I knew I'd eventually remember why I subscribed to this list....
While working on enhancing my firewall, it occurred to me that it'd be really
nice to have a 'swap chain' feature in iptables that is equivalent to the
'swap set' feature in ipset.
Such a feature would minimize the amount of time that rules are unavailable
when adding, changing or deleting them. At present, all the rules in the chain
being modified are deleted, then the new rules are added. So there is a period
of time, albeit brief, that rules are not available in that chain.
Were there a 'swap chain' command, one could build a new chain of the changed
rules, swap the new and old chains, then flush and delete the new (now old)
chain. This would all but guarantee that no packets 'slip by' (are
overlooked).
Thanks,
N
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
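As an added example (not code from the post or from the netfilter project), the following POSIX shell script shows the ipset 'swap set' idiom the post refers to, and a way to get the same atomic switch-over in iptables with the commands that already exist: keep a single `-j LIVE` jump as rule 1 of INPUT, build the replacement chain beside it, and repoint the jump with one `-R`. Each iptables command is committed to the kernel as a whole-table replace, so the repoint is atomic and no packet is evaluated against a flushed or half-built chain. (Loading a complete ruleset with `iptables-restore` also commits a table in one replace, which is the other existing route.) The chain and set names, the `hash:ip` set type, and the assumption that INPUT rule 1 is the jump are all made up for the example; with `REAL=1` the commands are executed (root required), otherwise they are printed so the sequence can be inspected.

```shell
#!/bin/sh
# Added example, not code from the post or the netfilter project.
# Two atomic-replacement idioms with the tools as they exist:
#   swap_set   - the ipset "swap set" pattern the post refers to
#   swap_chain - an iptables equivalent built from -R: INPUT holds a single
#                jump to the live chain, the replacement chain is built
#                beside it, and one -R repoints the jump. iptables commits
#                each command as a whole-table replace, so no packet is ever
#                evaluated against a half-built or empty chain.
# Set REAL=1 to execute (needs root); by default commands are printed,
# which is what the checks below inspect.

run() {
    if [ "${REAL:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# swap_set LIVE: rebuild set LIVE from entries on stdin (one per line).
# ipset swap requires both sets to have the same type and family;
# hash:ip is assumed here (made-up choice for the example).
swap_set() {
    live=$1
    tmp="${live}_next"
    run ipset create "$tmp" hash:ip || return 1
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        run ipset add "$tmp" "$entry" || return 1
    done
    run ipset swap "$tmp" "$live" || return 1   # atomic: old contents land in $tmp
    run ipset destroy "$tmp"
}

# swap_chain LIVE NEW: assumes rule 1 of INPUT is "-j LIVE". Builds NEW from
# rule specs on stdin (one per line, e.g. "-s 192.0.2.0/24 -j DROP"), repoints
# INPUT at NEW in one command, then flushes and deletes the old chain.
swap_chain() {
    live=$1
    new=$2
    run iptables -N "$new" || return 1
    while IFS= read -r spec; do
        [ -z "$spec" ] && continue
        # shellcheck disable=SC2086  # splitting the spec into words is intended
        run iptables -A "$new" $spec || return 1
    done
    run iptables -R INPUT 1 -j "$new" || return 1   # the switch-over
    run iptables -F "$live" || return 1
    run iptables -X "$live"
}

# Dry-run demonstration with constructed sample input (addresses from the
# documentation ranges, rule specs made up for the example).
if [ "${REAL:-0}" != 1 ]; then
    printf '%s\n' 192.0.2.1 198.51.100.7 | swap_set blocklist
    printf '%s\n' '-s 192.0.2.0/24 -j DROP' '-p tcp --dport 22 -j ACCEPT' \
        | swap_chain fw_live fw_next
fi
```

Two caveats when running this for real: `-R` discards the packet and byte counters of the rule it replaces, and `-X` of the old chain fails if any other chain still references it by name, so every jump to the live chain has to go through the one rule that is swapped.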