From: Herve Eychenne
Subject: iptables and iptables-restore syntactical testing
Date: Fri, 20 Aug 2004 18:57:25 +0200
Message-ID: <20040820165725.GG4883@eychenne.org>
To: Netfilter Development
List-Id: netfilter-devel.vger.kernel.org

Hi,

I just discovered iptables-restore -t today. It is exactly what I was looking for, a means to validate the iptables-save file format (possibly generated by a tool like wallfire) without having to commit any changes to the kernel. If I only discovered it today, it's because I looked at the code: this option was not documented in the manpage.

However, I think that the letter chosen for this option (-t) is not very accurate:

- I'm also looking for a way to restore only a particular table, and I cannot think of another option than
  # iptables-restore -t table
  to do that
- This kind of test option should (I need it) be transposed to the iptables command as well (it's quite useful to test the syntax and the proper loading/availability of matches without applying real changes). And of course, the iptables -t switch is already taken... It would be better for homogeneity if both commands had the same option letter.

What I would suggest is:

- implementing this test mechanism at a higher level (in the iptc library) by adding a nocommit variable to the structure, and getting iptables and iptables-restore to take advantage of it (I guess it's the only proper way to do it for iptables, as libiptc itself already calls iptc_commit internally at several places, so preventing iptables.c from calling iptc_commit would not be enough).
- adding a common switch to these two commands (iptables and iptables-restore), one that is not already taken by iptables, of course. Why not -S, --simulate?

As far as backward compatibility with iptables-restore is concerned, I don't think turning -t/--test into -S/--simulate and adding -t/--table would be very harmful, as I suspect the number of people using this undocumented feature can be counted on the fingers of my hand.

Conclusion: if no one stands up and shouts against this proposal within the next two days, expect a patch very soon.

Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_  WallFire project: http://www.wallfire.org/
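The workflow the message describes, as an added shell example that is not part of the message or of the netfilter project: a generated iptables-save file is dry-run with `iptables-restore -t` (the test option the message refers to, which only parses the file and builds the ruleset without committing to the kernel) and is applied only if that check passes. The sample ruleset is constructed for the example; the function names are assumptions, and the privilege-free `*`/`COMMIT` balance check is a convenience added here, not something iptables-restore itself exposes.

```shell
#!/bin/sh
# Added example (not from the message or the netfilter project): dry-run a
# generated iptables-save file with `iptables-restore -t` before committing it.
# `-t` only parses the file and loads the matches/targets; nothing reaches
# the kernel tables.

# Write a small constructed ruleset in iptables-save format to the given path.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Cheap structural check that needs no privileges (added convenience, not an
# iptables feature): every table block opened with "*name" must be closed by
# a COMMIT line, otherwise the restore would fail halfway through.
check_commit_balance() {
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT$' "$1" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Full check: parse the file and load every match/target without committing.
# Needs iptables-restore and the same privileges a real restore would need.
check_ruleset() {
    check_commit_balance "$1" || { echo "$1: unbalanced */COMMIT" >&2; return 1; }
    iptables-restore -t < "$1"
}

# Apply the ruleset only after the dry run succeeded.
apply_ruleset() {
    check_ruleset "$1" || { echo "refusing to apply $1: check failed" >&2; return 1; }
    iptables-restore < "$1"
}
```

Usage on a host with iptables: `write_sample_ruleset /tmp/ruleset.v4 && apply_ruleset /tmp/ruleset.v4` (the path is a placeholder). Because `iptables-restore -t` still initialises libiptc against the live table, it has to run with the same capabilities as the real restore; the balance check is the only part that can run unprivileged, for instance in a build step that produces the file.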