On Tue, Feb 12, 2008 at 11:24:16AM -0800, Tom Eastep wrote:
> If I have chain foo with a jump to bar and I want to replace bar, then I
>
> a) create baz as replacement for bar
> b) populate baz
> c) Insert jump to baz just before existing jump to bar (with same predicates
>    as the existing jump)
> d) delete existing jump to bar
> e) flush bar
> f) delete bar
> g) rename baz to bar
>
> If I could atomically swap bar and baz, I could omit steps c and d and would
> not have a small window where packets might go through both bar and baz.
Ah, should have seen that. On reflection, I'm being dim. Here's the slight
modification to give an atomic solution with the current features:

(starting from default empty tables)

    iptables -N foo
    iptables -N foo_ref
    iptables -A INPUT -j foo_ref
    iptables -A foo_ref -j foo
    (populate foo with your rules)

Atomic switch operation:

    iptables -N new_foo
    (populate new_foo)
    iptables -I foo_ref 1 -j new_foo
    iptables -D foo_ref 2
    iptables -F foo        # -X only deletes an empty chain
    iptables -X foo
    iptables -E new_foo foo

The trick is that the insert of a new unconditional jump in foo_ref is itself
an atomic operation, which renders the old jump inactive simply by position.

This does, of course, require that the chain foo never '-j RETURN's.

(There's still no way to atomically modify all the root chains at once)

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
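The switch operation from the reply as a shell function, with a pre-check for the '-j RETURN' caveat (an added example, not code from the thread; the chain names, the `swap_chain` name and the `IPTABLES` override variable are my own assumptions):

```shell
#!/bin/sh
# Atomic chain swap through an indirection chain, as described in the thread.
# IPTABLES may be overridden (e.g. IPTABLES="echo iptables") for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# True if chain $1 contains an explicit "-j RETURN" rule. While foo_ref holds
# both jumps, a RETURN from new_foo lands back in foo_ref, whose next rule is
# the old jump, so the packet would traverse both chains. (A packet that falls
# off the end of new_foo without a verdict behaves the same way; this check
# only catches the explicit form.)
chain_has_return() {
    $IPTABLES -S "$1" | grep -q -- '-j RETURN'
}

# swap_chain REF OLD NEW: make REF jump to NEW instead of OLD, then delete OLD
# and rename NEW to OLD. Leaves the ruleset untouched and returns 1 if NEW
# contains a RETURN. Usage (after populating new_foo):
#     swap_chain foo_ref foo new_foo
swap_chain() {
    ref=$1; old=$2; new=$3
    if chain_has_return "$new"; then
        echo "swap_chain: refusing, chain $new contains -j RETURN" >&2
        return 1
    fi
    $IPTABLES -I "$ref" 1 -j "$new" &&  # new jump becomes active atomically
    $IPTABLES -D "$ref" 2 &&            # old jump is now rule 2
    $IPTABLES -F "$old" &&              # -X only deletes an empty chain
    $IPTABLES -X "$old" &&
    $IPTABLES -E "$new" "$old"
}
```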