On Thursday 2011-05-05 14:14, Alex Bligh wrote:

> What is the best way to programmatically atomic add/replace an
> entire chain. Assume the table has lots and lots of chains.

Because table-replace is an atomic operation, so are all smaller operations based upon it.

> Calling "iptables" itself is non-atomic.

iptables does issue a table-replace, so it is atomic -- within the one rule you wanted to add. If you want to change multiple rules in one go, don't use iptables, use iptables-restore.

> Opening a pipe to iptables-restore with "-n" passed
> is an option provided I prefix the chains concerned
> with "-F <chainname>" (I can't pass the whole thing
> and avoid -n as the chain might have (say) 10 rules,
> but there might be 100 chains, so this will
> be grossly inefficient). However, looking at the
> source, it appears merely to call do_command to
> parse each line, and I can't see how this can be
> atomic.

do_command alone does not commit the result. restore is right in what it does.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html