What is the best way to programmatically and atomically add/replace an entire chain? Assume the table has lots and lots of chains. Calling "iptables" itself is non-atomic. I could build an entire replacement chain with a different name (through repeated calling of iptables -A), then change the jump statement that calls it. But that seems horribly inefficient.

Opening a pipe to iptables-restore with "-n" passed is an option, provided I prefix the chains concerned with "-F <chainname>" (I can't pass the whole thing and avoid -n, as the chain might have (say) 10 rules, but there might be 100 chains, so this will be grossly inefficient). However, looking at the source, it appears merely to call do_command to parse each line, and I can't see how this can be atomic. Also, I'd like to avoid the fork(). The FAQ seems to suggest calling any form of library API is bad.

Any ideas?

-- Alex Bligh
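The iptables-restore route the post sketches, written out as an added example (this is not code from the original post or from the netfilter project): a POSIX shell function builds the restore-format text for one chain, flushing it with "-F <chain>" and re-adding its rules inside a single table/COMMIT block, and a second function pipes that text into `iptables-restore -n` so the other chains in the table are left alone. The table name, chain name and rule bodies used below are constructed for illustration; the apply step needs CAP_NET_ADMIN and is guarded behind an environment variable so the script can be run and inspected without touching a live ruleset.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an iptables-restore
# payload that replaces the contents of one chain in one COMMIT block.
# iptables-restore reads the whole block and then swaps the table's
# ruleset in one kernel operation, so readers of the table never see
# the chain half-flushed or half-populated. With -n (--noflush) the
# other chains in the table are not flushed first.

# build_chain_payload TABLE CHAIN RULE...
# Emits:  *TABLE / -F CHAIN / -A CHAIN RULE (per rule) / COMMIT
build_chain_payload() {
    table=$1
    chain=$2
    shift 2
    printf '*%s\n' "$table"
    # Flush only the chain being replaced (the post's "-F <chainname>" prefix).
    printf '%s %s\n' -F "$chain"
    for rule in "$@"; do
        printf '%s %s %s\n' -A "$chain" "$rule"
    done
    printf 'COMMIT\n'
}

# payload_rule_count  (reads a payload on stdin)
# Number of -A lines in the payload; a cheap sanity check before applying,
# e.g. to refuse an accidentally empty replacement for a chain that should
# never be empty.
payload_rule_count() {
    grep -c '^-A '
}

# apply_chain_payload TABLE CHAIN RULE...
# Hands the payload to iptables-restore -n. Requires CAP_NET_ADMIN.
# The exit status of iptables-restore reports whether the block was
# applied; a rejected block leaves the previous ruleset in place.
apply_chain_payload() {
    build_chain_payload "$@" | iptables-restore -n
}

# Constructed sample: replace the rules of a hypothetical chain "MYCHAIN"
# in the filter table. Only printed unless IPT_APPLY=1 is set.
sample_table=filter
sample_chain=MYCHAIN
if [ "${IPT_APPLY:-0}" = 1 ]; then
    apply_chain_payload "$sample_table" "$sample_chain" \
        '-s 10.0.0.0/8 -j ACCEPT' \
        '-j DROP'
else
    build_chain_payload "$sample_table" "$sample_chain" \
        '-s 10.0.0.0/8 -j ACCEPT' \
        '-j DROP'
fi
```

Running the script prints the payload; `IPT_APPLY=1 sh script.sh` applies it. Because the flush and the re-add travel in the same COMMIT block, the window in which the chain would be empty under a plain `iptables -F` followed by several `iptables -A` calls does not exist, which is the property that matters when the chain is a filtering policy rather than a convenience.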