On Mon, 28 Jun 2021 11:23:36 +0200 Alessandro Vesely <vesely@xxxxxxx> wrote:

> I left old values commented out, rather than deleting them. I try to use the same names for shell variables, names in rt_tables and iptables. Device names differ. I annotate these cross-references in comments.
>
> That way, I can then use shell variables in iptables commands as in the next snippet below. How do you handle renumbering otherwise?

The desire to expand shell variables is not a compelling argument for eschewing the obvious benefits of using iptables-restore(8). Consider the following.

iptables-restore <<EOF || exit
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eutelia_in [0:0]
:externa_in [0:0]
:fastweb_in [0:0]
:interna_in [0:0]
-A INPUT -i $interna_if -j interna_in
-A INPUT -i $eutelia_if -j eutelia_in
-A INPUT -i $fastweb_if -j fastweb_in
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j externa_in
# and so on ...
COMMIT
EOF

Now you benefit from atomicity (the rules will either be committed at once, in full, or not at all) and proper error handling (the exit status value of iptables-restore is meaningful and acted upon).

Further, should you prefer to indent the body of the heredoc, you may write <<-EOF, though only leading tab characters will be stripped out.

-- 
Kerin Millar
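As an added example, not part of the message above or of either poster's own scripts: a small POSIX sh script that takes the same approach one step further. The interface names come in as arguments and are validated before they are interpolated into the heredoc (an empty or malformed value would otherwise produce a rule line that means something other than intended), the ruleset is generated by one function so it can be inspected without touching the kernel, and it is loaded with a dry run (iptables-restore --test, available since iptables 1.6) before the real, atomic load. The chain layout mirrors the snippet in the message; the interface names used in the comments (eth1, eth2, eth3) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: generate an iptables ruleset from shell variables and load it
# atomically with iptables-restore(8). Not the original poster's code.

# Accept only plausible interface names: non-empty, at most IFNAMSIZ-1 (15)
# characters, and nothing outside [A-Za-z0-9_.:-]. Anything else is refused
# before it can reach the ruleset.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Emit the ruleset on stdout. $1, $2 and $3 are the internal, Eutelia and
# Fastweb interfaces (e.g. eth1 eth2 eth3 -- assumed names). Returns non-zero,
# emitting nothing, if an argument is missing or fails validation.
build_ruleset() {
    [ $# -eq 3 ] || { echo "build_ruleset: need 3 interface names" >&2; return 1; }
    for ifname in "$@"; do
        valid_ifname "$ifname" || {
            echo "build_ruleset: bad interface name '$ifname'" >&2
            return 1
        }
    done
    interna_if=$1
    eutelia_if=$2
    fastweb_if=$3
    # Unquoted EOF so the shell expands the variables; the body is kept at
    # column 0 because <<EOF strips nothing (and <<-EOF strips tabs only).
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eutelia_in [0:0]
:externa_in [0:0]
:fastweb_in [0:0]
:interna_in [0:0]
-A INPUT -i $interna_if -j interna_in
-A INPUT -i $eutelia_if -j eutelia_in
-A INPUT -i $fastweb_if -j fastweb_in
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j externa_in
# and so on ...
COMMIT
EOF
}

# Load the ruleset. The --test pass parses and builds the table without
# committing it, so a typo is caught while the running ruleset is untouched;
# the second pass commits the whole table or nothing. Both exit statuses are
# checked and propagated to the caller.
apply_ruleset() {
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || {
        echo "apply_ruleset: ruleset failed validation, nothing changed" >&2
        return 1
    }
    printf '%s\n' "$rules" | iptables-restore || {
        echo "apply_ruleset: iptables-restore failed, ruleset not committed" >&2
        return 1
    }
}

# Usage: ./rules.sh --show eth1 eth2 eth3   (print the generated ruleset)
#        ./rules.sh --apply eth1 eth2 eth3  (validate, then load atomically)
case "${1:-}" in
    --show)  shift; build_ruleset "$@" ;;
    --apply) shift; apply_ruleset "$@" ;;
esac
```

Two caveats worth keeping in mind: the atomicity iptables-restore gives you is per table (each COMMIT replaces one table as a unit), so a script that loads *filter and *nat is atomic within each table but not across both; and a dry run with --test checks syntax and chain references, not whether the resulting policy is what you meant, so reviewing the output of --show before --apply is still worthwhile.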