From: "Bo Jacobsen" <subs@systemhouse.dk>
To: netfilter@lists.netfilter.org
Subject: Re: Fw: iptables-save/restore question
Date: Wed, 18 Sep 2002 15:12:00 +0200	[thread overview]
Message-ID: <002901c25f14$fd82fd40$6307a8c0@net> (raw)
In-Reply-To: 3D8723F6.50904@fugmann.dhs.org

> Bo Jacobsen wrote:
> > I run some iptables commands then run iptables -L -n > testfile1 to save the setup.
> > Then I run iptables-restore testfile1 and then run iptables-save again:
> > iptables -L -n > testfile2
> Why don't you use 'iptables-save' to save the rules?

I do, but with this procedure I am trying to verify that running save and restore does nothing to the rules and produces the
same result as running the iptables commands directly from our scripts.
This is of course assuming that iptables -L -n is working.
My point is that IF there is a bug in either iptables-save or restore (with my rules), the diff command will show it.

> 
> > The reason we want to make this test is that we need to be sure that the rules generated directly by
> > the iptables commands are EXACTLY the same as what the iptables-save/restore command pair does.
> Do you distrust the iptables-restore command? If you do, then insert 
> each rule by hand (or through a script). You cannot validate rules 
> the way you described above, even if the saved files were equal.
> 
> Example: Assume a bug is present that results in iptables -L -n listing all 
> IP addresses as 0.0.0.0/0. When you use iptables-restore, the rules 
> then have 0.0.0.0/0 instead of the original IP numbers. Even if 
> iptables-save/iptables-restore produces the same results, you have not 
> proven that iptables-save works, because the original rules did have 
> other IP addresses than 0.0.0.0/0.

That is "perfectly OK", because as long as iptables-save/restore works, the rules are set as expected (I just
don't know it, as the diff shows no errors).
Of course if both the iptables -L -n listing AND iptables-save/restore are not working, THEN it's no good and we are all screwed, but I 
trust the netfilter programmers enough to bet that the chances of that happening are very slim.

> 
> > 
> > One thing is to test that the iptable commands works, another is to blindly trust that our 300 iptable rules
> > are correctly saved and restored by iptables-save/restore (a firewall with 4 different local lans).
> What are you afraid of? iptables-restore not being able to process 300 lines? 
> You trust it to read even 1 rule?
No comments.
> 
> If you cannot trust iptables-restore then do not use it. If you trust 
> it, then trust it enough to assume that iptables-restore would yield an 
> exit value <>0 if any error occurred while setting the rules.
> Regards
> Anders Fugmann
> 
> 
> -- 
> Neo: 'Can you fly that thing?'
> Trinity: 'Not yet'.
> $ apt-get install pilot-prg-v212helicopter.
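
The round-trip check discussed in this thread, written out as a script. This is an added example, not code posted by Bo or Anders. It assumes iptables-save and iptables-restore are on the PATH and that the script runs as root when invoked with --run; the sample dumps embedded below are constructed for illustration and are not taken from the thread. Two details matter for the diff to be meaningful: iptables-save output carries "# Generated by" / "# Completed on" timestamp lines and [packets:bytes] counters that differ between two saves of the same ruleset, so a naive diff always shows noise, and the exit status of iptables-restore has to be checked rather than assumed.

```shell
#!/bin/sh
# Round-trip check for iptables-save / iptables-restore.
# Added example for this thread, not code posted by either participant.
# Assumptions: iptables-save and iptables-restore are on PATH and the script
# runs as root when invoked with --run; the sample dumps below are constructed.

IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# Drop the parts of an iptables-save dump that legitimately differ between two
# saves of the same ruleset: the "# Generated by" / "# Completed on" timestamp
# comments and the [packets:bytes] counters on chain policy lines (or, with
# iptables-save -c, at the start of rule lines).
normalize_save() {
    sed -e '/^# Generated by/d' \
        -e '/^# Completed on/d' \
        -e 's/ *\[[0-9]*:[0-9]*]//' \
        -e 's/^ *//' \
        -e 's/[[:space:]]*$//'
}

# Compare two dumps after normalization. Returns 0 when they match.
dumps_match() {
    a=$(printf '%s\n' "$1" | normalize_save)
    b=$(printf '%s\n' "$2" | normalize_save)
    [ "$a" = "$b" ]
}

# Save, feed the saved dump back through iptables-restore, save again, and
# diff the two dumps. The restore's exit status is checked, not assumed.
roundtrip_check() {
    before=$("$IPT_SAVE") || { echo "iptables-save failed" >&2; return 2; }
    printf '%s\n' "$before" | "$IPT_RESTORE" \
        || { echo "iptables-restore failed (exit $?)" >&2; return 2; }
    after=$("$IPT_SAVE") || { echo "iptables-save failed" >&2; return 2; }
    if dumps_match "$before" "$after"; then
        echo "round-trip OK: restored ruleset matches the original"
        return 0
    fi
    echo "round-trip MISMATCH:" >&2
    tmp_before=$(mktemp) && tmp_after=$(mktemp) || return 2
    printf '%s\n' "$before" | normalize_save > "$tmp_before"
    printf '%s\n' "$after"  | normalize_save > "$tmp_after"
    diff -u "$tmp_before" "$tmp_after" >&2
    rm -f "$tmp_before" "$tmp_after"
    return 1
}

# Constructed sample dumps (not from the thread): the same three rules saved
# twice with different timestamps and counters, plus a corrupted variant that
# shows what the diff would catch.
SAMPLE_BEFORE='# Generated by iptables-save on Wed Sep 18 15:00:01 2002
*filter
:INPUT DROP [12:1024]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [33:4096]
-A INPUT -s 192.168.7.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -d 192.168.99.0/24 -j ACCEPT
COMMIT
# Completed on Wed Sep 18 15:00:01 2002'

SAMPLE_AFTER='# Generated by iptables-save on Wed Sep 18 15:00:07 2002
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:168]
-A INPUT -s 192.168.7.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -d 192.168.99.0/24 -j ACCEPT
COMMIT
# Completed on Wed Sep 18 15:00:07 2002'

# The hypothetical from the thread: addresses came back as 0.0.0.0/0.
SAMPLE_CORRUPT=$(printf '%s\n' "$SAMPLE_AFTER" | sed 's|192\.168\.[0-9.]*/24|0.0.0.0/0|g')

case "${1:-}" in
    --run) roundtrip_check ;;
esac
```

Run as root with `./roundtrip.sh --run` on the live firewall; without --run the script only defines the functions and sample data, so the comparison logic can be exercised on the constructed dumps before touching a real ruleset. Note that the check compares the save output with itself after a restore, which is the thread's test: it proves save and restore are consistent with each other, not that either agrees with what the original iptables commands installed.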
Thread overview: 4+ messages
2002-09-17 10:09 Fw: iptables-save/restore question Bo Jacobsen
2002-09-17 12:45 ` Anders Fugmann
2002-09-18 13:12   ` Bo Jacobsen [this message]
2002-09-17 13:39 ` Axel Heinrici