From: Herve Eychenne <rv@wallfire.org>
To: Henrik Nordstrom <hno@marasystems.com>
Cc: Netfilter Development <netfilter-devel@lists.netfilter.org>
Subject: Re: iptables and iptables-restore syntactic testing
Date: Sun, 22 Aug 2004 21:53:17 +0200
Message-ID: <20040822195317.GH4883@eychenne.org>
In-Reply-To: <Pine.LNX.4.61.0408210203240.8001@filer.marasystems.com>

On Sat, Aug 21, 2004 at 02:09:55AM +0200, Henrik Nordstrom wrote:

> On Fri, 20 Aug 2004, Herve Eychenne wrote:

> >I just discovered iptables-restore -t today. It is exactly what I was
> >looking for, a means to validate the iptables-save file format (possibly
> >generated by a tool like wallfire) without having to commit any changes
> >to the kernel.

> Please note that this is not 100% true. It will still trigger loading of 
> the specified table modules if not already loaded.

> Meaning that if you run "iptables-restore -t" on a ruleset including a 
> *nat table then iptable_nat will be loaded if it was not before.

I had already thought about this, and considered it not very harmful,
if documented.
But I had forgotten conntrack, which can be annoying because of the
performance penalty. You're absolutely right.
So the solution might be to track each kernel module insertion and unload
modules that were not inserted before on exit. A little heavy, but I
see no other way to test line validity as much as possible.
And we could even add an option that would test without inserting
kernel modules, if lighter testing is desired.

> >- I'm also looking for a way to restore only a particular table, and I
> > cannot think of another option than
> > # iptables-restore -t table
> > to do that

> Just limit your input to the table you want to test.

Yes, but when you have a complete ruleset as a base, that requires
sed/awk/perl preprocessing. I agree that is not much of a problem by
itself, but if we can avoid that by adding only a very few lines of
code to iptables-restore, why not do it?

 Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_ WallFire project:  http://www.wallfire.org/
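The two points raised in the message above (a syntax check with "iptables-restore -t" autoloads table modules such as iptable_nat and, through it, conntrack; and testing a single table from a complete iptables-save dump needs preprocessing) can both be handled from the shell today. The script below is an added example written for this page; it is not code from the thread, from iptables or from WallFire. It snapshots the module list before and after the check and unloads whatever the check pulled in, and it extracts one "*table ... COMMIT" section from a full dump so only that table is fed to the checker. The function names (module_names, newly_loaded, extract_table, check_ruleset) and the lsmod/iptables-save sample lines in the comments are mine and purely illustrative.

```shell
#!/bin/sh
# Added example, not part of the original thread: wrap "iptables-restore -t"
# so that kernel modules autoloaded by the syntax check are removed again,
# and test a single table out of a complete iptables-save dump.

# Read lsmod-style output on stdin, print the module names (first column,
# header line dropped) sorted in a locale-independent order.
module_names() {
    awk 'NR > 1 { print $1 }' | LC_ALL=C sort
}

# Given two files produced by module_names (before, after), print the
# modules that appear only in "after", i.e. those loaded in between.
newly_loaded() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Extract one table from an iptables-save dump on stdin: everything from
# the "*<table>" line up to and including that table's COMMIT line.
# Example (constructed dump): extract_table nat < ruleset.txt
extract_table() {
    awk -v t="$1" '
        $0 == "*" t { keep = 1 }
        keep { print }
        keep && $0 == "COMMIT" { exit }
    '
}

# Run "iptables-restore -t" on a ruleset file (optionally on one of its
# tables only), then unload every module the check caused to be loaded.
# Needs root; iptables-restore's own exit status is returned.
check_ruleset() {
    file=$1 table=$2
    before=$(mktemp) after=$(mktemp)
    trap 'rm -f "$before" "$after"' EXIT
    lsmod | module_names > "$before"
    if [ -n "$table" ]; then
        extract_table "$table" < "$file" | iptables-restore -t
    else
        iptables-restore -t < "$file"
    fi
    status=$?
    lsmod | module_names > "$after"
    # modprobe -r resolves dependency order (e.g. iptable_nat before
    # nf_conntrack) and refuses modules that are still in use.
    newly_loaded "$before" "$after" | xargs -r modprobe -r
    return $status
}
```

Usage: "check_ruleset /etc/iptables.rules nat" tests only the nat table and then removes, for instance, iptable_nat and the conntrack module it dragged in, provided nothing else has taken a reference on them in the meantime. The before/after snapshot is not atomic, so a module loaded by an unrelated process during the check would be unloaded too; on a box where that matters, compare against a pinned list of "modules that must stay" before calling modprobe -r.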

Thread overview: 4+ messages
2004-08-20 16:57 iptables and iptables-restore syntactic testing Herve Eychenne
2004-08-21  0:09 ` Henrik Nordstrom
2004-08-22 19:53   ` Herve Eychenne [this message]
2004-08-25  8:27 ` Martin Josefsson