On Wednesday 2012-05-23 23:25, Neal Murphy wrote:
>I knew I'd eventually remember why I subscribed to this list....
>
>While working on enhancing my firewall, it occurred to me that it'd be real
>nice to have a 'swap chain' feature in iptables that is equivalent to the
>'swap set' feature in ipset.
>Such a feature would minimize the amount of time that rules are unavailable
>when adding, changing or deleting them. At present, all the rules in the chain
>being modified are deleted, then the new rules are added. So there is a period
>of time, albeit brief, that rules are not available in that chain.

What, never heard of iptables-restore? Atomic replace has been in
iptables since a long long time.
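
The atomic replace mentioned in the reply, applied to a single chain, as an added example that is not part of the original message: with `--noflush`, iptables-restore leaves the rest of the table alone, flushes only the user-defined chain declared in the payload, and applies the new rules in one commit. The chain name `FW_STAGE`, the helper function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: replace one user-defined chain atomically with iptables-restore.
# FW_STAGE and the rules below are constructed sample values.

# Emit an iptables-restore payload for one chain. Rule bodies (everything that
# follows "-A CHAIN") are read from stdin, one per line; blank lines and
# lines starting with # are skipped.
build_chain_payload() {
    table=$1
    chain=$2
    printf '*%s\n' "$table"
    # Under --noflush, declaring an existing user-defined chain flushes
    # only that chain; other chains in the table are left untouched.
    printf ':%s - [0:0]\n' "$chain"
    while IFS= read -r rule; do
        case $rule in ''|'#'*) continue ;; esac
        printf '%s\n' "-A $chain $rule"
    done
    # Nothing reaches the kernel until COMMIT, so the old rules stay active
    # until the complete new chain replaces them.
    printf 'COMMIT\n'
}

# Parse-check the payload with --test, then load it. Needs root and iptables.
swap_chain() {
    payload=$(build_chain_payload "$1" "$2") || return 1
    printf '%s\n' "$payload" | iptables-restore --noflush --test || return 1
    printf '%s\n' "$payload" | iptables-restore --noflush
}

# Constructed sample rules for the staging chain.
sample_rules() {
    cat <<'EOF'
# established traffic first, then SSH from a management subnet
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
-j DROP
EOF
}

# Usage (as root): sample_rules | swap_chain filter FW_STAGE
```

Running the `--test` pass first means a syntax error in the new rules is reported before the live chain is touched.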