On Thu, Sep 08, 2011 at 10:28:52PM +0900, Hiroshi KIHIRA wrote:
> Hi,
>
> I propose to add a new command line option to iptables-restore.
> The following patch introduces a new command line option which changes
> the timing of the action of table commitment.
>
> In the situation that some tables are restored, each of the tables is
> applied into the kernel space when the COMMIT statement was read from
> the input. If there was a syntax error in the rules, iptables-restore
> will end without doing any modification to the table. However, the
> table that was already committed into kernel space is not reverted.
> It causes an inconsistency between the tables (e.g., some marked
> packets are dropped at the filter table, but no packet is marked at the
> mangle table).

I think people should call iptables-restore -T to test the rule-set before, at least the first time they have saved the rule-set, to make sure that they don't run into inconsistencies.

Applying the rule-set partially for one table may also result in inconsistencies, so I still don't see what we gain from allowing this.
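The failure mode described in the quoted report, and the "test first" workflow suggested in the reply, as an added example that is not part of the thread and not code from the netfilter project. It uses a constructed two-table ruleset in iptables-save format (mangle marks SSH packets, filter drops marked packets), simulates the per-table commit that iptables-restore performs when it reads each COMMIT line, and wraps the real tool in a pre-flight that parses the whole file with the --test option of the installed iptables-restore before applying it. The "malformed line" detection is deliberately simplified (any line that does not start with '*', ':', '-', '#', or 'COMMIT'); the real parser is stricter, and that simplification, the function names and the sample ruleset are all assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread or the netfilter project).

# Constructed sample ruleset (iptables-save format). Each table is committed to the
# kernel separately, at its own COMMIT line; the filter rules only make sense
# together with the mangle rule that sets the mark.
RULESET="$(cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 22 -j MARK --set-mark 1
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m mark --mark 1 -j DROP
COMMIT
EOF
)"

# ruleset_tables FILE: print the table names in the order they appear.
ruleset_tables() {
    sed -n 's/^\*//p' "$1"
}

# check_commits FILE: exit 0 if every *table block is closed by a COMMIT line
# and no COMMIT appears outside a table, otherwise report and exit 1.
check_commits() {
    awk '
        BEGIN { bad = 0 }
        /^[*]/      { if (open != "") { print "table " open " has no COMMIT"; bad = 1 }
                      open = substr($0, 2); next }
        /^COMMIT$/  { if (open == "") { print "COMMIT outside a table"; bad = 1 }
                      open = ""; next }
        END         { if (open != "") { print "table " open " has no COMMIT"; bad = 1 }
                      exit bad }
    ' "$1"
}

# committed_before_error FILE: simulate the per-table commit behaviour.
# Prints the name of every table whose COMMIT was reached before the first
# malformed line (assumption: a malformed line is one not starting with
# '*', ':', '-', '#', or 'COMMIT'). Exit 1 if such a line was hit, i.e. the
# printed tables would already be live in the kernel while the rest is not.
committed_before_error() {
    awk '
        BEGIN { bad = 0 }
        /^[*]/            { cur = substr($0, 2); next }
        /^COMMIT$/        { print cur; next }
        /^[:#-]/          { next }
        /^[[:space:]]*$/  { next }
        { print "malformed line: " $0 > "/dev/stderr"; bad = 1; exit 1 }
        END { exit bad }
    ' "$1"
}

# preflight_and_apply FILE: structural check, then `iptables-restore --test`
# on the whole file, and only then the real restore. Without root or without
# the tool this is a dry run and nothing touches the kernel.
preflight_and_apply() {
    f="$1"
    check_commits "$f" || { echo "refusing: unbalanced table/COMMIT"; return 1; }
    committed_before_error "$f" >/dev/null || { echo "refusing: malformed rule"; return 1; }
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        iptables-restore --test < "$f" || { echo "refusing: --test failed"; return 1; }
        iptables-restore < "$f"
    else
        echo "dry run: iptables-restore not available or not root"
    fi
}

# Demonstration on the constructed ruleset (dry run).
f=$(mktemp)
printf '%s\n' "$RULESET" > "$f"
echo "tables: $(ruleset_tables "$f" | tr '\n' ' ')"
preflight_and_apply "$f"
rm -f "$f"
```

With a broken rule in the second table (the filter block), committed_before_error prints only "mangle" and exits non-zero: that is exactly the state the report complains about, with mangle already committed and filter left untouched, and it is why the whole file should go through the --test pass before any table is committed.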