From: Radek Kanovsky <rk@dat.cz>
To: netfilter@vger.kernel.org
Subject: Re: iptables rules in comparable form
Date: Tue, 1 Jun 2010 18:47:57 +0200
Message-ID: <20100601164757.GC15745@q.uh.cz>
In-Reply-To: <4C050ADE.60403@chello.at>
On Tue, Jun 01, 2010 at 03:27:58PM +0200, Mart Frauenlob wrote:
> > are small but frequent. But primarily both solutions reset counters if
> > used and it is not good for me now. So I ended with script that does
> > incremental updates.
>
> iptables[-save/restore] have a -c switch to save/restore counters.
There is some ISP DB that produces XML config for router. XML config
is transformed to iptables-restore rules and stored in some /etc file.
There are also some hand written rules in /etc files controlled by admins.
I take all these files and prepare one big file which can be fed to
iptables-restore. Obviously without counters. So I take a snapshot
of the current ruleset via the "iptables-save -c" command. Now I have
two rulesets but I am not able to compare them because some write
destination ports with service names, some with port numbers.
Some versions of iptables-save produce "-j MARK 0x2f", some
"-j MARK --set-mark 0x2f". So "iptables-save -c" is useless for me
unless I have some normalization utility that transforms all rules
to some common comparable form. I have it and I am doing it right this
way. I am asking whether someone already does this or if there is some
more clever solution.
Regards
Radek Kanovsky
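The normalization Radek describes (strip the [pkts:bytes] counters, turn service names into port numbers, pick one canonical MARK syntax) as an added example in Python; this is not code from the original post or from the netfilter project. The two sample rulesets, the fallback service table and the chosen canonical forms are assumptions.

```python
import re
import socket
# Constructed sample "iptables-save -c" output (not from the original post).
SAVED = """\
*filter
:INPUT DROP [12:3456]
:FORWARD ACCEPT [0:0]
[10:800] -A INPUT -p tcp --dport ssh -j ACCEPT
[0:0] -A INPUT -p tcp --dport 80 -j MARK 0x2f
[3:200] -A INPUT -p udp --dport domain -j ACCEPT
COMMIT
"""
# Constructed ruleset generated for iptables-restore (no counters).
GENERATED = """\
*filter
:INPUT DROP
:FORWARD ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport http -j MARK --set-mark 0x2f
COMMIT
"""
# Fallback used only when the host has no /etc/services (constructed subset).
FALLBACK_SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}
COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]\s*")
PORT_RE = re.compile(r"(--(?:dport|sport)\s+)(\S+)")
MARK_RE = re.compile(r"-j MARK (?!--)(0x[0-9a-fA-F]+|\d+)\b")

def port_number(name, proto="tcp"):
    """Map a service name to its port number; numbers and ranges pass through."""
    if re.fullmatch(r"[\d:]+", name):
        return name
    try:
        return str(socket.getservbyname(name, proto))
    except OSError:
        return str(FALLBACK_SERVICES[name])

def normalize_rule(line):
    """Strip counters, use numeric ports and the long MARK form, squeeze spaces."""
    line = COUNTER_RE.sub(" ", line).strip()
    proto = re.search(r"-p\s+(\S+)", line)
    proto = proto.group(1) if proto else "tcp"
    line = PORT_RE.sub(lambda m: m.group(1) + port_number(m.group(2), proto), line)
    line = MARK_RE.sub(r"-j MARK --set-mark \1", line)
    return re.sub(r"\s+", " ", line)

def ruleset_diff(saved, generated):
    """Return (rules only in saved, rules only in generated) after normalization."""
    a = [normalize_rule(l) for l in saved.splitlines() if l.strip()]
    b = [normalize_rule(l) for l in generated.splitlines() if l.strip()]
    return [l for l in a if l not in b], [l for l in b if l not in a]
```

With the sample data the only difference reported is the hand-added UDP rule, so the live counters stay untouched while the generated file is checked against what is actually loaded.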
Thread overview: 15+ messages
2010-06-01 8:10 iptables rules in comparable form Radek Kanovsky
2010-06-01 8:50 ` Jan Engelhardt
2010-06-01 9:18 ` Mart Frauenlob
2010-06-01 11:25 ` Radek Kanovsky
2010-06-01 11:56 ` Jan Engelhardt
2010-06-01 16:03 ` Radek Kanovsky
2010-06-01 18:19 ` Jan Engelhardt
2010-06-01 18:35 ` Radek Kanovsky
2010-06-01 18:01 ` Radek Kanovsky
2010-06-01 18:26 ` Jan Engelhardt
2010-06-01 19:36 ` Radek Kanovsky
2010-06-01 20:29 ` Pieter Smit
2010-06-02 6:17 ` Radek Kanovsky
2010-06-01 13:27 ` Mart Frauenlob
2010-06-01 16:47 ` Radek Kanovsky [this message]