> Maybe it's better to handle chain and rule creation atomically?
> (and avoid the need to roll back if one iptables command fails)

Looks better, yes. Did you already check how shorewall handles that?
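The atomic mechanism the quoted suggestion is after is iptables-restore: everything between a `*table` header and `COMMIT` is loaded as one unit, so a failure in any line leaves the kernel table untouched and there is nothing to roll back. The script below is an added example written for this reply, not code from the thread or from any project discussed in it; the chain name `WEB_IN`, the ports and the function names are placeholders.

```shell
# Added example, not from the thread: build one iptables-restore ruleset so the
# chain and its rules commit together. Chain name and ports are placeholders.

# Emit a ruleset in iptables-save format. iptables-restore applies everything
# between "*filter" and "COMMIT" as a single unit: if any line fails to parse
# or apply, the kernel table is left as it was, so there is no partial state.
build_ruleset() {
    chain="$1"; shift
    printf '*filter\n'
    # ':NAME - [0:0]' declares the user chain: created if missing, emptied if
    # it already exists (this also holds with --noflush).
    printf ':%s - [0:0]\n' "$chain"
    for port in "$@"; do
        printf '%s\n' "-A $chain -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A $chain -j DROP"
    printf 'COMMIT\n'
}

# Structural check of the text on stdin, usable without root or netfilter:
# exactly one *filter header and exactly one COMMIT.
check_ruleset_text() {
    awk '/^\*filter$/ { h++ } /^COMMIT$/ { c++ } END { exit !(h == 1 && c == 1) }'
}

# Parse-only check against the real tool: --test builds the ruleset without
# committing it. Needs root and a netfilter-capable kernel.
check_ruleset() {
    iptables-restore --test
}

# Apply atomically. --noflush keeps the other chains of the filter table;
# without it, iptables-restore replaces the whole table with this ruleset.
apply_ruleset() {
    iptables-restore --noflush
}

# Usage (as root), e.g.:
#   build_ruleset WEB_IN 80 443 | check_ruleset \
#     && build_ruleset WEB_IN 80 443 | apply_ruleset
```

Atomicity is per table: each `COMMIT` is its own unit, so a ruleset spanning `*filter` and `*nat` can leave the first table committed if the second fails. Keep the chain and its rules in one table block, and run the `--test` pass first so a syntax error never reaches the commit.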