
Re: patch: policy update by id

To: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Subject: Re: patch: policy update by id
From: Thomas Graf <tgraf@xxxxxxx>
Date: Thu, 28 Apr 2005 13:43:08 +0200
Cc: jamal <hadi@xxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, netdev@xxxxxxxxxxx
In-reply-to: <20050428032045.GA24041@xxxxxxxxxxxxxxxxxxx>
References: <20050427233924.GA22238@xxxxxxxxxxxxxxxxxxx> <1114650816.7663.13.camel@xxxxxxxxxxxxxxxxxxxxx> <20050428012135.GA22950@xxxxxxxxxxxxxxxxxxx> <20050428013014.GA23043@xxxxxxxxxxxxxxxxxxx> <1114653140.7663.36.camel@xxxxxxxxxxxxxxxxxxxxx> <20050428020754.GA23326@xxxxxxxxxxxxxxxxxxx> <20050427194356.58a3e618.davem@xxxxxxxxxxxxx> <20050428025644.GA23823@xxxxxxxxxxxxxxxxxxx> <1114658160.7663.102.camel@xxxxxxxxxxxxxxxxxxxxx> <20050428032045.GA24041@xxxxxxxxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
* Herbert Xu <20050428032045.GA24041@xxxxxxxxxxxxxxxxxxx> 2005-04-28 13:20
> On Wed, Apr 27, 2005 at 11:16:00PM -0400, jamal wrote:
> > On Thu, 2005-28-04 at 12:56 +1000, Herbert Xu wrote:
> > 
> > > Well netfilter certainly follows this scheme:
> > > 
> > > $ iptables -I INPUT -s 3.3.3.3 -d 4.4.4.4 -j ACCEPT
> > > $ iptables -I INPUT -s 3.3.3.3 -d 4.4.4.4 -j ACCEPT
> > > $ iptables -v -L INPUT -n
> > > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination
> > >     0     0 ACCEPT     all  --  *      *       3.3.3.3              4.4.4.4
> > >     0     0 ACCEPT     all  --  *      *       3.3.3.3              4.4.4.4
> > 
> > Which is bizarre to say the least. If you delete, only the first one gets
> > deleted.
> 
> It isn't that strange.  It's also done using indices except that the
> indices aren't fixed.  To delete the second rule you would say
> 
> iptables -D INPUT 2

Except for when another iptables instance has modified the ordering of
the rules by inserting or deleting a rule in the meantime. Please do
not adopt this scheme, it's completely unreliable.
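
The race Thomas describes, shown on a toy in-memory model of an ordered chain. This is an added illustration, not code from the thread, iptables or the kernel: `Chain`, `Rule` and the three `scenario_*` functions are constructed here, and the rule specifications are made-up sample values. It contrasts deleting by position (`iptables -D CHAIN rulenum`), by matching the rule specification (the behaviour jamal notes for duplicate rules), and by a stable per-rule id, which is what the patch under discussion proposes for policies.

```python
"""Constructed simulation of three ways to delete a rule from an ordered
firewall chain: by position, by matching the rule specification, and by a
stable per-rule id.  In-memory model only; not iptables or kernel code."""
from dataclasses import dataclass, field
from itertools import count

_next_id = count(1)  # monotonically increasing ids, assigned when a Rule is created


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    target: str
    id: int = field(default_factory=lambda: next(_next_id))


class Chain:
    """Ordered rule list; positions are 1-based, as iptables reports them."""

    def __init__(self):
        self.rules = []

    def insert(self, rule, rulenum=1):
        # Like `iptables -I CHAIN [rulenum]`: the default inserts at the head.
        self.rules.insert(rulenum - 1, rule)

    def delete_by_index(self, rulenum):
        # Like `iptables -D CHAIN rulenum`: removes whatever currently sits there.
        return self.rules.pop(rulenum - 1)

    def delete_by_match(self, src, dst, target):
        # Like `iptables -D CHAIN <spec>`: removes the first rule whose spec matches.
        for i, r in enumerate(self.rules):
            if (r.src, r.dst, r.target) == (src, dst, target):
                return self.rules.pop(i)
        raise KeyError("no matching rule")

    def delete_by_id(self, rule_id):
        # Stable identifier: unaffected by other writers reordering the chain.
        for i, r in enumerate(self.rules):
            if r.id == rule_id:
                return self.rules.pop(i)
        raise KeyError(rule_id)


def scenario_stale_index():
    """Admin A resolves a rule to a position, admin B inserts a rule at the
    head in between, admin A then deletes by the now-stale position."""
    chain = Chain()
    accept = Rule("3.3.3.3", "4.4.4.4", "ACCEPT")
    drop = Rule("5.5.5.5", "6.6.6.6", "DROP")
    chain.insert(accept)
    chain.insert(drop)                                   # chain: [drop, accept]
    pos = chain.rules.index(accept) + 1                  # A: "accept is rule 2"
    chain.insert(Rule("0.0.0.0/0", "0.0.0.0/0", "LOG"))  # B: prepends a rule
    removed = chain.delete_by_index(pos)                 # A: rule 2 is now the DROP
    # The wrong rule is gone and the ACCEPT A meant to remove is still active.
    return removed.target, accept in chain.rules         # ("DROP", True)


def scenario_match_duplicates():
    """Two identical rules, as in the listing quoted above: a spec-based
    delete removes only the first match (the most recently inserted one)."""
    chain = Chain()
    first = Rule("3.3.3.3", "4.4.4.4", "ACCEPT")
    second = Rule("3.3.3.3", "4.4.4.4", "ACCEPT")
    chain.insert(first)
    chain.insert(second)                                 # chain: [second, first]
    removed = chain.delete_by_match("3.3.3.3", "4.4.4.4", "ACCEPT")
    return removed is second, len(chain.rules)           # (True, 1)


def scenario_stable_id():
    """Same interleaving as scenario_stale_index, but A deletes by id."""
    chain = Chain()
    accept = Rule("3.3.3.3", "4.4.4.4", "ACCEPT")
    drop = Rule("5.5.5.5", "6.6.6.6", "DROP")
    chain.insert(accept)
    chain.insert(drop)
    target_id = accept.id                                # A records the id, not the position
    chain.insert(Rule("0.0.0.0/0", "0.0.0.0/0", "LOG"))  # B: prepends a rule
    removed = chain.delete_by_id(target_id)
    return removed is accept, drop in chain.rules        # (True, True)


if __name__ == "__main__":
    print("stale index  :", scenario_stale_index())
    print("match dupes  :", scenario_match_duplicates())
    print("stable id    :", scenario_stable_id())
```

The first scenario is the failure mode worth noticing from a policy standpoint: the stale position removes the DROP rule while the ACCEPT that was meant to go stays in place, so the chain fails open without either administrator seeing an error. An id that is assigned once and never renumbered makes the delete independent of whatever other writers do to the ordering.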
