From: "John A. Sullivan III" <jsullivan@opensourcedevel.com>
To: "Oleg A. Arkhangelsky" <sysoleg@progtech.ru>
Cc: netfilter@lists.netfilter.org
Subject: Re: remove duplicate rules
Date: Mon, 28 Nov 2005 08:19:55 -0500
Message-ID: <1133183995.2605.7.camel@localhost>
In-Reply-To: <686184511.20051126155508@progtech.ru>

On Sat, 2005-11-26 at 15:55 +0300, Oleg A. Arkhangelsky wrote:
> Hello amit,
> 
> Saturday, November 26, 2005, 3:39:14 PM, you wrote:
> 
> ap> same iptables.  I want to stop this, if the same rule exists the iptables
> ap> should give some error or should add the same rule again.
> ap> Please help me.
> 
>     I think you should manually check the existence of possible
>     duplicate before adding rule. Also you can do something like:
> 
>     iptables -D INPUT -d 192.168.0.2/32 -i eth1 -j DROP
>     iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
> 
>     Then you will never get duplicates.
>     But the first way is more correct.
> 
Oleg's suggestion seems easiest and wisest.  However, if you absolutely
must check for duplicate rules in an automated way, perhaps you can
adapt this bash scripting snippet that we use in the ISCS network
security management project (http://iscs.sourceforge.net) when we
dynamically alter iptables rules based upon the connecting user's X.509
certificate:

        # ERRDupIP, PEPDIR and PLUTO_PEER_CLIENT_NET are set by the
        # surrounding ISCS/Pluto environment, not by this snippet.
        # A private temp file replaces the fixed, predictable /tmp name.
        iptList=$(mktemp) || exit 1
        iptables -n -L VPN_ALLOW > "$iptList"
        while read -r IPs
        do
                # Strip " $PLUTO_PEER_CLIENT_NET " from the line (bash
                # substitution); if the line changed, the address is already
                # present in the chain.  Note that iptables -n -L prints
                # single-host rules without the /32 suffix.
                if [ "${IPs/" $PLUTO_PEER_CLIENT_NET "/}" != "$IPs" ]
                then
                        echo "X509updown error message: A connection already exists for $PLUTO_PEER_CLIENT_NET - connection refused" >&2
                        rm -f "$iptList"
                        exit $ERRDupIP
                fi
        done < "$iptList"
        rm -f "$iptList"
        . "$PEPDIR/DNRead" A
        rc=$?            # capture before the [ ] test overwrites $?
        if [ "$rc" != "0" ]
        then
                echo " DNRead exited abnormally with exit code $rc" >&2
        fi

It basically dumps the rules of a particular chain to a file, parses the
file line by line and attempts to remove the proposed IP address.  If it
finds a line which does include the IP address (i.e., attempting to
remove the IP address actually does change the line), it fails.  Hope
this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
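Added example, not code from this thread or from the ISCS project: the same duplicate-detection idea applied to `iptables-save` output instead of `iptables -L`. The `-A` lines in that format use the same syntax as the original commands, so a duplicate is an exact string match per table and chain. The script reports duplicated rules, generates the `iptables -D` commands that remove the surplus copies (the original question), and offers a pre-insert check like John's loop; the listing below is a constructed sample.

```python
import re
from collections import Counter

# Constructed sample of `iptables-save` output (not from the thread): the INPUT
# chain holds the same DROP rule twice, plus one unrelated ACCEPT rule.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth1 -j ACCEPT
-A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")

def parse_rules(save_text):
    """Yield (table, chain, rule_body) for every -A line in iptables-save output."""
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()          # "*filter" -> "filter"
        elif line.startswith("-A ") and table is not None:
            chain, body = RULE_RE.match(line).groups()
            yield table, chain, body

def find_duplicates(save_text):
    """Return {(table, chain, body): count} for rules present more than once."""
    counts = Counter(parse_rules(save_text))
    return {key: n for key, n in counts.items() if n > 1}

def delete_commands(save_text):
    """Build the `iptables -D` commands that drop every extra copy of a rule.
    -D deletes the first matching rule, so one command per surplus copy
    suffices and the position of the copies in the chain does not matter."""
    cmds = []
    for (table, chain, body), n in sorted(find_duplicates(save_text).items()):
        cmds += [f"iptables -t {table} -D {chain} {body}"] * (n - 1)
    return cmds

def would_duplicate(save_text, table, chain, body):
    """Pre-insert check: is this exact rule already in the chain? The comparison
    is textual, so write the rule the way iptables-save prints it (for
    example with an explicit /32 on single host addresses)."""
    return (table, chain, body) in set(parse_rules(save_text))

if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_SAVE):
        print(cmd)
```

On a live system, feed it `iptables-save` output (for example `iptables-save | python3 dedup.py`, reading stdin in place of the sample) and review the printed commands before running them.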


