prohibiting iptables to insert a rule twice

prohibiting iptables to insert a rule twice

[Ozgur AKAN]

[-- Attachment #1: Type: text/plain, Size: 627 bytes --]

Hi,
I am working on a patch for iptables.c to prohibit inserting the same 
rule twice. Inserting same rule twice does not cause any problems but 
also is not meaningful.

After the patch iptables will has an option to force the system to 
insert the rule twice but by default it will check whether the rule is 
already inserted or not and will give warning.

I think that checking the rule in the system may take too much time for 
systems with thousands of rules, so an option argument will be a good 
choice.

I wonder why this has not been done before. Please write your 
suggestions and thoughts.

thanks,

-- 
Ozgur Akan


[-- Attachment #2: Type: text/html, Size: 986 bytes --]

Re: prohibiting iptables to insert a rule twice

[Henrik Nordstrom]

On Thu, 6 May 2004, Ozgur AKAN wrote:

> I am working on a patch for iptables.c to prohibit inserting the same 
> rule twice. Inserting same rule twice does not cause any problems but 
> also is not meaningful.

This is only true for terminal rules.

non-terminal rules can be quite meaningful to have more than once in some 
situaions.

Regards
Henrik

Re: prohibiting iptables to insert a rule twice

[Ozgur AKAN]

>non-terminal rules can be quite meaningful to have more than once in some 
>situaions.
>  
>
hmm.. can you please give an example?  I can not imagine when it shall 
be meaningful.

-- 
Ozgur Akan

Re: prohibiting iptables to insert a rule twice

[Henrik Nordstrom]

On Thu, 6 May 2004, Ozgur AKAN wrote:

> hmm.. can you please give an example?  I can not imagine when it shall 
> be meaningful.

One example is when MARK target for the mark to apply for a number of
following rules:

iptables -t mangle -j MARK --set-mark A
[number of rules using mark A]
iptables -t mangle -j MARK --set-mark B
[number of rules using mark B]
iptables -t mangle -j MARK --set-mark A
[more rules using mark A]

I am not saying it is the best design, but still useful.

Regards
Henrik

Re: prohibiting iptables to insert a rule twice

[Ozgur AKAN]

Lets examine this stuation

1 iptables -A INPUT -p tcp -d 10.1.1.2 --dport 80 -j ACCEPT
2 iptables -A INPUT -m fuzzy --lower-limit 100 --upper-limit 1000 -j REJECT
3 iptables -A INPUT -p tcp -d 10.1.1.2 --dport 80 -j ACCEPT

by the example below 3th rule`s byte/packet count  is used to check how 
effective 2nd rule is used!

This is a good example, I hope.

Then inserting same rule afterwards is not meaningful but inserting same 
rule in other order my be meaningful!

-- 
Ozgur Akan

Re: prohibiting iptables to insert a rule twice

[Henrik Nordstrom]

On Thu, 6 May 2004, Ozgur AKAN wrote:

> Then inserting same rule afterwards is not meaningful but inserting same 
> rule in other order my be meaningful!

I agree that same rule immediately afterwards is not meaningful.

but the more advanced functions are used the less possible it is to 
automatically determine from a simple match that two seemingly identical 
rules are duplicates. Here is yet another

iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT
[number of other rules]
iptables -j MARK --set-mark 0x01
[possibly a number of other rules]
iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT

Only if the rule is only using simple matches not depending on other
contexts and terminal targets can it be easily determined that two
identical rules are duplicates and the second can not match.

Regards
Henrik

Re: prohibiting iptables to insert a rule twice

[Ozgur Akan]

>iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT
>[number of other rules]
>iptables -j MARK --set-mark 0x01
>[possibly a number of other rules]
>iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT
>
>  
>
this example clears the situation!

I will work on the rules which are positioned one after another.

thanks for brainstorming...

-- 
Ozgur Akan