[Ipchains-dev] My (newbie) thoughts about netfilter

Paul Rusty Russell Paul.Russell@rustcorp.com.au
Tue, 31 Aug 1999 12:25:36 -0700

In message <E11LQ93-0003kA-00@mailgate.rz.uni-karlsruhe.de> you write:
> >> Is there an operation to atomically swap two chains? That way, one
> >
> >Atomically replace the rule pointing to the chain.
> That way, you need to have two chains, A and B. One is active, the
> other is being worked on. You'd need to keep track of which is the
> active version. I did this with ipchains, it's a pain to maintain.

I agree 8-(.  Would a `--rename-chain' option to iptables help?  It'd
be convoluted:

# iptables --rename-chain A tmp && \
	iptables --rename-chain B A && \
	iptables --rename-chain tmp B

But it'd work.

> >It's merely a pass-through rule; LOG is a side effect.  The next rule
> >will be examined.
> So I'd probably have a chain logdeny with two unconditional rules?
> ipchains -N logdeny
> ipchains -A logdeny -j LOG
> ipchains -A logdeny -j DENY

Exactly.  In fact, I'm tempted to separate limit from log (that way
you can use it to limit other things), something like:

# ipchains -N logdeny
# ipchains -A logdeny -j LIMIT --limit-rate 5 1
# ipchains -A logdeny -j LOG
# ipchains -A logdeny -j DENY

Hacking time.