From: Herve Eychenne <rv@wallfire.org>
To: Netfilter Development <netfilter-devel@lists.netfilter.org>
Subject: iptables and iptables-restore syntaxical testing
Date: Fri, 20 Aug 2004 18:57:25 +0200
Message-ID: <20040820165725.GG4883@eychenne.org>
Hi,
I just discovered iptables-restore -t today. It is exactly what I was
looking for, a means to validate the iptables-save file format (possibly
generated by a tool like wallfire) without having to commit any changes
to the kernel.
If I only discovered it today, it's because I looked at the code: this
option was not documented in the manpage.
However, I think that the letter chosen for this option (-t) is not very
accurate:
- I'm also looking for a way to restore only a particular table, and I
cannot think of another option than
# iptables-restore -t table
to do that
- This kind of test option should (I need it) be transposed to iptables
command as well (it's quite useful to test the syntax and the proper
loading/availability of matches without applying real changes).
And of course, iptables -t switch is already taken... It would be
better for homogeneity if both commands had the same option letter.
What I would suggest is:
- implementing this test mechanism at a higher level (in iptc library) by
adding a nocommit variable to the structure, and get iptables and
iptables-restore to take advantage of it (I guess it's the only
proper way to do it for iptables as libiptc itself already calls
iptc_commit internally at several places, so preventing iptables.c to
call iptc_commit would not be enough).
- adding a common switch to these two commands (iptables and
iptables-restore), one that is not already taken by iptables, of
course. Why not -S, --simulate ?
As far as the backward compatibility with iptables-restore is concerned,
I don't think turning -t/--test into -S/--simulate and adding -t/--table
would be very harmful, as I suspect the number of people using this
undocumented feature can be counted on the fingers of my hand.
Conclusion: if no one stands up and shouts against this proposal
within the next two days, expect a patch very soon.
Herve
--
Hervé Eychenne
WallFire project: http://www.wallfire.org/