Re: Checkentry called twice?

On Tuesday 2009-03-31 14:32, Kristian Evensen wrote:
>On Tue, Mar 31, 2009 at 2:28 PM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>>
>> On Tuesday 2009-03-31 14:03, Kristian Evensen wrote:
>>
>>>After looking more into this, it seems that checkentry is called for
>>>every rule up to and including the one I added. For example, if I give
>>>each a unique ID and output the ID, then the first three -A give me:
>>
>> checkentry is called for all rules, since whole tables are replaced
>> every time you call iptables.
>
>Ok, that explains it. Is there a way to avoid this or is it simply the
>way it is? The reason I want to avoid this is that I want to keep some
>of the values stored in the existing rule's data structures while
>being able to add new rules.

Nope. iptables downloads the ruleset, adds your rule (without touching
the rest), then uploads it again into the kernel, with all the side
effects this implies (e.g. internal counters, such as for xt_statistic
are reset).
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
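
The download/append/upload cycle described in the reply above, as an added example that is not part of the original thread: a user-space C model (not kernel or iptables code) showing why checkentry runs once per rule on every -A and why per-rule state is lost. The struct layouts and the names table_replace and append_rule are hypothetical.

```c
#include <stdio.h>

#define MAX_RULES 8

struct rule {
    int id;              /* parameter supplied by userspace */
    unsigned int count;  /* per-rule state initialised by checkentry */
};

struct table {
    struct rule rules[MAX_RULES];
    int nrules;
};

static int checkentry_calls;  /* total checkentry invocations */

/* Stand-in for a match's checkentry hook: validate, then init state. */
static int checkentry(struct rule *r)
{
    checkentry_calls++;
    r->count = 0;
    return r->id > 0;
}

/* Model of the upload: every rule in the blob is checked again. */
static int table_replace(struct table *kernel, const struct table *blob)
{
    struct table fresh = *blob;
    for (int i = 0; i < fresh.nrules; i++)
        if (!checkentry(&fresh.rules[i]))
            return -1;   /* reject the whole blob, keep the old table */
    *kernel = fresh;
    return 0;
}

/* Model of "iptables -A": download, append one rule, upload. */
static int append_rule(struct table *kernel, int id)
{
    struct table blob = *kernel;          /* download the ruleset */
    if (blob.nrules == MAX_RULES)
        return -1;
    blob.rules[blob.nrules++] = (struct rule){ .id = id };
    return table_replace(kernel, &blob);  /* upload the ruleset */
}

int main(void)
{
    struct table t = {0};
    append_rule(&t, 1);
    t.rules[0].count = 5;  /* rule 1 accumulates state */
    append_rule(&t, 2);
    append_rule(&t, 3);
    printf("checkentry calls: %d, rule 1 count: %u\n",
           checkentry_calls, t.rules[0].count);
    return 0;
}
```

In this model three appends produce 1 + 2 + 3 checkentry calls, and the state held by rule 1 is back at zero after the second append.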
