LinuxCommandLibrary

ip6tables-restore

Restore IPv6 firewall rules from a file

TLDR

View documentation for the original command

$ tldr iptables-restore

SYNOPSIS

ip6tables-restore [-c|--counters] [-n|--noflush] [-v|--verbose] [-h|--help] [-t table|--table table]

PARAMETERS

-c, --counters
    Restore the byte and packet counters for each rule from the input. Without this option, counters are reset to zero upon restoration.

-n, --noflush
    Do not flush the existing table before restoring. Because the file's rules are then appended to whatever is already loaded, this option can produce duplicated or inconsistent rules if used carelessly.

-v, --verbose
    Display verbose information during the restoration process, showing details of operations being performed.

-h, --help
    Show the help message for the command and exit.

-t table, --table table
    Restore only the specified table (e.g., 'filter', 'nat', 'mangle', 'raw', 'security'). If not specified, all tables found in the input are restored.

DESCRIPTION

ip6tables-restore is a utility used to restore IPv6 firewall rules (chains, rules, and tables) from a text file into the Linux kernel's ip6tables (Netfilter) framework. This file is typically generated by the ip6tables-save command. It reads rules from standard input or a specified file and applies them efficiently. This command is crucial for persistence, allowing administrators to save and reload firewall configurations across reboots or for quick deployment of complex rule sets.

By default, ip6tables-restore flushes all existing rules in the specified tables before loading new ones, ensuring a clean slate. It then parses the input file line by line, adding the rules to the appropriate tables and chains, making the restoration process robust and idempotent.

CAVEATS

  • Requires root privileges to run successfully, as it modifies kernel-level firewall rules.
  • By default, it flushes all existing rules in the specified tables before loading new ones. Using -n (--noflush) bypasses this, which can result in rule duplication or unintended firewall behavior if the input file contains rules already present.
  • Incorrectly formatted input files can lead to errors or an incomplete/corrupted firewall configuration. Always ensure the input file was generated by ip6tables-save or adheres strictly to its output format.
  • While designed for robustness, it's prudent to test new rule sets in a controlled environment before deploying to production, especially when dealing with complex configurations.

STANDARD INPUT

ip6tables-restore commonly reads its rule set from standard input. This enables powerful piping capabilities, such as `ip6tables-save | ip6tables-restore` (though redundant for a single host) or `ssh user@remote 'ip6tables-save' | ip6tables-restore` to replicate firewall rules between hosts.

ATOMIC OPERATIONS

The command performs its operations in an atomic manner. This means that either all rules are successfully restored, or none are, preventing a partially configured or inconsistent firewall state if an error occurs during the process.
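The DESCRIPTION, CAVEATS, STANDARD INPUT and ATOMIC OPERATIONS sections above all come down to one operational question: how to feed a saved ruleset to ip6tables-restore without locking yourself out or loading half a policy. The script below is an added example written for this page; it is not part of the ip6tables suite. It writes a constructed ip6tables-save-style ruleset (not captured from a real host), checks the file's structure in pure shell before ip6tables-restore ever sees it, and wraps the actual reload in a backup-and-rollback step that only runs when the script is invoked with --apply as root. It assumes a POSIX sh with mktemp; the dry-run step uses the long option --test, which current ip6tables-restore accepts although the synopsis above does not list it.

```shell
#!/bin/sh
# Pre-flight check and guarded reload for ip6tables-restore.
# Added example, not part of the ip6tables suite. Assumes POSIX sh, mktemp,
# and (for the --apply step only) root plus ip6tables-save/ip6tables-restore.
set -eu

# Write a constructed ip6tables-save-style ruleset (not taken from a real host).
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# Generated by ip6tables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Structural check of a saved ruleset before it is handed to ip6tables-restore:
# every '*table' line names a known table, every chain and rule line sits inside
# a table block, every rule targets a chain declared in that block, and every
# block is closed by COMMIT. Returns 0 when the file is clean, 1 otherwise.
check_ruleset_syntax() {
    file=$1 table='' chains='' n=0 bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) ;;                                   # blank line or comment
            '*'*)                                         # start of a table block
                [ -z "$table" ] || { echo "line $n: '*$table' block has no COMMIT" >&2; bad=1; }
                table=${line#\*}; chains=''
                case $table in
                    filter|nat|mangle|raw|security) ;;
                    *) echo "line $n: unknown table '$table'" >&2; bad=1 ;;
                esac ;;
            COMMIT)                                       # end of the current block
                [ -n "$table" ] || { echo "line $n: COMMIT outside a table block" >&2; bad=1; }
                table='' ;;
            ':'*)                                         # chain declaration ':NAME POLICY [p:b]'
                name=${line#:}; name=${name%% *}
                [ -n "$table" ] || { echo "line $n: chain outside a table block" >&2; bad=1; }
                chains="$chains $name" ;;
            '-A '*|'-I '*|'-D '*)                         # rule line; second word is the chain
                rest=${line#-? }; name=${rest%% *}
                [ -n "$table" ] || { echo "line $n: rule outside a table block" >&2; bad=1; }
                case " $chains " in
                    *" $name "*) ;;
                    *) echo "line $n: rule targets undeclared chain '$name'" >&2; bad=1 ;;
                esac ;;
            *) echo "line $n: unrecognised line: $line" >&2; bad=1 ;;
        esac
    done < "$file"
    [ -z "$table" ] || { echo "end of file: '*$table' block has no COMMIT" >&2; bad=1; }
    return $bad
}

# Guarded reload: structural check, then a parse-only dry run (--test), then a
# backup of the live rules with ip6tables-save, then the real restore. If the
# real restore fails, the backup is loaded again. Needs root.
restore_with_rollback() {
    file=$1
    check_ruleset_syntax "$file" || return 1
    ip6tables-restore --test < "$file" || return 1
    backup=$(mktemp)
    ip6tables-save > "$backup"
    if ip6tables-restore < "$file"; then
        echo "restored $file (previous rules kept in $backup)"
    else
        echo "restore failed, rolling back to $backup" >&2
        ip6tables-restore < "$backup"
        return 1
    fi
}

workdir=$(mktemp -d)
write_sample_ruleset "$workdir/good.rules"
# Constructed broken variant: a rule for a chain the block never declares,
# and no COMMIT at the end of the block.
printf '*filter\n:INPUT ACCEPT [0:0]\n-A FORWARD -j DROP\n' > "$workdir/bad.rules"

check_ruleset_syntax "$workdir/good.rules" && echo "good.rules: structure OK"
check_ruleset_syntax "$workdir/bad.rules" || echo "bad.rules: rejected before reaching ip6tables-restore"

if [ "${1:-}" = --apply ]; then
    restore_with_rollback "$workdir/good.rules"
fi
rm -rf "$workdir"
```

Run without arguments the script only exercises the checker on the two constructed files; `sh restore-check.sh --apply` as root performs the guarded reload. The checker catches the class of mistakes the CAVEATS section warns about (hand-edited files that no longer follow ip6tables-save's output format) before any table is touched, and the backup taken with ip6tables-save gives a known-good state to return to, which is what you want when reloading a policy over an SSH session.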

HISTORY

ip6tables-restore is an integral part of the ip6tables suite, which in turn is a component of the broader Netfilter project for the Linux kernel. Its development paralleled the increasing adoption of IPv6, providing a consistent and robust method for managing IPv6 firewall rules, mirroring the functionality already established for IPv4 with iptables-restore. It ensures that complex firewall configurations can be saved, reloaded, and maintained efficiently across system reboots and deployments, reflecting the continuous evolution of Linux networking capabilities.

SEE ALSO

ip6tables(8), ip6tables-save(8), iptables(8), iptables-restore(8), netfilter(7)
