From: Herve Eychenne
Subject: Re: iptables and iptables-restore syntaxical testing
Date: Sun, 22 Aug 2004 21:53:17 +0200
To: Henrik Nordstrom
Cc: Netfilter Development
Message-ID: <20040822195317.GH4883@eychenne.org>
References: <20040820165725.GG4883@eychenne.org>
List-Id: netfilter-devel.vger.kernel.org

On Sat, Aug 21, 2004 at 02:09:55AM +0200, Henrik Nordstrom wrote:

> On Fri, 20 Aug 2004, Herve Eychenne wrote:
>
> > I just discovered iptables-restore -t today. It is exactly what I was
> > looking for, a means to validate the iptables-save file format (possibly
> > generated by a tool like wallfire) without having to commit any changes
> > to the kernel.
>
> Please note that this is not 100% true. It will still trigger loading of
> the specified table modules if not already loaded.
>
> Meaning that if you run "iptables-restore -t" on a ruleset including a
> *nat table then iptable_nat will be loaded if it was not before.

I had already thought about this, and considered it not very harmful, if
documented.
But I had forgotten conntrack, which can be annoying, because of the
performance penalty. You're absolutely right.

So the solution might be to track each kernel module insertion and unload
modules that were not inserted before on exit.
A little heavy, but I see no other way to test line validity as much as
possible.
And we could even add an option that would test without inserting kernel
modules, if lighter testing is desired.
> > - I'm also looking for a way to restore only a particular table, and I
> >   cannot think of another option than
> >     # iptables-restore -t table
> >   to do that
>
> Just limit your input to the table you want to test.

Yes, but when you have a complete ruleset as a base, that requires
sed/awk/perl preprocessing.
I agree that is not much of a problem by itself, but if we can avoid that
by adding only a very few lines of code to iptables-restore, why not do it?

 Herve

-- 
 _
(°=        Hervé Eychenne
//)  v_/_  WallFire project: http://www.wallfire.org/
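An added example, not code from this thread, from iptables or from WallFire: a POSIX shell script that does by hand the two things discussed above. `extract_table` is the "sed/awk/perl preprocessing" that limits an iptables-save dump to one table, and `test_table` wraps `iptables-restore -t` with a before/after snapshot of `/proc/modules` so that any module the syntax check pulled in (such as `iptable_nat` and the conntrack modules behind it) is unloaded again on exit. It assumes `iptables-restore -t`, `/proc/modules`, `modprobe -r` and root; the iptables-save dump inside `sample_dump` is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread, iptables or WallFire.
#   extract_table - keep only one table of an iptables-save dump, so that
#                   "iptables-restore -t" can be fed a single table;
#   test_table    - run the syntax check, then unload every kernel module
#                   that the check pulled in (iptable_nat, conntrack, ...).
# Assumed environment: iptables-restore with -t, /proc/modules, modprobe -r,
# root privileges. The dump in sample_dump is constructed, not real output.

# Print the block of table $1 from an iptables-save dump read on stdin:
# the "*table" line, its chain policies and rules, and the closing COMMIT.
extract_table() {
    awk -v t="$1" '
        /^\*/      { in_t = (substr($0, 2) == t) }   # "*nat" opens a table
        in_t       { print }
        /^COMMIT$/ { in_t = 0 }                       # COMMIT closes it
    '
}

# Currently loaded kernel modules, one name per line, most recently
# loaded first (the order /proc/modules uses).
loaded_modules() {
    awk '{ print $1 }' /proc/modules
}

# Module names present in file $2 (after) but not in file $1 (before).
# grep -F -x -f does whole-line, fixed-string matching, so no sorting.
new_modules() {
    grep -v -x -F -f "$1" "$2"
}

# Syntax-test table $1 from dump file $2 and undo the module side effect.
# Returns the exit status of iptables-restore -t.
test_table() {
    table=$1
    file=$2
    before=$(mktemp) || return 1
    after=$(mktemp) || { rm -f "$before"; return 1; }

    loaded_modules > "$before"
    extract_table "$table" < "$file" | iptables-restore -t
    rc=$?
    loaded_modules > "$after"

    # Anything that appeared during the test was loaded for the test only.
    # modprobe -r also drops dependencies that are no longer in use, so a
    # module already removed that way simply fails quietly here.
    new_modules "$before" "$after" | while read -r mod; do
        modprobe -r "$mod" 2>/dev/null || true
    done

    rm -f "$before" "$after"
    return "$rc"
}

# Constructed iptables-save dump used as sample input.
sample_dump() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage as a script:  ./check.sh nat /etc/iptables.rules
if [ "$#" -eq 2 ]; then
    test_table "$1" "$2"
fi
```

Two caveats a practitioner should keep in mind. The snapshot approach only removes modules that were not loaded before the test, so a module another process loads during the same window would be unloaded too; run it on a quiet box or with the check serialised. And the side effect Henrik describes still happens: the table modules are loaded for the duration of the check, so any cost of loading conntrack is paid once even if it is undone afterwards. A mode that never inserts modules, as suggested above, would need support inside iptables-restore itself.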