> >>so maybe iptables-restore can do the job the apply rules chain by chain.
>
> just tested with iptables-restore, it works really fine.
> If 1 rule is wrong, the whole ruleset is not applied. So it's atomic, and we don't need
> to manage rollback :)

ok, great.