On Mon, 2008-05-12 at 12:52 +0200, Jan Engelhardt wrote:
> On Monday 2008-05-12 12:21, Henrik Nordstrom wrote:
>
> >The other difference is that this gives "save" like capability to
> >iptables-restore when used in a pipe, making iptables-restore a more
> >complete batch interface for talking to iptables which was the main
> >motivation behind this.
>
> Example please :)

As you know iptables-restore is basically just a batch wrapper around
iptables, so everything iptables can do you can also do with
iptables-restore.

    % iptables-restore -n
    *filter
    --list INPUT --rules
    [caller reads the output to figure out what to modify]
    --insert OUTPUT 2 -d 1.2.3.4 -J REJECT
    --insert INPUT 4 -s 1.2.3.4 -J DROP
    [caller wants to verify the result before commit]
    --list INPUT --rules
    COMMIT

all in one single fetch/modify/upload operation.

Or with the new version I am just about to submit, implementing this as
a new --list-rules (-S) command: (just need to split out some other
cleanup first..)

    % iptables-restore -n
    *filter
    --list-rules INPUT
    --add INPUT -s 1.2.3.4 -J DROP
    --list-rules INPUT
    COMMIT

A new patch and a couple minor related ones coming shortly.

Regards
Henrik