Huang, Tao wrote at 2010-06-20 09:42 -0600:
> On Sun, Jun 20, 2010 at 10:07 PM, green <[email protected]> wrote:
> > However, iptables scripts usually begin with a flush, and then it takes
> > time to add all those rules, plus some possible interruption to traffic
> > meanwhile. What about if only a small change has been made? Does
> > iptables-restore flush first, or is it able to just change the rule set
> > as necessary to match? (And is there a term used to describe that
> > feature?)
>
> in the man page of iptables-restore:
>
> -n, --noflush

Ah yes, I missed that. So iptables-restore does not include intelligent
modification of rules.

> > If iptables-restore does not support that, does anyone know of another
> > tool (available in the repositories) that I can use that would allow me
> > to write a parseable iptables rule set?
>
> use "diff" to show the differences between rule sets. use "iptables
> -D/-A/-I" respectively to remove/add rules.

I was hoping for a tool to do this for me. I can't think of an easy way to
use the output of iptables-save and the new rules file to intelligently
add/remove/insert rules.

> > Thanks.
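As an added example (not part of this thread, and not a tool shipped with iptables), the "diff, then -D/-A/-I" approach suggested above can be automated: parse two iptables-save dumps, align the rules of each chain, and emit only the iptables commands that turn the running set into the desired one. The two dumps below are constructed samples, not captured from a real host; the script deletes by rule number from the highest down and inserts by position from the lowest up, so the numbers it prints stay valid as the commands are applied in order, and it handles added or removed user chains and default-policy changes as well.

```python
"""Added example: turn the difference between two iptables-save dumps into
the sequence of iptables -N/-D/-I/-P/-X commands that updates the live
rule set in place, instead of flushing and rebuilding it."""
import difflib
import shlex
from collections import OrderedDict

# Constructed sample dumps, not captured from a real host: the desired set
# replaces the telnet (23) rule with an https (443) rule.
CURRENT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
"""
DESIRED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse_save(text):
    """Parse iptables-save output into
    {table: {"policies": {chain: policy}, "rules": [(chain, rule_spec)]}}.
    Rule order within a chain is preserved: it is the semantics."""
    tables = OrderedDict()
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # "*filter"
            table = line[1:]
            tables[table] = {"policies": OrderedDict(), "rules": []}
        elif line.startswith(":"):                     # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]       # user chains show "-"
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):                   # "-A INPUT -i lo -j ACCEPT"
            chain = line.split()[1]
            spec = line[len("-A ") + len(chain):].strip()
            tables[table]["rules"].append((chain, spec))
        elif line == "COMMIT":
            table = None
    return tables


def plan_changes(current_text, desired_text):
    """Return the ordered iptables commands (argv lists) that transform the
    current rule set into the desired one without a flush."""
    cur, new = parse_save(current_text), parse_save(desired_text)
    cmds = []
    for table in sorted(set(cur) | set(new)):
        c = cur.get(table, {"policies": {}, "rules": []})
        n = new.get(table, {"policies": {}, "rules": []})
        # User chains that only exist in the desired set must be created
        # before any rule can jump to them.
        for chain, policy in n["policies"].items():
            if chain not in c["policies"] and policy == "-":
                cmds.append(["iptables", "-t", table, "-N", chain])
        for chain in OrderedDict.fromkeys(list(c["policies"]) + list(n["policies"])):
            old = [spec for ch, spec in c["rules"] if ch == chain]
            want = [spec for ch, spec in n["rules"] if ch == chain]
            ops = difflib.SequenceMatcher(None, old, want, autojunk=False).get_opcodes()
            # Delete by rule number, highest first, so lower numbers stay valid.
            doomed = [i + 1 for tag, i1, i2, _, _ in ops
                      if tag in ("delete", "replace") for i in range(i1, i2)]
            for num in sorted(doomed, reverse=True):
                cmds.append(["iptables", "-t", table, "-D", chain, str(num)])
            # After the deletes the chain is a subsequence of 'want', so inserting
            # in ascending desired position puts each new rule in the right slot.
            for tag, _, _, j1, j2 in ops:
                if tag in ("insert", "replace"):
                    for j in range(j1, j2):
                        cmds.append(["iptables", "-t", table, "-I", chain, str(j + 1)]
                                    + shlex.split(want[j]))
            # Default policy of a built-in chain.
            pol = n["policies"].get(chain)
            if pol and pol != "-" and c["policies"].get(chain) != pol:
                cmds.append(["iptables", "-t", table, "-P", chain, pol])
        # User chains dropped from the desired set are empty by now; remove them.
        for chain, policy in c["policies"].items():
            if chain not in n["policies"] and policy == "-":
                cmds.append(["iptables", "-t", table, "-X", chain])
    return cmds


def render(cmds):
    """Render the plan as shell lines for review before running them as root."""
    return "\n".join(" ".join(shlex.quote(a) for a in cmd) for cmd in cmds)


if __name__ == "__main__":
    print(render(plan_changes(CURRENT, DESIRED)))
```

Run against the two samples it prints two lines, `iptables -t filter -D INPUT 4` followed by the matching `-I INPUT 4 ... --dport 443 -j ACCEPT`, and the three untouched rules keep their packet counters and keep matching traffic throughout. The alignment is textual, so a rule that iptables-save prints differently from how it was written (for example `--dport 22` becoming `-m tcp --dport 22`) counts as a change; feeding it the output of `iptables-save` on both sides avoids that. Reviewing the rendered plan before applying it is the point of keeping the command list separate from execution.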