On Thursday 2011-09-08 17:06, Eric Dumazet wrote:

>> I am in favor of that. Though, I have to add, it actually misses the
>> inconsistency case {syntax is accepted, but the options are rejected
>> by the kernel}.
>>
>> What would probably be most desirable is that iptables-restore keeps
>> copies in memory of each table it attempted to touch,
>> for the eventual case of a rollback.
>
> Unfortunately, keeping a copy into userland memory is not enough to
> guarantee a rollback is possible in kernel land.
>
> You might be in an OOM situation preventing new (large) memory
> allocations.

If restoring the old table fails, no big deal, since we are already in
an inconsistent state anyway — caused by the rejection of the new table
—, so there is no additional loss AFAICS.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
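The rollback the thread is discussing can be approximated today from userland: snapshot the live tables with iptables-save before handing the new ruleset to iptables-restore, and replay the snapshot if the restore is rejected. The following wrapper is an added example, not code from the thread or from the iptables project. It distinguishes the three outcomes the discussion cares about: the new ruleset applied cleanly, the new ruleset was rejected (by the parser or by the kernel) but the snapshot went back in, and both the restore and the rollback failed, which is the inconsistent state Eric Dumazet describes (for example under memory pressure). The IPTABLES_SAVE and IPTABLES_RESTORE variables are an assumption of this example, added so the wrapper can be exercised with stand-in commands on a host without iptables.

```shell
#!/bin/sh
# Added example: snapshot-and-rollback wrapper around iptables-restore.
# Not part of the thread or of iptables. The two variables below are this
# example's own assumption; they default to the real tools and can be pointed
# at stand-in commands for offline testing.
: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"

# apply_with_rollback RULESET_FILE
# Exit status:
#   0  new ruleset applied
#   1  new ruleset rejected; previous ruleset restored from the snapshot
#   2  new ruleset rejected AND the rollback failed (host left inconsistent,
#      e.g. because the kernel could not allocate the replacement table)
apply_with_rollback() {
    ruleset_file=$1

    # Snapshot the live tables before touching anything.
    snapshot_file=$(mktemp) || return 2
    if ! "$IPTABLES_SAVE" > "$snapshot_file"; then
        rm -f "$snapshot_file"
        return 2
    fi

    # Attempt to load the new ruleset. iptables-restore replaces whole
    # tables at once, so a rejection means "some tables may already differ".
    if "$IPTABLES_RESTORE" < "$ruleset_file"; then
        rm -f "$snapshot_file"
        return 0
    fi

    # Rejected: replay the snapshot. This can itself fail in the kernel,
    # which is exactly the case a userland copy cannot guard against.
    if "$IPTABLES_RESTORE" < "$snapshot_file"; then
        rm -f "$snapshot_file"
        return 1
    fi
    rm -f "$snapshot_file"
    return 2
}

# Stand-alone usage: apply the ruleset given as the first argument and report.
if [ -n "$1" ] && [ -r "$1" ]; then
    apply_with_rollback "$1"
    rc=$?
    case $rc in
        0) echo "ruleset applied" ;;
        1) echo "ruleset rejected, previous rules restored" >&2 ;;
        2) echo "ruleset rejected and rollback failed: firewall state is inconsistent" >&2 ;;
    esac
    exit $rc
fi
```

Exit status 2 is the one worth alerting on: the host is neither running the old policy nor the new one, and an operator has to inspect and re-apply by hand rather than trust the last known state.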