Re: patch: policy update by id

[Thomas Graf <tgraf@xxxxxxx>]

* Herbert Xu <20050428032045.GA24041@xxxxxxxxxxxxxxxxxxx> 2005-04-28 13:20
> On Wed, Apr 27, 2005 at 11:16:00PM -0400, jamal wrote:
> > On Thu, 2005-28-04 at 12:56 +1000, Herbert Xu wrote:
> > 
> > > Well netfilter certainly follows this scheme:
> > > 
> > > $ iptables -I INPUT -s 3.3.3.3 -d 4.4.4.4 -j ACCEPT
> > > $ iptables -I INPUT -s 3.3.3.3 -d 4.4.4.4 -j ACCEPT
> > > $ iptables -v -L INPUT -n
> > > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> > >  pkts bytes target     prot opt in     out     source               
> > > destination 
> > >     0     0 ACCEPT     all  --  *      *       3.3.3.3              
> > > 4.4.4.4     
> > >     0     0 ACCEPT     all  --  *      *       3.3.3.3              
> > > 4.4.4.4     
> > 
> > Which is bizare to say the least. If you delete, only the first one gets
> > deleted.
> 
> It isn't that strange.  It's also done using indices except that the
> indices aren't fixed.  Do delete the second rule you would say
> 
> iptables -D INPUT 2

Except for when another iptables instance has modified the ordering of
the rules by inserting or deleting a rule in the meantime. Please do
not adopt this scheme, it's completely unreliable.