Michael Orlitzky <mich...@orlitzky.com> wrote:
>
> And my counterarguments:
>
> 1. The iptables-restore syntax is uglier and harder to read.
>
> 2. You get better error reporting calling iptables repeatedly.
>
> 3. The published interface will never change; iptables-restore reads an
> input language whose specification is "whatever iptables-save outputs."
>
> 4. A bash script is far more standard and less confusing to your coworkers.
>
> 5. You can't script iptables-restore!

Well, actually you can script iptables-restore.
In fact, you can write a function "ip4tables" which emulates the
behaviour of ip4tables by storing data in variables which are then
later passed to iptables-restore, and so the user sees almost no
difference although race conditions are avoided.

However, 3. is a severe problem for such complex functions.
There should be an official way how to avoid races,
e.g. if ip4tables itself would be able to successively extend
an output file which can then be used for iptables-restore.
If you have contact to the iptables developers, please suggest
such a thing. Or maybe somebody has a better idea?
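The wrapper described above, as an added example that is not code from the thread or from the iptables project: an `ip4tables` shell function that takes the usual iptables arguments but only buffers them, and an `ip4tables_commit` function that hands the whole ruleset to iptables-restore in a single load, so the firewall is never observed half-built. The function names, the `IPT_*` variables, the `IPT_RESTORE_CMD` override and the sample ruleset are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): buffer iptables-style calls into
# iptables-restore input, then load the ruleset atomically. Names starting with
# ip4tables_ / IPT_ are assumptions of this example, not an existing tool.

IPT_TABLES=""   # tables in first-seen order, space separated
IPT_BUF=""      # one entry per line: "<table> <iptables-restore line>"
nl='
'

ip4tables_reset() { IPT_TABLES=""; IPT_BUF=""; }

# Looks like iptables: [-t TABLE] -P/-N/-A/-I ... (assumes -t comes first).
ip4tables() {
    table=filter
    if [ "$1" = "-t" ]; then table=$2; shift 2; fi
    case " $IPT_TABLES " in
        *" $table "*) ;;
        *) IPT_TABLES="$IPT_TABLES $table" ;;
    esac
    case $1 in
        -P) line=":$2 $3 [0:0]" ;;      # policy -> chain header line
        -N) line=":$2 - [0:0]" ;;       # user chain -> header without policy
        -F|-X|-Z) return 0 ;;           # restore replaces the table anyway
        *)  line="$*" ;;                # -A/-I ... passed through verbatim
    esac
    IPT_BUF="$IPT_BUF$table $line$nl"
}

# Emit iptables-restore input. Within a table the ":" chain headers must come
# before the rules, so they are rendered first whatever order the calls used.
ip4tables_render() {
    for t in $IPT_TABLES; do
        printf '*%s\n' "$t"
        printf '%s' "$IPT_BUF" | awk -v t="$t" \
            '$1 == t && substr($2, 1, 1) == ":" { sub(/^[^ ]+ /, ""); print }'
        printf '%s' "$IPT_BUF" | awk -v t="$t" \
            '$1 == t && substr($2, 1, 1) != ":" { sub(/^[^ ]+ /, ""); print }'
        printf 'COMMIT\n'
    done
}

# One load for the whole ruleset. iptables-restore applies each table at its
# COMMIT line, so a parse error earlier in a table leaves that table untouched.
ip4tables_commit() {
    ip4tables_render | "${IPT_RESTORE_CMD:-iptables-restore}"
}

# Constructed sample: a default-deny host firewall with a rate-limited SSH chain.
ip4tables_demo() {
    ip4tables_reset
    ip4tables -P INPUT DROP
    ip4tables -P FORWARD DROP
    ip4tables -P OUTPUT ACCEPT
    ip4tables -A INPUT -i lo -j ACCEPT
    ip4tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip4tables -A INPUT -p tcp --dport 22 -j SSH_IN
    # Declared after its first use: plain iptables would reject the line above,
    # but the renderer hoists the header so the restore file is still valid.
    ip4tables -N SSH_IN
    ip4tables -A SSH_IN -m conntrack --ctstate NEW -m limit --limit 3/min -j ACCEPT
    ip4tables -t nat -P POSTROUTING ACCEPT
}

ip4tables_demo
ip4tables_render        # dry run: print what iptables-restore would be fed
# To apply for real (as root): ip4tables_commit
```

Two caveats a script author would want: `"$*"` flattens the arguments, so a match argument containing spaces (for example a `--comment` string) loses its quoting and must be rendered with explicit escaping, and `-F`/`-X` are dropped because a full restore replaces each table wholesale; if you run `iptables-restore -n` (no flush) instead, those calls would need real handling.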
