I knew I'd eventually remember why I subscribed to this list....

While working on enhancing my firewall, it occurred to me that it'd be real nice to have a 'swap chain' feature in iptables that is equivalent to the 'swap set' feature in ipset. Such a feature would minimize the amount of time that rules are unavailable when adding, changing or deleting them.

At present, all the rules in the chain being modified are deleted, then the new rules are added. So there is a period of time, albeit brief, that rules are not available in that chain.

Were there a 'swap chain' command, one could build a new chain of the changed rules, swap the new and old chains, then flush and delete the new (now old) chain. This would all but guarantee that no packets 'slip by' (are overlooked).

Thanks,
N
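The procedure the post asks for can be approximated with stock iptables: populate a fresh user chain while the old one keeps matching, then atomically repoint the single jump rule in the parent chain with `-R` before flushing and deleting the old chain. This is an added example, not code from the poster or the netfilter project; the `IPTABLES` hook, the chain names and the rule file are assumptions so it can be dry-run without root.

```shell
#!/bin/sh
# Added example: approximate a 'swap chain' with plain iptables.
# The only step a packet can observe is the single -R on the parent
# chain, so the new chain is never seen empty. IPTABLES is a hook
# (assumed) so the script can be exercised with a stand-in command.
IPTABLES=${IPTABLES:-iptables}

# Print the 1-based rule number in chain $1 that jumps to chain $2.
# 'iptables -S CHAIN' lists a -P/-N header first, then one -A per rule,
# so numbering the -A lines matches --line-numbers.
jump_rulenum() {
    "$IPTABLES" -S "$1" | grep -- '^-A ' | grep -n -- " -j $2\$" \
        | cut -d: -f1 | head -n1
}

# swap_chain PARENT OLD NEW RULEFILE
# RULEFILE holds one rule specification per line (constructed input).
swap_chain() {
    parent=$1; old=$2; new=$3; rules=$4
    "$IPTABLES" -N "$new" || return 1
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        # word-splitting of the spec into iptables arguments is intended
        "$IPTABLES" -A "$new" $spec || return 1
    done < "$rules"
    n=$(jump_rulenum "$parent" "$old")
    [ -n "$n" ] || { echo "no jump to $old in $parent" >&2; return 1; }
    "$IPTABLES" -R "$parent" "$n" -j "$new" || return 1   # the atomic swap
    "$IPTABLES" -F "$old" && "$IPTABLES" -X "$old"        # retire the old chain
}
```

With the real binary this needs root and a parent rule of the form `-A INPUT ... -j OLD`; if the parent holds several jumps to the old chain, only the first is repointed.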