On Thursday 2011-09-08 15:28, Hiroshi KIHIRA wrote:

>I propose to add a new command line option to iptables-restore.

I propose on top that it should be made the default, since half tables are not really useful to anybody. (This has gone as far as to people writing that iptables-apply script, and I'd love to see it being replaced by something included in the C code instead.)

>In the situation that some tables are restored, each of the tables is
>applied into the kernel space when the COMMIT statement was read from
>the input. If there was a syntax error in rules, iptables-restore
>will end without doing any modification to the table. However the
>table that was already committed into kernel space is not reverted.
>[...]

I am in favor of that. Though, I have to add, it actually misses the inconsistency case {syntax is accepted, but the options are rejected by the kernel}. What would probably be most desirable is that iptables-restore keeps copies in memory of each table it attempted to touch, for the eventual case of a rollback.
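The two failure modes discussed in this thread (a syntax error after an earlier table was already committed, and the case where the syntax is accepted but the kernel rejects a rule at COMMIT) can be modelled without touching a real kernel. The following is an added illustration written for this page, not netfilter code: a small parser for the iptables-save text format, a simulated kernel that rejects any rule using a hypothetical `-m unsupported` match, and a restore routine that keeps a copy of every table it touches so that any later failure rolls all committed tables back. The `atomic` flag switches between the current half-applied behaviour and the rollback behaviour proposed in the thread. All table contents and input files are constructed for the example.

```python
"""Model of a transactional iptables-restore (added example, not netfilter code).

Understands the subset of the iptables-save format used here: '*table',
':CHAIN POLICY [p:b]', '-A CHAIN ...' and 'COMMIT'. Each table is applied to a
simulated kernel when COMMIT is read. With atomic=True a snapshot of each table
is taken before it is replaced, so a later error (syntax error, or a rule the
kernel refuses) restores every already-committed table to its previous state.
"""
import re
from copy import deepcopy


class RestoreError(Exception):
    pass


class FakeKernel:
    """Stand-in for the kernel-side tables: {table: {chain: [rule, ...]}} (constructed)."""

    def __init__(self, tables):
        self.tables = deepcopy(tables)

    def snapshot(self, table):
        return deepcopy(self.tables[table])

    def replace(self, table, chains):
        # Without --noflush, iptables-restore replaces the whole table at COMMIT.
        # Simulate "syntax accepted, kernel rejects": a rule using the hypothetical
        # '-m unsupported' match is refused at commit time, leaving the table untouched.
        for rules in chains.values():
            for rule in rules:
                if "-m unsupported" in rule:
                    raise RestoreError(f"kernel rejected rule in table {table}: {rule}")
        self.tables[table] = deepcopy(chains)


def parse_and_restore(text, kernel, atomic=True):
    """Apply the restore input table by table; return the list of committed tables."""
    saved = {}        # table -> copy of its state before we touched it
    committed = []
    current, chains = None, {}
    try:
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("*"):
                if current is not None:
                    raise RestoreError(f"line {lineno}: table {current} was not committed")
                current = line[1:]
                if current not in kernel.tables:
                    raise RestoreError(f"line {lineno}: unknown table {current}")
                chains = {}
            elif line.startswith(":"):
                m = re.match(r":(\S+)\s+(\S+)", line)
                if current is None or not m:
                    raise RestoreError(f"line {lineno}: bad chain declaration {raw!r}")
                chains[m.group(1)] = []          # policy is ignored in this model
            elif line.startswith("-A "):
                chain = line.split()[1]
                if current is None or chain not in chains:
                    raise RestoreError(f"line {lineno}: rule for undeclared chain {chain}")
                chains[chain].append(line)
            elif line == "COMMIT":
                if current is None:
                    raise RestoreError(f"line {lineno}: COMMIT outside a table")
                if atomic and current not in saved:
                    saved[current] = kernel.snapshot(current)
                kernel.replace(current, chains)  # may raise: kernel rejected the table
                committed.append(current)
                current = None
            else:
                raise RestoreError(f"line {lineno}: syntax error: {raw!r}")
        if current is not None:
            raise RestoreError(f"input ended without COMMIT for table {current}")
    except RestoreError:
        if atomic:
            for table in reversed(committed):
                kernel.tables[table] = saved[table]   # roll back earlier tables
        raise
    return committed


# Constructed initial kernel state and restore inputs.
INITIAL = {
    "filter": {"INPUT": ["-A INPUT -i lo -j ACCEPT"], "FORWARD": [], "OUTPUT": []},
    "nat": {"PREROUTING": [], "POSTROUTING": []},
}
GOOD = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
# Syntax error in the second table: rule for a chain that was never declared.
BAD_SYNTAX = GOOD.replace("-A INPUT -i lo -j ACCEPT", "-A INPUTT -i lo -j ACCEPT")
# Syntax is fine, but the simulated kernel refuses the match at COMMIT.
BAD_KERNEL = GOOD.replace("-m conntrack", "-m unsupported")


def run(text, atomic):
    """Restore `text` into a fresh kernel; return (status message, resulting tables)."""
    kernel = FakeKernel(INITIAL)
    try:
        parse_and_restore(text, kernel, atomic=atomic)
        return "ok", kernel.tables
    except RestoreError as err:
        return str(err), kernel.tables


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD_SYNTAX", BAD_SYNTAX), ("BAD_KERNEL", BAD_KERNEL)):
        for atomic in (False, True):
            status, tables = run(text, atomic)
            print(f"{name:10} atomic={atomic!s:5} -> {status}; nat POSTROUTING={tables['nat']['POSTROUTING']}")
```

Running it with `atomic=False` reproduces the situation described in the quoted message: for `BAD_SYNTAX` the nat table keeps the new MASQUERADE rule while the filter table is left at its old contents. With `atomic=True` both inputs, including the kernel-rejection case the reply points out, leave the kernel exactly as it was before the restore started.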