* A Proper Syntax For iptables?
@ 2002-09-22 14:54 caogdin
  2002-09-22 15:28 ` Jim Fleming
  0 siblings, 1 reply; 5+ messages in thread
From: caogdin @ 2002-09-22 14:54 UTC (permalink / raw)
  To: netfilter

Like many other novices in this list, I've struggled with understanding 
iptables for several months.  Oskar Andreasson's tutorial has been a good 
guide...and, yet, I feel there's much I don't know about how iptables works, 
so there's much of iptables/netfilter I'm not using.  Many people here 
have helped me develop my current (vague) understanding, but a successful 
software product (even an "open source" product) can't rely on one-on-one 
handholding with newbies to attract a following.

Is it important to Rusty and other experts in this forum, to see iptables 
more widely adopted?  It is important to see if we could lay plans for 
making iptables easier for people to adopt and use in the future.  If so, 
I've an idea, and I'll try to keep it brief, but I do want to present some 
background.

iptables--to my mind--implements a language of packet handling.  A 
language is defined by 1) syntax, 2) semantics, and 3) pragmatics.  The 
syntax represents the rules of how valid, meaningful statements in the 
language are made; semantics describe the meanings of those statements, and 
pragmatics are the rules of how special situations are handled (e.g., how 
one statement affects another, or how special variations on the syntax 
rules are built).

iptables appears to me to have a broad and ill-defined syntax (e.g., you 
can construct statements that are not meaningful), requires deep 
understanding of packets and routing to effectively apply (i.e., 
ill-defined semantics), and has a massive set of pragmatics (e.g., don't 
filter in PREROUTING or POSTROUTING chains, even though the syntax allows 
it).  That makes the language--and its underlying concepts--hard to 
master.  It also makes the code more complex, both as I read it, and as 
the authors have annotated in source-code comments.  It seems to me that 
much of the complexity in the code itself originates in lack of 
"filtering" of legitimately-structured commands in the syntax.  (Think of 
syntax as a firewall of meaning  :-)  ).

I propose a reversal of that pattern:  I'd like to see if we could, 
collectively, define a robust, formally-defined syntax which virtually 
prohibits people from making statements that are meaningless (i.e., which 
netfilter cannot legitimately interpret).  Then, the semantics become more 
"exposed," in that people just learning can be informed not only what isn't 
acceptable, but why it's not acceptable, which would materially improve 
error messages to provide feedback that educates.  Finally, the remaining 
(few) pragmatics would take care of the special cases that are difficult or 
impossible to represent in syntactic rules.

For starters, I'd suggest we develop a formal syntax that's a legitimate 
subset of what's permitted by current iptables versions today, but which 
experts know represents the practical possibilities.  That would help 
people understand what they can legitimately write on an iptables command 
line, even though the program will accept others.  That may mean, in the 
short term, having a unique syntax for each kind of command.  Then, once 
that's done, we could develop a "Version 2" of the syntax that is even 
more well-structured and which could serve as a guide for developing a 
future implementation that is more robust, more easily documented, meets 
even more users' requirements, and becomes more widely adopted.

Does this sound like a legitimate endeavor of this list (should it be a 
different list)?  Would it be valuable to the developers of 
iptables/netfilter to have this input?  Is it an effort that's worth your 
time?

--Carol Anne 
Carol Anne Ogdin
http://www.net-working.com
530/295-3657
Deep Woods Technology, Inc.
http://www.deepwoods.com
CAOgdin@deepwoods.com
Leveraging technology to restore the soul of the organization
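An added illustration of the "syntax as a firewall of meaning" idea in the message above (my own Python sketch, not code from this thread or from the netfilter project): it encodes a few of the pragmatics Carol Anne mentions, such as no filtering verdicts in the nat table's PREROUTING/POSTROUTING chains, as explicit table/chain/target constraints, and rejects a rule that violates them with a message saying why. The tables of chains and targets are a deliberately narrow, constructed subset of what real iptables accepts, and only the table, chain and target options are parsed.

```python
# Added illustration, not code from the thread or from netfilter: a checker for
# a deliberately narrow, constructed subset of iptables rule syntax. Pragmatics
# become explicit table -> chain -> target constraints with explanatory errors.
import shlex

TABLES = {  # built-in tables and the chains they contain (constructed subset)
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}
# Targets meaningful per table: verdicts in filter, rewriting in nat, marking in mangle.
TARGETS = {
    "filter": {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"},
    "nat": {"DNAT", "SNAT", "MASQUERADE", "REDIRECT", "ACCEPT", "RETURN"},
    "mangle": {"MARK", "TOS", "TTL", "ACCEPT", "RETURN"},
}
# Rewriting targets only make sense at one end of the packet's path.
CHAIN_ONLY = {
    "DNAT": {"PREROUTING", "OUTPUT"}, "REDIRECT": {"PREROUTING", "OUTPUT"},
    "SNAT": {"POSTROUTING"}, "MASQUERADE": {"POSTROUTING"},
}

def check_rule(cmdline):
    """Return (ok, message) for one iptables command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "iptables":
        return False, "not an iptables command"
    opts, i = {}, 1
    while i < len(argv):
        if argv[i] in ("-t", "-A", "-I", "-D", "-j") and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1  # match options (-p, -s, --dport, ...) are not validated here
    table = opts.get("-t", "filter")
    chain = opts.get("-A") or opts.get("-I") or opts.get("-D")
    target = opts.get("-j")
    if table not in TABLES:
        return False, f"unknown table {table!r}"
    if chain not in TABLES[table]:
        return False, f"chain {chain!r} does not exist in table {table!r}"
    if target is None:
        return True, "ok (no target: the rule only counts matching packets)"
    if target not in TARGETS[table]:
        return False, f"target {target!r} is not meaningful in table {table!r}"
    if target in CHAIN_ONLY and chain not in CHAIN_ONLY[target]:
        return False, f"{target} only makes sense in {sorted(CHAIN_ONLY[target])}"
    return True, "ok"
```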

* Re: A Proper Syntax For iptables?
  2002-09-22 14:54 A Proper Syntax For iptables? caogdin
@ 2002-09-22 15:28 ` Jim Fleming
  2002-09-22 16:46   ` Sascha Reissner
  2002-09-22 18:02   ` Anders Fugmann
  0 siblings, 2 replies; 5+ messages in thread
From: Jim Fleming @ 2002-09-22 15:28 UTC (permalink / raw)
  To: netfilter, caogdin

----- Original Message ----- 
From: caogdin@deepwoods.com 
Like many other novices in this list, I've struggled with understanding iptables for several months.
===

It might help if you separate NetFilter from iptables...

http://ipv8.dyn.ee/INFO/Papers/NetFilter/

* Re: A Proper Syntax For iptables?
  2002-09-22 15:28 ` Jim Fleming
@ 2002-09-22 16:46   ` Sascha Reissner
  2002-09-22 18:02   ` Anders Fugmann
  1 sibling, 0 replies; 5+ messages in thread
From: Sascha Reissner @ 2002-09-22 16:46 UTC (permalink / raw)
  To: Jim Fleming, netfilter, caogdin

From: "Jim Fleming" <JimFleming@ameritech.net>

> ----- Original Message -----
> From: caogdin@deepwoods.com
> Like many other novices in this list, I've struggled with understanding
> iptables for several months.
> ===
>
> It might help if you separate NetFilter from iptables...
>
> http://ipv8.dyn.ee/INFO/Papers/NetFilter/

I don't think that any strange ipv4++ (aka ipv5 or whatever nonsense came out
of your mind) might help someone who is not even familiar with the basics of
netfilter..

I would suggest the tutorials and HOWTOs at http://www.netfilter.org

--
mailto: sascha.reissner@toxicnet.de  -  http://www.fo0bar.org
contaminating the internet since 2001

* Re: A Proper Syntax For iptables?
  2002-09-22 15:28 ` Jim Fleming
  2002-09-22 16:46   ` Sascha Reissner
@ 2002-09-22 18:02   ` Anders Fugmann
  2002-09-22 21:16     ` Anders Fugmann
  1 sibling, 1 reply; 5+ messages in thread
From: Anders Fugmann @ 2002-09-22 18:02 UTC (permalink / raw)
  To: Jim Fleming; +Cc: netfilter

Jim Fleming wrote:
> ----- Original Message ----- 
> From: caogdin@deepwoods.com 
> Like many other novices in this list, I've struggled with understanding iptables for several months.
Not everyone brags about how dumb they are, but you just got off the scale.

/Anders Fugmann

* Re: A Proper Syntax For iptables?
  2002-09-22 18:02   ` Anders Fugmann
@ 2002-09-22 21:16     ` Anders Fugmann
  0 siblings, 0 replies; 5+ messages in thread
From: Anders Fugmann @ 2002-09-22 21:16 UTC (permalink / raw)
  To: Anders Fugmann; +Cc: netfilter

Anders Fugmann wrote:
> 
> Not everyone brags about how dumb they are, but you just got off the scale.
Please do ignore this mail.
I apologize for the content and for sending it. I read the previous 
posting too quickly, and thought this was Jim who wrote it.
I have written to Carol Anne Ogdin directly, and explained the error.

Sorry for the inconvenience.
Anders Fugmann
