green wrote at 2010-06-20 12:54 -0600:
> Huang, Tao wrote at 2010-06-20 09:42 -0600:
> > On Sun, Jun 20, 2010 at 10:07 PM, green <greenfreedom10@gmail.com> wrote:
> > > However, iptables scripts usually begin with a flush, and then it takes time to
> > > add all those rules, plus some possible interruption to traffic meanwhile.
> > > What about if only a small change has been made? Does iptables-restore flush
> > > first, or is it able to just change the rule set as necessary to match? (And
> > > is there a term used to describe that feature?)
> >
> > in the man page of iptables-restore:
> >
> > -n, --noflush
>
> Ah yes, I missed that. So iptables-restore does not include intelligent
> modification of rules.

Hmm, maybe iptables-restore is what I want after all:
http://lists.debian.org/debian-user/2007/03/msg03772.html

And I think this answers my question:
http://www.faqs.org/docs/iptables/saveandrestore.html

So iptables-restore should work much faster than separate iptables commands in a
script. I will attempt to write a script that builds an iptables-save file and
inserts the entire rule-set in one invocation. I could simply use an iptables-save
file directly but I require good readability, and I don't think I can mix tables in
the iptables-save file.

Comments welcome.
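The approach the poster describes, as an added example that is not part of the thread: a POSIX shell script that assembles an iptables-restore file from readable per-table sections (iptables-save format holds several tables in one file, each opened by `*table` and closed by `COMMIT`, and `#` comment lines are ignored by iptables-restore), validates it with `iptables-restore --test` so a syntax error cannot leave the firewall half-loaded, and then loads the whole set in a single invocation instead of one iptables call per rule. The interface name, ports and rules are constructed sample values, and the script assumes an iptables-restore that supports `--test`.

```shell
#!/bin/sh
# Added example (not the poster's script): build an iptables-restore file from
# readable per-table sections, check it, and load it in one invocation.
# WAN_IF and the rules below are constructed sample values.

WAN_IF="${WAN_IF:-eth0}"

# filter table: default-deny inbound, comments allowed for readability
filter_table() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# accept replies to our own connections first, then loopback
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# sample service: ssh on the WAN interface
-A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# nat table: a second table in the same file, delimited by *nat ... COMMIT
nat_table() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Emit the complete ruleset in iptables-save format on stdout.
build_ruleset() {
  printf '# Generated %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  filter_table
  nat_table
}

# Self-checks on the generated text (usable without iptables installed).
count_tables()  { build_ruleset | grep -c '^\*'; }
count_commits() { build_ruleset | grep -c '^COMMIT$'; }

# Every *table must be closed by exactly one COMMIT before the next table.
check_structure() {
  build_ruleset | awk '
    /^\*/      { if (open) bad = 1; open = 1; next }
    /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
    END        { exit (bad || open) ? 1 : 0 }'
}

# Parse first (--test applies nothing), then replace the live rules.
# iptables-restore loads each table as one kernel operation, so there is no
# window with a flushed, empty table between individual rule insertions.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  build_ruleset > "$tmp"
  if iptables-restore --test < "$tmp"; then
    iptables-restore < "$tmp"
    rc=$?
  else
    echo "ruleset rejected by iptables-restore --test; live rules untouched" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage: sh firewall.sh show    (print the generated file)
#        sh firewall.sh apply   (validate, then load it; needs root)
case "${1:-}" in
  show)  build_ruleset ;;
  apply) apply_ruleset ;;
esac
```

Keeping the generation step separate from the load step means `show` output can be diffed against the current `iptables-save` output before applying, and a rule with a typo fails at `--test` instead of mid-load.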