From: "John A. Sullivan III" <jsullivan@opensourcedevelopmentcorp.com>
To: Victor Julien <victor@nk.nl>
Cc: Netfilter Developers List <netfilter-devel@lists.netfilter.org>
Subject: Re: Creating rules without the /sbin/iptables command?
Date: Thu, 18 Mar 2004 06:29:06 -0500	[thread overview]
Message-ID: <1079609346.2009.9.camel@localhost> (raw)
In-Reply-To: <40594EFE.2000004@nk.nl>

On Thu, 2004-03-18 at 02:25, Victor Julien wrote:
> Henrik Nordstrom wrote:
> > On Wed, 17 Mar 2004, Victor Julien wrote:
> > 
> > 
> >>This might be a big improvement, but it leaves me with one possible
> >>problem. When adding and removing rules on-the-fly I can't use this
> >>method, right?
> > 
> > 
> > You can. There is a --noflush option to iptables-restore to not flush the
> > existing rules, allowing you to use iptables-restore to add/modify/delete
> > existing rules without having to specify the whole ruleset.
> > 
> > 
> >>Wouldn't it be nice if there was a C function which I could call, which
> >>would do all the checking and other stuff the command-line iptables does,
> >>but, because it's a C function, way faster? Would it be easy (or even
> >>possible) to implement such a function?
> > 
> > 
> > Such a C function would only be marginally faster than having a pipe to
> > iptables-restore.
> > 
> > iptables-restore has the exact same capabilities as iptables; the only
> > difference is that iptables-restore is batch oriented, compiling all your
> > changes and then uploading them into the kernel in one single call, while
> > iptables makes one modification to the table per call.
> > 
> > iptables-restore accepts the exact same set of commands as iptables, with
> > only some minor syntactic sugar differences.
> > 
> > Syntax for iptables-restore input is
> > 
> > *tablename
> > start working on rules in table "tablename". Equivalent to the -t option 
> > to iptables.
> > 
> > :chainname policy
> > specifies the default policy for chain "chainname". Equivalent to the 
> > iptables -P command. Probably also works just fine to use the -P command 
> > but I have not tried.
> > 
> > COMMIT
> > Uploads the current table (specified by *tablename) to the kernel.
> > 
> > #....
> > Input lines starting with # are assumed to be comments and are ignored
> > 
> > Any other lines are assumed to be iptables commands per the iptables 
> > syntax specification.
> > 
> > iptables commands may be prefixed by [packetcnt:bytecnt] which gets
> > automatically translated into --set-counters packetcnt bytecnt before the
> > command is executed within iptables-restore. The two syntaxes are
> > equivalent.
> > 
> > 
> > Don't be fooled by the fact that iptables-save only uses the -A command or
> > by the name iptables-restore. What iptables-restore is is a batch version
> > of iptables with all the capabilities of iptables, not just a tool to
> > restore complete tables saved by iptables-save.
> > 
> > Regards
> > Henrik
> > 
> > 
> 
> Okay, let's see if I understand what you mean. Say I have an initial
> ruleset which looks like this, loaded with 'iptables-restore':
> 
> *filter
> :FORWARD DROP
> -A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
> -A FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
> -A FORWARD -p tcp -s 192.168.0.3 --dport 80 -j ACCEPT
> COMMIT
> 
> and sometime later I want to replace 192.168.0.2 by 192.168.0.4 (in
> exactly the same place):
> 
> *filter
> :FORWARD DROP
> -D FORWARD -p tcp -s 192.168.0.2 --dport 80 -j ACCEPT
> -I FORWARD 2 -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
> COMMIT
> 
> and then 'iptables-restore -n', right?
I believe that is correct, although I also believe you can dispense with
the :FORWARD DROP since you already had it in the first rule set. You
could also use
-R FORWARD 2 -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
to just replace the rule, although I confess to never having tried that
in an iptables-restore file.
> 
> But the easiest way would be to recreate the initial ruleset with the
> updated rules:
> 
> *filter
> :FORWARD DROP
> -A FORWARD -p tcp -s 192.168.0.1 --dport 80 -j ACCEPT
> -A FORWARD -p tcp -s 192.168.0.4 --dport 80 -j ACCEPT
> -A FORWARD -p tcp -s 192.168.0.3 --dport 80 -j ACCEPT
> COMMIT
> 
> and then just call iptables-restore. This way I won't have to calculate
> where I want to insert the rules, which can be quite complex with many
> changes in large rulesets. Is this correct?
Yes, although when ISCS is released (http://iscs.sourceforge.net), it
will provide an alternative to having to track rule order (massive
oversimplification here but it is not the topic at hand).
> 
> The last method should still be way faster than my current method, I
> guess. Is this right?
I have found it to be dramatically faster - John
> 
> Regards,
> Victor
-- 
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com
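The --noflush workflow worked out in the thread above, as an added example that is not code from the thread or from any netfilter tool: it parses the iptables-restore syntax Henrik lists (*table, :chain policy, COMMIT, # comments, [pkt:bytes] counter prefixes), diffs two saved rulesets, and emits only the -D/-I lines (or, with use_replace, the -R John mentions) for `iptables-restore --noflush`, computing the positions Victor would otherwise have to track by hand. The function names and the sample hosts are my own; the sample ruleset is constructed in the shape of Victor's FORWARD chain.

```python
import difflib
import re

COUNTER_RE = re.compile(r"^\[\d+:\d+\]\s*")   # optional [pkt:bytes] counter prefix on saved rules

def parse_restore(text):
    """iptables-restore text -> {table: {chain: [rule specs]}} (syntax as described in the thread)."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comment lines are ignored
            continue
        if line.startswith("*"):                  # *tablename
            table = tables.setdefault(line[1:], {})
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):                # :chain policy [counters]
            table.setdefault(line[1:].split()[0], [])
        else:
            parts = COUNTER_RE.sub("", line).split()
            if parts[0] != "-A":                  # saved rulesets use only -A
                raise ValueError("unsupported command: " + line)
            table.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return tables

def noflush_batch(old_text, new_text, use_replace=False):
    """Batch for `iptables-restore --noflush` touching only rules that differ.
    Opcodes are applied in order, so each 1-based position is simply j+1; deletes
    go by rule number rather than by spec so duplicated rules are never mis-targeted."""
    old, new = parse_restore(old_text), parse_restore(new_text)
    out = []
    for table, chains in new.items():             # chains absent from new are left alone
        cmds = []
        for chain, rules in chains.items():
            have = old.get(table, {}).get(chain, [])
            ops = difflib.SequenceMatcher(a=have, b=rules, autojunk=False).get_opcodes()
            for tag, i1, i2, j1, j2 in ops:
                if tag == "replace" and use_replace and i2 - i1 == j2 - j1:
                    cmds += ["-R %s %d %s" % (chain, j + 1, rules[j]) for j in range(j1, j2)]
                elif tag != "equal":
                    cmds += ["-D %s %d" % (chain, j1 + 1)] * (i2 - i1)
                    cmds += ["-I %s %d %s" % (chain, j + 1, rules[j]) for j in range(j1, j2)]
        if cmds:
            out += ["*" + table] + cmds + ["COMMIT"]
    return "\n".join(out) + "\n" if out else ""

def ruleset(hosts):   # constructed sample shaped like Victor's FORWARD chain (not real data)
    rules = "\n".join("-A FORWARD -p tcp -s %s --dport 80 -j ACCEPT" % h for h in hosts)
    return "*filter\n:FORWARD DROP\n%s\nCOMMIT\n" % rules
```

Feeding the returned text to `iptables-restore --noflush` applies only the changed rules; an empty result means the two rulesets already match.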
