Say I have 10,000 rules loaded. I now want to update them, so I edit my file and then run iptables-restore to load the new rules. During all this iptables is applying policy on packets. So, what happens between the time I start running iptables-restore and when it finishes? Does it flush all the rules and then load the new ones? Does that mean during this time I don't have iptables enforcement going on? Or does iptables-restore load all the rules in memory and then, when the commit happens, move pointers around so that enforcement is in effect all the time?

Another question I have is about connection tracking. Do the entries get flushed when we do a save-restore? Say we allowed 10.10.3.3 through, and currently connection tracking is tracking this IP. Now, we add a rule to block 10.10.3.3. But connection tracking is allowing it through. How does one solve this problem?

--joubert
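As an added example (not part of the original post), the following POSIX shell script shows the two mechanisms the question is about in practice. iptables-restore parses the whole ruleset in user space and hands each table to the kernel in one replace call, so packets are always matched against either the complete old table or the complete new table, never an empty one (the swap is per table; a ruleset with several tables is committed one table at a time). Connection-tracking entries are a separate kernel structure and survive a table replace, so a host that was allowed earlier keeps matching a `--ctstate ESTABLISHED,RELATED` accept rule. The script therefore orders the DROP rules ahead of that accept rule and deletes the existing conntrack entries for newly blocked hosts with `conntrack -D` from conntrack-tools. The block lists, the chain policies, the SSH rule, and the function names `build_ruleset`, `newly_blocked` and `reload_and_purge` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes iptables-restore
# and conntrack(8) from conntrack-tools are installed; the rules below are
# constructed for illustration.

# Emit an iptables-restore ruleset for the filter table.
# $1 = space-separated list of source IPs to block.
# The DROP rules come *before* the ESTABLISHED,RELATED accept so that an
# existing conntrack entry cannot carry traffic from a blocked host past it.
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for ip in $1; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Print the IPs that are in the new block list ($2) but not in the old one ($1),
# one per line. These are the hosts whose conntrack state must be purged.
newly_blocked() {
    old=$1
    new=$2
    for ip in $new; do
        case " $old " in
            *" $ip "*) ;;                       # already blocked before
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Replace the filter table in one commit, then drop conntrack entries for the
# hosts that just became blocked so their flows are re-evaluated against the
# new rules instead of riding on the old ESTABLISHED state.
reload_and_purge() {
    old=$1
    new=$2
    build_ruleset "$new" | iptables-restore
    newly_blocked "$old" "$new" | while read -r ip; do
        # conntrack -D removes matching entries; -s matches original source,
        # -d original destination. Exit status is non-zero when nothing matched.
        conntrack -D -s "$ip" >/dev/null 2>&1 || true
        conntrack -D -d "$ip" >/dev/null 2>&1 || true
    done
}

# Only touch the live firewall when explicitly asked (needs root):
#   sh reload.sh apply "10.10.1.1 10.10.2.2" "10.10.1.1 10.10.3.3"
if [ "${1:-}" = "apply" ]; then
    reload_and_purge "$2" "$3"
fi
```

Run with `apply`, the old and the new block list to reload and purge in one step; without arguments the script only defines the functions. The important design point is the rule order: a DROP placed after the ESTABLISHED,RELATED accept never sees packets from an already tracked flow, so deleting the conntrack entries and ordering the DROP first are both needed to cut off a host that was previously allowed.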