From mboxrd@z Thu Jan 1 00:00:00 1970
From: Richard Weinberger
Subject: ip(6)tables-save: Allow chain selection
Date: Sat, 1 Oct 2011 17:19:28 +0200
Message-ID: <1317482370-14982-1-git-send-email-richard@nod.at>
To: netfilter-devel@vger.kernel.org
Return-path:
Received: from a.ns.miles-group.at ([95.130.255.143]:33111 "EHLO radon.swed.at" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750987Ab1JAPTh (ORCPT ); Sat, 1 Oct 2011 11:19:37 -0400
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

This patch set adds a switch to iptables-save to select a specific
chain to be saved.

Sometimes it's useful to save only one chain, e.g. when some rules are
added dynamically by daemons like OpenVPN or strongSwan and the base
rule set is generated by a bash script.

Consider this trivial script:
---8<---
#!/bin/sh

# save only the DYN_OVPN chain
iptables-save -t filter -C DYN_OVPN > /tmp/dyn-rules

iptables -F
iptables -X

iptables -A INPUT -s 1.2.3.4 -j ACCEPT
# many more rules...
iptables -A INPUT ... -j ACCEPT

# OpenVPN can insert rules here which do not get lost in case
# the base rule set gets modified and reloaded.
iptables -N DYN_OVPN
iptables -A INPUT -i tun+ -j DYN_OVPN

# restore DYN_OVPN chain
iptables-restore -n < /tmp/dyn-rules
rm -f /tmp/dyn-rules
--->8---

[PATCH 1/2] iptables-save: Allow chain selection
[PATCH 2/2] ip6tables-save: Allow chain selection
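
On a host whose iptables-save lacks the -C switch proposed above, the same single-chain dump can be cut out of the full save output. The following is an added example, not part of the patch set or the original mail; the helper names save_chain and sample_dump and the sample rules are made up for illustration.

```shell
#!/bin/sh
# save_chain TABLE CHAIN (hypothetical helper): read full iptables-save output
# on stdin and print a restorable dump holding only CHAIN from TABLE.
# Exits 1 and prints nothing when the chain is not declared in that table.
# Intended use: iptables-save -t filter | save_chain filter DYN_OVPN
save_chain() {
    awk -v table="$1" -v chain="$2" '
        # A "*filter" style line opens a table; remember whether it is the wanted one.
        /^\*/ {
            in_table = ((substr($0, 2) "") == (table ""))
            if (in_table) out = out $0 "\n"
            next
        }
        !in_table { next }
        # ":NAME POLICY [pkts:bytes]" declares a chain.
        /^:/ {
            if ((substr($1, 2) "") == (chain "")) { out = out $0 "\n"; found = 1 }
            next
        }
        $0 == "COMMIT" { out = out $0 "\n"; in_table = 0; next }
        # Rule lines are "-A CHAIN ..." or, when saved with -c,
        # "[pkts:bytes] -A CHAIN ...". The "" forces string comparison.
        {
            n = ($1 == "-A") ? 2 : (($2 == "-A") ? 3 : 0)
            if (n && ($n "") == (chain "")) out = out $0 "\n"
        }
        END { if (!found) exit 1; printf "%s", out }
    '
}

# Constructed sample input, not captured from a real host. It mixes plain and
# counter-prefixed rule lines on purpose to exercise both forms.
sample_dump() {
    cat <<'EOF'
# Constructed sample
*nat
:PREROUTING ACCEPT [0:0]
:DYN_OVPN - [0:0]
-A DYN_OVPN -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:DYN_OVPN - [0:0]
-A INPUT -s 1.2.3.4 -j ACCEPT
-A INPUT -i tun+ -j DYN_OVPN
-A DYN_OVPN -s 10.8.0.0/24 -j ACCEPT
[5:300] -A DYN_OVPN -j DROP
COMMIT
EOF
}
```

The dump holds only the chain's own rules, so the jump into it from INPUT still has to be recreated by the base script before iptables-restore -n is run, as in the script above.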