* remove duplicate rules
From: amit pasari @ 2005-11-26 12:39 UTC (permalink / raw)
To: netfilter
hello,
I have been using iptables for quite some time. Now my problem is: if I add
multiple copies of the same rule to iptables, it accepts N entries. So can
anybody tell me how to avoid that, or how I can check whether the same rule
already exists before appending it to the table?
Eg: iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
I have added the above rule 10 or 20 times, but the system never says the
above rule exists. Can anybody tell me how I can check or avoid this?
My issue is not the performance point! Actually I am running some scripts
which add rules when a user logs in and delete some rules when they log
out. But sometimes these scripts malfunction and the entries don't get
deleted OR added, and when the user logs in again it adds one more rule to the
same iptables. I want to stop this: if the same rule exists, iptables
should give some error or should add the same rule again.
Please help me.
Thanks in advance.
amit
* Re: remove duplicate rules
From: Oleg A. Arkhangelsky @ 2005-11-26 12:55 UTC (permalink / raw)
To: netfilter
Hello amit,
Saturday, November 26, 2005, 3:39:14 PM, you wrote:
ap> same iptables. I want to stop this , if the same rule exists the iptables
ap> should give some error or should add the same rule again .
ap> Please help me .
I think you should manually check for the existence of a possible
duplicate before adding the rule. Also you can do something like:
iptables -D INPUT -d 192.168.0.2/32 -i eth1 -j DROP
iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
Then you will never get duplicates.
But the first way is more correct.
--
Best regards,
Oleg
* Re: remove duplicate rules
From: John A. Sullivan III @ 2005-11-28 13:19 UTC (permalink / raw)
To: Oleg A. Arkhangelsky; +Cc: netfilter
On Sat, 2005-11-26 at 15:55 +0300, Oleg A. Arkhangelsky wrote:
> Hello amit,
>
> Saturday, November 26, 2005, 3:39:14 PM, you wrote:
>
> ap> same iptables. I want to stop this , if the same rule exists the iptables
> ap> should give some error or should add the same rule again .
> ap> Please help me .
>
> I think you should manually check the existence of possible
> duplicate before adding rule. Also you can do something like:
>
> iptables -D INPUT -d 192.168.0.2/32 -i eth1 -j DROP
> iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
>
> Then you will never get duplicates.
> But the first way is more correct.
>
Oleg's suggestion seems easiest and wisest. However, if you absolutely
must check for duplicate rules in an automated way, perhaps you can
adapt this bash scripting snippet that we use in the ISCS network
security management project (http://iscs.sourceforge.net) when we
dynamically alter iptables rules based upon the connecting user's X.509
certificate:
# $PLUTO_PEER_CLIENT_NET and $PEPDIR come from the calling environment
# (pluto / X509updown); $ERRDupIP is an exit code defined elsewhere in ISCS.
iptList=$(mktemp) || exit 1          # private file rather than a fixed, guessable /tmp name
trap 'rm -f "$iptList"' EXIT
iptables -n -L VPN_ALLOW > "$iptList"
while read IPs
do
	# Strip " $NET " from the line; if the line changed, the net is already
	# listed. Note that "iptables -n -L" prints a /32 as a bare address, so a
	# PLUTO_PEER_CLIENT_NET written as a.b.c.d/32 would never match here.
	if [ "${IPs/" $PLUTO_PEER_CLIENT_NET "/}" != "$IPs" ]
	then
		echo "X509updown error message: A connection already exists for $PLUTO_PEER_CLIENT_NET - connection refused" >&2
		exit $ERRDupIP
	fi
done < "$iptList"
. $PEPDIR/DNRead A
rc=$?                                # capture before the test below resets $?
if [ "$rc" != "0" ]
then
	echo " DNRead exited abnormally with exit code $rc" >&2
fi
It basically dumps the rules of a particular chain to a file, parses the
file line by line and attempts to remove the proposed IP address. If it
finds a line which does include the IP address (i.e., attempting to
remove the IP address actually does change the line), it fails. Hope
this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
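Oleg's advice (check before appending) and John's snippet (dump the chain and look for the rule) are the same idempotent-add idea. The script below is an added example written for this page, not code from the thread or from the ISCS project. It uses iptables -C, the check command that iptables 1.4.11 introduced in 2011, long after this thread, and falls back to an exact-line comparison against iptables-save output for older tools, since iptables-save prints one "-A CHAIN <spec>" line per rule in canonical option order and is far easier to compare than the column layout of "iptables -n -L". The sample dump, variable names and function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or the ISCS project: append a rule
# only if it is not already present, and remove copies that have built up.
# "iptables -C" (iptables >= 1.4.11) asks the kernel, so argument order and
# address normalisation do not matter; the textual fallback compares whole
# iptables-save lines and is only as good as the spelling of the rule.

IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}

# count_rule DUMP CHAIN RULESPEC -> how many lines of DUMP (iptables-save
# format) are exactly "-A CHAIN RULESPEC". Exact line match: a rule written
# with its options in another order is not found (see -C above).
count_rule() {
    printf '%s\n' "$1" | awk -v want="-A $2 $3" '$0 == want { n++ } END { print n + 0 }'
}

# rule_present DUMP CHAIN RULESPEC -> exit status 0 if the rule occurs at least once
rule_present() {
    [ "$(count_rule "$1" "$2" "$3")" -gt 0 ]
}

# add_rule_once CHAIN RULESPEC -> append the rule unless it already exists.
# $spec is deliberately unquoted where it reaches iptables so that
# "-d 192.168.0.2/32 -i eth1 -j DROP" becomes separate arguments. Needs root.
add_rule_once() {
    chain=$1; spec=$2
    if "$IPTABLES" -C "$chain" $spec 2>/dev/null; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "already present in $chain: $spec" >&2; return 0 ;;
        1) ;;   # -C understood, no matching rule
        *) # exit 2 (option unknown: iptables predates -C) or 127 (not found):
           # fall back to a textual check against iptables-save
           if rule_present "$("$IPTABLES_SAVE")" "$chain" "$spec"; then
               echo "already present in $chain: $spec" >&2; return 0
           fi ;;
    esac
    "$IPTABLES" -A "$chain" $spec
}

# delete_extra_copies CHAIN RULESPEC -> leave exactly one copy of the rule.
# Each "iptables -D" removes only the first matching rule, hence the loop.
# Needs root.
delete_extra_copies() {
    chain=$1; spec=$2
    n=$(count_rule "$("$IPTABLES_SAVE")" "$chain" "$spec")
    while [ "$n" -gt 1 ]; do
        "$IPTABLES" -D "$chain" $spec
        n=$((n - 1))
    done
}

# Constructed sample dump (no root needed): what iptables-save shows after a
# misbehaving login script appended the 192.168.0.2 rule twice.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
-A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
-A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
-A INPUT -d 192.168.0.3/32 -i eth1 -j DROP
COMMIT'

count_rule "$SAMPLE_DUMP" INPUT "-d 192.168.0.2/32 -i eth1 -j DROP"   # 2
count_rule "$SAMPLE_DUMP" INPUT "-d 192.168.0.3/32 -i eth1 -j DROP"   # 1
# As root:
#   add_rule_once INPUT "-d 192.168.0.2/32 -i eth1 -j DROP"
#   delete_extra_copies INPUT "-d 192.168.0.2/32 -i eth1 -j DROP"
```

The counting demo at the bottom runs on the constructed dump without privileges; add_rule_once and delete_extra_copies change the live ruleset and need root. Because the fallback compares whole lines, a rule typed as "-i eth1 -d 192.168.0.2/32 -j DROP" is not recognised as the rule that iptables-save prints in "-d ... -i ..." order, which is exactly why -C, which lets the kernel compare, is the check to prefer wherever it is available.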
* RE: remove duplicate rules
From: Derick Anderson @ 2005-11-28 17:15 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of
> Oleg A. Arkhangelsky
> Sent: Saturday, November 26, 2005 7:55 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: remove duplicate rules
>
> Hello amit,
>
> Saturday, November 26, 2005, 3:39:14 PM, you wrote:
>
> ap> same iptables. I want to stop this , if the same rule exists the
> ap> iptables should give some error or should add the same
> rule again .
> ap> Please help me .
>
> I think you should manually check the existence of possible
> duplicate before adding rule. Also you can do something like:
>
> iptables -D INPUT -d 192.168.0.2/32 -i eth1 -j DROP
> iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
>
> Then you will never get duplicates.
> But the first way is more correct.
>
> --
> Best regards,
> Oleg
>
Just don't use that method remotely.
Derick Anderson
* Re: remove duplicate rules
From: /dev/rob0 @ 2005-11-28 23:50 UTC (permalink / raw)
To: netfilter
On Monday 2005-November-28 11:15, Derick Anderson wrote:
> > I think you should manually check the existence of possible
> > duplicate before adding rule. Also you can do something like:
> >
> > iptables -D INPUT -d 192.168.0.2/32 -i eth1 -j DROP
> > iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
> >
> > Then you will never get duplicates.
> > But the first way is more correct.
> Just don't use that method remotely.
Sure, just do them as a single command separated by ";".
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: remove duplicate rules
From: Steven M Campbell @ 2005-11-29 19:28 UTC (permalink / raw)
To: netfilter
/dev/rob0 wrote:
> On Monday 2005-November-28 11:15, Derick Anderson wrote:
>
>>> I think you should manually check the existence of possible
>>> duplicate before adding rule. Also you can do something like:
>>>
>>> iptables -D INPUT -d 192.168.0.2/32 -i eth1 -j DROP
>>> iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
>>>
>>> Then you will never get duplicates.
>>> But the first way is more correct.
>>>
>
>
>> Just don't use that method remotely.
>>
>
> Sure, just do them as a single command separated by ";".
>
It occurs to me that some rules may indeed be present multiple times in
a table. For instance VOIP QOS, where you regularly take an action
based on TOS fields on input and later alter the TOS fields and perhaps
take that action again based on the same TOS field data, in which case
the above might cause one to remove the wrong rule! iptables is
essentially a computer program; it is a sequence of events, not just an
unordered list of rules. For myself, I would take much greater steps in
the handling of rule insertion than just seeing if that rule exists
somewhere in the INPUT table. It may work fine for even the majority of
iptables sets but it's definitely not a universal solution. The
universal solution is to not put the extraneous rules in the table in
the first place and, to do that programmatically, the iptables sets and
the program altering the sets need to agree upon a structure that allows
this.
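Steven's point that a ruleset is an ordered program, and the earlier warning about running "-D then -A" on a remote box, both argue for not editing rules in place at all. The script below is an added example for this page, not the thread's or the ISCS project's code: the login script owns a dedicated chain (VPN_ALLOW, a hypothetical name), keeps the desired state in a plain file, and rebuilds the chain from that file with iptables-restore --noflush. Every ordinary iptables invocation replaces the whole table, so Oleg's two commands leave an interval in which the rule is absent even when typed on one line; iptables-restore commits the rebuilt chain in a single replacement, and because the chain is regenerated rather than edited, -D is never asked to pick one of several identical rules. The state file path, chain name and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the ISCS project: keep the
# per-login rules in a dedicated chain that is rebuilt from a desired-state
# file with one atomic iptables-restore commit, instead of -A/-D edits.
# Assumed, hypothetical names: chain VPN_ALLOW in the filter table, a jump
# "iptables -I INPUT -j VPN_ALLOW" installed once at boot, and a state file
# holding one client address per line.

IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# list_add FILE ADDR -> append ADDR unless it is already listed
list_add() {
    touch "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# list_remove FILE ADDR -> drop every line equal to ADDR
list_remove() {
    touch "$1"
    grep -vxF -- "$2" "$1" > "$1.tmp" || true   # grep -v exits 1 when nothing remains
    mv "$1.tmp" "$1"
}

# render_chain_restore CHAIN ADDR... -> iptables-restore input that declares
# CHAIN, empties it and re-adds one ACCEPT rule per distinct address, in the
# order given. awk '!seen[$0]++' keeps the first copy of each line, so a
# duplicate in the input collapses to one rule while order is preserved.
render_chain_restore() {
    chain=$1; shift
    printf '%s\n' '*filter' ":$chain - [0:0]" "-F $chain"
    for addr in "$@"; do
        printf '%s\n' "-A $chain -s $addr/32 -j ACCEPT"
    done | awk '!seen[$0]++'
    printf '%s\n' 'COMMIT'
}

# apply_chain CHAIN FILE -> rebuild CHAIN from FILE. The stanza is committed to
# the kernel as one table replacement, so no packet sees the chain half-built.
# --noflush is essential: without it this stanza would replace the entire
# filter table and wipe INPUT, FORWARD and OUTPUT. Needs root.
apply_chain() {
    chain=$1; file=$2
    render_chain_restore "$chain" $(cat "$file") | "$IPT_RESTORE" --noflush
}

# Hooks for the login/logout scripts; serialise concurrent logins on FILE
# (for example with flock) before calling these.
on_login()  { list_add    "$2" "$3"; apply_chain "$1" "$2"; }
on_logout() { list_remove "$2" "$3"; apply_chain "$1" "$2"; }

# Stand-alone demo on constructed addresses (no root, nothing applied):
# the repeated 10.8.0.2 yields a single rule.
render_chain_restore VPN_ALLOW 10.8.0.2 10.8.0.3 10.8.0.2
# As root: on_login VPN_ALLOW /run/vpn_allow.list 10.8.0.2
```

The jump into the chain is installed once, outside this script, so the position of the per-user rules within the INPUT sequence is fixed by the administrator rather than by whichever login happened last, which is the agreed structure Steven asks for. Concurrent logins must serialise on the state file before rendering, or one rebuild can silently undo another.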