On Thursday 07 March 2002 10:24 am, Allan Sandfeld Jensen wrote:
> Is it possible to do atomic updates of netfilter-rules?
> I.e. something like:
> iptables lock
> iptables -F
> iptables -A ..
> iptables -A ..
> ..
> iptables unlock
I do this sort of thing by creating a user-defined table, putting all my rules into it, and then creating a jump to that table from the system table I want it to apply to (usually FORWARD).

When I want to change it, I create a new user-defined table (different name, leave the old one intact), put all the rules into it, and then insert the jump to the new table and remove the jump to the old one.

I know the last two operations are not quite atomic, but depending on how your user-defined tables end (i.e. whether they continue processing with the table that called them), the newly-inserted one will usually override the old one if you put it in front, or will not come into effect until you delete the old one if you put it after.

> It would be even nicer, if this could be done without throwing all packets
> that arrive in the meantime out.

The connection table is not affected by updates to the tables, therefore this should achieve what you want without dropping any traffic.

Antony Stone.
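The chain-swap procedure described in the reply above, written out as an added shell example; it is not code from the original thread or from either poster. Everything beyond the procedure itself is assumed for illustration: the chain names fw_v1 and fw_v2, the three sample rules placed in the new chain, the parent chain FORWARD, and the IPTABLES variable, which lets the script be dry-run with IPTABLES=echo (the printed lines are then exactly the iptables invocations that would have been made).

```shell
#!/bin/sh
# Added example (not from the original post): replace a live rule set by building
# a second user-defined chain, moving the jump in FORWARD to it, then retiring the
# old chain. Assumed names: fw_v1 (old), fw_v2 (new), parent chain FORWARD.
# Set IPTABLES=echo to dry-run and print the commands instead of executing them.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# Create the new chain and fill it with the complete rule set while the old chain
# is still the one FORWARD jumps to; nothing is dropped during this step.
# The sample rules are constructed for the example, not taken from the thread.
build_chain() {
    chain="$1"
    $IPTABLES -N "$chain"
    $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A "$chain" -p tcp --dport 22 -j ACCEPT
    # The chain ends in a terminating target, so once the jump to it sits in
    # front of the old jump, the old chain is never reached for any packet.
    $IPTABLES -A "$chain" -j DROP
}

# Insert the jump to the new chain at position 1 of the parent, then delete the
# jump to the old chain. Two separate commands, so not strictly atomic: between
# them both jumps exist, but the new one is evaluated first and terminates.
swap_jump() {
    parent="$1"; old="$2"; new="$3"
    $IPTABLES -I "$parent" 1 -j "$new"
    $IPTABLES -D "$parent" -j "$old"
}

# Flush and delete the old chain only after nothing references it any more
# (-X refuses to delete a chain that is still jumped to or non-empty).
retire_chain() {
    chain="$1"
    $IPTABLES -F "$chain"
    $IPTABLES -X "$chain"
}

# Full procedure: build, swap, retire. Connection tracking state is untouched
# throughout, so established flows keep matching the ESTABLISHED,RELATED rule.
swap_ruleset() {
    parent="$1"; old="$2"; new="$3"
    build_chain "$new"
    swap_jump "$parent" "$old" "$new"
    retire_chain "$old"
}

# Usage: IPTABLES=echo sh swap.sh --run fw_v1 fw_v2   (dry run)
#        sh swap.sh --run fw_v1 fw_v2                 (as root, real change)
if [ "${1:-}" = "--run" ]; then
    swap_ruleset FORWARD "$2" "$3"
fi
```

The ordering inside swap_jump is the whole point: -I at position 1 lands the new jump ahead of the old one, and because the new chain finishes with a terminating target the stale jump behind it is dead from that moment, so the later -D only tidies up. If your chains end with RETURN instead, the reply's other caveat applies: packets that match nothing in the new chain fall through to the old jump until it is deleted, so in that case append the new jump after the old one and rely on the -D to cut over.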