* how to delete *some* netfilter rules?
@ 2002-06-14 16:18 Pavel Mores
2002-07-05 11:49 ` Jan Humme
0 siblings, 1 reply; 3+ messages in thread
From: Pavel Mores @ 2002-06-14 16:18 UTC (permalink / raw)
To: netfilter
Hello,
the problem I'm facing now might well be already solved by someone else
so I thought I'd better ask.
My filter table is filled by several separate independent scripts, each
serving a distinct purpose. Say that I use one script to generate
firewalling rules and another to enter a couple of packet accounting
rules needed by a monitoring subsystem. Now, what if I want to flush
the firewalling rules *without* disturbing the traffic monitoring rules?
It certainly is possible to add to the firewall script a "delete_rules"
function that would basically mimic my "insert_rules" function, only
with -D instead of -A or -I. But this tends to be ugly and avoiding the
need to edit 2 places for every single change is not easy in bash (can't
use perl there).
I thought about placing rules with different purpose into different user
chains, like, having a "FIREWALL-INPUT", "FIREWALL-FORWARD",
"TRAFFIC-MONITOR" etc. chains that would be called from the predefined
chains. Resetting a subsystem would mean just flushing one or two
user-defined chains. Well, this *is* simple but it assumes that rules
entered by different subsystems can't be traversed in arbitrary order -
which might turn out a severe limitation.
Basically, what I'm looking for is a way to mark rules with "owner" or
"user" id and then just say "delete any rule where the owner is
firewall". Does anyone know a simple and robust way how to handle this?
Thanks in advance.
pvl
P.S. Please Cc: your replies to me since I'm not subscribed to this
list.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: how to delete *some* netfilter rules?
2002-06-14 16:18 how to delete *some* netfilter rules? Pavel Mores
@ 2002-07-05 11:49 ` Jan Humme
2002-07-05 13:57 ` Martin Tomasek
0 siblings, 1 reply; 3+ messages in thread
From: Jan Humme @ 2002-07-05 11:49 UTC (permalink / raw)
To: Pavel Mores, netfilter
On Friday 14 June 2002 18:18, Pavel Mores wrote:
> Hello,
>
> the problem I'm facing now might well be already solved by someone else
> so I thought I'd better ask.
>
> My filter table is filled by several separate independent scripts, each
> serving a distinct purpose. Say that I use one script to generate
> firewalling rules and another to enter a couple of packet accounting
> rules needed by a monitoring subsystem. Now, what if I want to flush
> the firewalling rules *without* disturbing the traffic monitoring rules?
>
> It certainly is possible to add to the firewall script a "delete_rules"
> function that would basically mimic my "insert_rules" function, only
> with -D instead of -A or -I. But this tends to be ugly and avoiding the
> need to edit 2 places for every single change is not easy in bash (can't
> use perl there).
Your bash script could look like this:
#!/bin/bash
ADD=-A
INS=-I
if [ -n "$1" ]; then
if [ "$1" != "delete" ]; then
echo usage: $0 [delete]
exit 1
fi
ADD=-D
INS=-D
fi
#examples:
iptables $ADD INPUT -i eth0 10.0.0.0/8 -j DROP
iptables $INS OUTPUT -i eth0 192.168.0.0/16 -j DROP
# etc etc etc
Now:
1) If you run your script w/o any parameter, it works like today.
2) If your provide the text "delete" as the second parameter, it deletes all
the rules.
3) In all other cases, it prints an error message.
>P.S. Please Cc: your replies to me since I'm not subscribed to this
list.
Please do.
Jan Humme.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2002-07-05 13:57 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-06-14 16:18 how to delete *some* netfilter rules? Pavel Mores
2002-07-05 11:49 ` Jan Humme
2002-07-05 13:57 ` Martin Tomasek
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.