ip6tables-restore
Restore IPv6 firewall rules from a file
TLDR
View documentation for the original command
SYNOPSIS
ip6tables-restore [-c] [-f] [-h] [-n] [-t table] [-v] [-V] [-w[=seconds]] [file]
PARAMETERS
-c, --counters
Restore values of all packet and byte counters from input.
-f, --force
Continue processing despite parse or restore errors.
-h, --help
Display help message and exit.
-n, --noflush
Do not flush existing chains or counters before restore.
-t, --table name
Restore rules only for the specified table (e.g., filter).
-v, --verbose
Enable verbose output during restoration.
-V, --version
Print version information and exit.
-w, --wait[=seconds]
Wait for the xtables lock; if no seconds value is given, wait indefinitely.
DESCRIPTION
ip6tables-restore is a command-line utility for restoring IPv6 packet filtering rules into the Linux kernel's netfilter framework. It reads input from a file or standard input, typically generated by ip6tables-save, which dumps table structures, chains, rules, and counters in a human-readable format. The tool parses this data and applies it atomically, ensuring consistent firewall state restoration.
This is crucial for system administrators managing IPv6 firewalls, allowing quick backups and restores of complex rulesets across reboots or migrations. By default, it flushes existing rules before loading new ones, but options like -n prevent this for incremental updates. Counters can be preserved with -c, and specific tables targeted via -t. Verbose mode aids debugging, while -f forces continuation on parse errors.
Input format includes lines like *filter, :INPUT ACCEPT [0:0], -A INPUT -s ::1 -j ACCEPT, and COMMIT. Requires root privileges or CAP_NET_ADMIN. Commonly used in scripts: ip6tables-save > rules.v6; ip6tables-restore rules.v6.
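A pre-restore structural check for the input format described above, as an added example that is not part of the original page or of the Netfilter project. The function name check_rules_v6 and the sample file are assumptions, and the check is deliberately strict: it accepts only the line kinds listed here (table, chain, -A rule, COMMIT) plus comments and blank lines.

```shell
#!/bin/sh
# check_rules_v6 FILE: print one line per structural problem, return 1 if any.
# (Hypothetical helper; it never calls ip6tables-restore and needs no privileges.)
check_rules_v6() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    /^[ \t]*$/ || /^#/ { next }                 # blank lines and comments
    /^\*/ {                                     # "*filter" opens a table
        if (table != "") bad("table *" table " has no COMMIT")
        table = substr($1, 2); tables++
        split("", chains)                       # forget the previous table chains
        next
    }
    $0 == "COMMIT" {
        if (table == "") bad("COMMIT outside a table")
        table = ""; next
    }
    /^:/ {                                      # ":INPUT ACCEPT [0:0]"
        if (table == "") bad("chain declared outside a table")
        if (NF < 2 || NF > 3) bad("malformed chain line")
        else if ($2 !~ /^(ACCEPT|DROP|-)$/) bad("unexpected policy " $2)
        else if (NF == 3 && $3 !~ /^\[[0-9]+:[0-9]+\]$/) bad("bad counters " $3)
        chains[substr($1, 2)] = 1; next
    }
    {
        i = 1
        if ($1 ~ /^\[[0-9]+:[0-9]+\]$/) i = 2   # optional "[pkts:bytes]" prefix
        if ($i != "-A" || $(i + 1) == "") { bad("unrecognized line"); next }
        if (table == "") bad("rule outside a table")
        else if (!($(i + 1) in chains)) bad("rule for undeclared chain " $(i + 1))
    }
    END {
        if (table != "") { printf "EOF: table *%s has no COMMIT\n", table; errs++ }
        if (tables == 0) { print "EOF: no tables found"; errs++ }
        exit (errs > 0)
    }' "$1"
}

# Constructed sample: a truncated dump (no COMMIT) with a rule for an undeclared chain.
sample=$(mktemp)
printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' '-A INPUT -s ::1 -j ACCEPT' \
    '-A LOGDROP -j DROP' > "$sample"
check_rules_v6 "$sample" || echo "not safe to restore"
rm -f "$sample"
```

Run it on the saved file before the restore step in a script, and skip the restore when it returns non-zero.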
CAVEATS
Input must match the ip6tables-save format exactly; malformed input fails unless -f is used. Requires root or CAP_NET_ADMIN. Not intended for adding individual rules at runtime; use ip6tables for that. IPv6-only; use iptables-restore for IPv4.
HISTORY
Developed as part of the Netfilter project for Linux kernel IPv6 support (circa kernel 2.6+). It mirrors the functionality of iptables-restore, with ongoing updates in iptables 1.4+ and during the transition to nftables. Maintained by the netfilter core team.
SEE ALSO
ip6tables-save(8), ip6tables(8), iptables-restore(8), xtables-lock(8)


