Andrew Suffield wrote:
> On Tue, Feb 12, 2008 at 09:46:20AM -0800, Tom Eastep wrote:
>> ursa:~ # iptables -L foo
>> Chain foo (0 references)
>> target     prot opt source               destination
>> bar        all  --  anywhere             anywhere
>> ursa:~ # iptables -E bar baz
>> ursa:~ # iptables -L foo
>> Chain foo (0 references)
>> target     prot opt source               destination
>> baz        all  --  anywhere             anywhere
>> ursa:~ #
>
> Which is why it's not useful here - it has no effect on the structure,
> it just changes the name, so it cannot be used as an
> atomic-insert-of-many-rules. The necessary feature would be a 'swap
> chains' command, that replaced all references to one existing chain
> with references to another existing chain (not that I'm advocating
> it).
>
It is useful -- just not as useful as it might be. If I have chain foo with a jump to bar and I want to replace bar, then I

a) create baz as replacement for bar
b) populate baz
c) Insert jump to baz just before existing jump to bar (with same predicates as the existing jump)
d) delete existing jump to bar
e) flush bar
f) delete bar
g) rename baz to bar

If I could atomically swap bar and baz, I could omit steps c and d and would not have a small window where packets might go through both bar and baz.

-Tom

--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                \ http://shorewall.net
Washington USA            \ [EMAIL PROTECTED]
PGP Public Key            \ https://lists.shorewall.net/teastep.pgp.key
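The seven-step chain replacement described in the message above, written out as a POSIX shell function. This is an added example, not code from the thread or from Shorewall; the function name `swap_chain`, the `IPT` variable and the `print_only` preview helper are assumptions, and the rule number of the existing jump is something the caller looks up first (for example with `iptables -L PARENT --line-numbers`). The replacement chain is populated from rule specifications read on standard input, one per line.

```shell
#!/bin/sh
# swap_chain: replace user chain OLD (referenced from PARENT) by a freshly built
# chain NEW with only the short window between steps c) and d), then rename
# NEW back to OLD with -E so callers keep seeing the original name.
#
# IPT names the command used for every iptables call. Set IPT=print_only to
# preview the exact sequence without touching the kernel (assumed helper).
IPT="${IPT:-iptables}"

print_only() {
    printf 'iptables %s\n' "$*"
}

# Usage: swap_chain PARENT RULENUM OLD NEW [match predicates of the jump...]
#   PARENT  - chain holding the jump to OLD
#   RULENUM - position of that jump in PARENT (iptables -L PARENT --line-numbers)
#   stdin   - rule specs for NEW, one per line, e.g. "-p tcp --dport 22 -j ACCEPT"
swap_chain() {
    parent=$1; rulenum=$2; old=$3; new=$4
    shift 4
    # a) create the replacement chain
    "$IPT" -N "$new" || return 1
    # b) populate it from stdin (word-splitting of $rule is intended here)
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # shellcheck disable=SC2086
        "$IPT" -A "$new" $rule || return 1
    done
    # c) insert a jump to NEW right before the jump to OLD, same predicates
    "$IPT" -I "$parent" "$rulenum" "$@" -j "$new" || return 1
    # d) delete the old jump by its full spec (it now sits at RULENUM+1)
    "$IPT" -D "$parent" "$@" -j "$old" || return 1
    # e) flush and f) delete OLD, which is no longer referenced
    "$IPT" -F "$old" && "$IPT" -X "$old" || return 1
    # g) rename NEW to OLD
    "$IPT" -E "$new" "$old"
}
```

Between steps c) and d) both jumps exist, which is the window the message refers to; running the function with `IPT=print_only` shows the eight commands in order.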
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
