From: David Cannings <lists@edeca.net>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: Unique IDs for rules?
Date: Mon, 19 Jan 2004 17:38:26 +0000
Message-ID: <200401191738.26995.lists@edeca.net>
In-Reply-To: <Pine.LNX.4.44.0401191700100.11664-100000@filer.marasystems.com>

On Monday 19 January 2004 4:03 pm, Henrik Nordstrom wrote:
> On Mon, 19 Jan 2004, David Cannings wrote:
> > I want to do similar with other rules elsewhere in the chain but I
> > can't be sure that they'll always be number 12, for example.  This
> > makes grepping for them a little harder.  Would it be possible to
> > have some sort of "comment" field for each rule so that some sort of
> > token or unique ID for the rule could be inserted.  That way, it
> > would simply be a case of "iptables -L -v | grep 'token'".
>
> There was a dummy match posted some time ago intended for this purpose,
> or at least it was discussed. This adds very little extra overhead
> provided the match is the last match used in the rule.
>
> As an alternative you can always have the target rule in a custom chain
> with a jump in the main chain. This way you always know where to look.
> This adds marginally more overhead than the above if done
> correctly.

An excellent idea, thank you.  Doing it this way, I will also be able to 
count bytes in/out of specific ports (such as HTTP) which will let me 
graph even more useless statistics!  One last question, however.  I've 
created a new chain called COUNTER.  In this chain, I've got two rules:

iptables -A COUNTER -i eth0
iptables -A COUNTER -o eth0

To count packets in and out of eth0, respectively.  I then jump to this 
chain from the top of both INPUT and OUTPUT, using a rule:

iptables -I INPUT -j COUNTER
iptables -I OUTPUT -j COUNTER

Is it "safe" to jump like this from both input and output chains to one 
shared chain?  As I am not affecting the destiny of the packet (and it seems 
iptables lets me) I feel it must be, however I thought I would check 
first.

Thanks again,

David
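
The setup described in this message, written out as an added example that is not part of the thread: a COUNTER chain entered from the top of INPUT and OUTPUT, holding target-less rules that only bump counters, plus per-port HTTP rules. Rules are tagged with the `comment` match (`-m comment --comment`) that current iptables ships, so they can be located by token rather than by rule number; that match is not the "dummy match" Henrik refers to, and is assumed here. The `iptables -L COUNTER -v -x -n` listing at the bottom is constructed sample output so the grep helper can be exercised without root.

```sh
#!/bin/sh
# Added example, not code from the original message.
# IPT can be overridden for a dry run: IPT=echo sh counter.sh --setup

IPT="${IPT:-iptables}"

setup_counters() {
    # Create the chain, or flush it if a previous run left one behind.
    "$IPT" -N COUNTER 2>/dev/null || "$IPT" -F COUNTER

    # Counting rules carry no -j, so a packet is never accepted, dropped
    # or redirected here; it just falls through and RETURNs to the caller.
    # Each rule is tagged with a token via the comment match (assumed to
    # be available; it is an extension in modern iptables).
    "$IPT" -A COUNTER -i eth0 -m comment --comment "cnt:eth0-in"
    "$IPT" -A COUNTER -o eth0 -m comment --comment "cnt:eth0-out"
    # Per-port counters. Binding -i/-o keeps "http-in" from also counting
    # locally originated requests to remote port 80.
    "$IPT" -A COUNTER -i eth0 -p tcp --dport 80 -m comment --comment "cnt:http-in"
    "$IPT" -A COUNTER -o eth0 -p tcp --sport 80 -m comment --comment "cnt:http-out"

    # Enter the shared chain from the top of both INPUT and OUTPUT.
    "$IPT" -I INPUT 1 -j COUNTER
    "$IPT" -I OUTPUT 1 -j COUNTER
}

# counter_for TOKEN: read an `iptables -L COUNTER -v -x -n` listing on
# stdin and print "pkts bytes" for the rule tagged with TOKEN.
# Exits 1 if no rule carries that token.
counter_for() {
    awk -v tok="/* $1 */" '
        index($0, tok) > 0 { print $1, $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listing (what `iptables -L COUNTER -v -x -n` prints
# once the chain above has seen some traffic). Column 1 is pkts, column
# 2 is bytes; the target column is empty for target-less rules.
SAMPLE_LISTING='Chain COUNTER (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      15000            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* cnt:eth0-in */
     980    1234567            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* cnt:eth0-out */
      42       4200            tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* cnt:http-in */
      37      12000            tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp spt:80 /* cnt:http-out */'

if [ "${1:-}" = "--setup" ]; then
    setup_counters
fi

# Live use would be: iptables -L COUNTER -v -x -n | counter_for cnt:http-in
printf '%s\n' "$SAMPLE_LISTING" | counter_for cnt:http-in
```

Because every packet entering INPUT or OUTPUT walks the whole COUNTER chain, each rule's counters accumulate from both directions; the `-i`/`-o` qualifiers are what keep the "in" and "out" numbers separate, not the calling chain. Counters are also reset by `-Z` and lost across a flush, so a grapher should poll with `-x` and store deltas rather than trusting absolute values.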


Thread overview: 5+ messages
2004-01-19 13:31 Unique IDs for rules? David Cannings
2004-01-19 16:03 ` Henrik Nordstrom
2004-01-19 17:38   ` David Cannings [this message]
2004-01-19 17:52     ` Henrik Nordstrom
2004-01-19 18:04     ` Brad Fisher
