
Re: iptables-restore



Huang, Tao wrote at 2010-06-20 09:42 -0600:
> On Sun, Jun 20, 2010 at 10:07 PM, green <greenfreedom10@gmail.com> wrote:
> > However, iptables scripts usually begin with a flush, and then it takes time to
> > add all those rules, plus some possible interruption to traffic meanwhile.
> > What about if only a small change has been made?  Does iptables-restore flush
> > first, or is it able to just change the rule set as necessary to match?  (And
> > is there a term used to describe that feature?)
> 
> in the man page of iptables-restore:
> 
> -n, --noflush

Ah yes, I missed that.  So iptables-restore does not include intelligent 
modification of rules.

> > If iptables-restore does not support that, does anyone know of another tool
> > (available in the repositories) that I can use that would allow me to write a
> > parseable iptables rule set?
> 
> use "diff" to show the differences between rule sets. use "iptables
> -D/-A/-I" respectively to remove/add rules.

I was hoping for a tool to do this for me.  I can't think of an easy way to use 
the output of iptables-save and the new rules file to intelligently 
add/remove/insert rules.

> > Thanks.

Attachment: signature.asc
Description: Digital signature
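One way to get the "intelligent add/remove/insert" the reply above is asking for: parse an iptables-save dump of the live rules and the desired rule file, diff each chain, and emit the positional -D/-I/-A commands that converge the two without a flush. This is an added example, not code from this thread or from the iptables project; the two rule sets at the bottom are constructed samples, and the chain name WEB and the rules in them are assumptions made for illustration.

```python
"""Turn one iptables-save dump into another with positional -D/-I/-A calls
instead of a flush.  Added example, not code from this thread or from the
iptables project; the rule sets at the bottom are constructed samples."""
import difflib


def parse_save(text):
    """Parse iptables-save output into {table: {chain: (policy, [rule_spec, ...])}}.

    Rules keep file order, which is their live 1-based rule number in that
    chain; user-defined chains carry the policy "-" in iptables-save output."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                   # "*filter"
            table = line[1:]
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):                 # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[table][chain] = (policy, [])
        elif line.startswith("-A "):               # "-A INPUT -i lo -j ACCEPT"
            parts = line.split(None, 2)
            spec = parts[2] if len(parts) > 2 else ""
            tables[table].setdefault(parts[1], ("-", []))[1].append(spec)
        else:
            raise ValueError("unexpected iptables-save line: " + raw)
    return tables


def chain_diff(table, chain, old, new):
    """Commands that turn rule list `old` into `new` inside one chain.

    difflib's edit script is applied from the end of the chain backwards, so
    the rule numbers of the earlier, not-yet-touched rules stay valid.
    Deletes go by rule number rather than by rule spec: `-D CHAIN <spec>`
    removes the first match, which is the wrong rule when a spec is duplicated."""
    cmds = []
    work = list(old)                                # simulated live chain
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in reversed(sm.get_opcodes()):
        if tag in ("delete", "replace"):
            for num in range(i2, i1, -1):           # 1-based, highest first
                cmds.append(f"iptables -t {table} -D {chain} {num}")
                del work[num - 1]
        if tag in ("insert", "replace"):
            for k, spec in enumerate(new[j1:j2]):
                pos = i1 + k + 1
                if pos > len(work):                  # beyond the end: append
                    cmds.append(f"iptables -t {table} -A {chain} {spec}")
                else:
                    cmds.append(f"iptables -t {table} -I {chain} {pos} {spec}")
                work.insert(pos - 1, spec)
    assert work == new, "edit script does not reproduce the desired chain"
    return cmds


def plan(current_text, desired_text):
    """Shell commands that move the live rule set (current) to the desired one."""
    cur, want = parse_save(current_text), parse_save(desired_text)
    cmds = []
    for table, w_chains in want.items():
        c_chains = cur.get(table, {})
        new_chains = [c for c in w_chains if c not in c_chains]
        # 1. create brand-new chains first, so rules may jump to them
        for chain in new_chains:
            cmds.append(f"iptables -t {table} -N {chain}")
        # 2. fill the new chains before any existing chain starts jumping to
        #    them, then converge the existing chains; fix policies on the way
        for chain in new_chains + [c for c in w_chains if c in c_chains]:
            policy, rules = w_chains[chain]
            old_policy, old_rules = c_chains.get(chain, ("-", []))
            if policy != "-" and policy != old_policy:
                cmds.append(f"iptables -t {table} -P {chain} {policy}")
            cmds.extend(chain_diff(table, chain, old_rules, rules))
        # 3. chains that vanished: flush and delete once nothing references them
        for chain in c_chains:
            if chain not in w_chains:
                cmds.append(f"iptables -t {table} -F {chain}")
                cmds.append(f"iptables -t {table} -X {chain}")
    return cmds


# Constructed samples: what `iptables-save` printed, and what we want instead.
CURRENT = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""

DESIRED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WEB - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j WEB
-A INPUT -p icmp -j ACCEPT
-A INPUT -j LOG --log-prefix "input-drop: "
-A WEB -m limit --limit 50/sec -j ACCEPT
-A WEB -j DROP
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(plan(CURRENT, DESIRED)))
```

Two caveats before piping that output into sh. The rule numbers are only right while the live rule set still matches the snapshot, so take the `iptables-save` dump and apply the commands in one go, not from an hours-old file. And the desired file has to be written in the spelling iptables-save itself uses (`-p tcp -m tcp --dport 22`, not `-p tcp --dport 22`), otherwise an equivalent rule shows up as a delete plus an insert. Even then this is not what `iptables-restore` gives you: the restore replaces a whole table in one kernel call, whereas the generated script leaves a short window between the `-D` and the `-I` in which that rule is absent. That is the trade-off for touching only the rules that changed.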

