From: Ozgur AKAN
Subject: prohibiting iptables to insert a rule twice
Date: Thu, 06 May 2004 11:47:05 +0300
Message-ID: <4099FB89.3000604@aiqa.com>
To: netfilter-devel@lists.netfilter.org

Hi,

I am working on a patch for iptables.c to prohibit inserting the same rule twice. Inserting the same rule twice does not cause any problems but also is not meaningful.

After the patch iptables will have an option to force the system to insert the rule twice, but by default it will check whether the rule is already inserted or not and will give a warning.

I think that checking the rule in the system may take too much time for systems with thousands of rules, so an option argument will be a good choice.

I wonder why this has not been done before. Please write your suggestions and thoughts.

thanks,
-- 
Ozgur Akan


From: Henrik Nordstrom
Subject: Re: prohibiting iptables to insert a rule twice
Date: Thu, 6 May 2004 13:21:28 +0200 (CEST)
In-Reply-To: <4099FB89.3000604@aiqa.com>
To: Ozgur AKAN
Cc: netfilter-devel@lists.netfilter.org

On Thu, 6 May 2004, Ozgur AKAN wrote:

> I am working on a patch for iptables.c to prohibit inserting the same
> rule twice. Inserting the same rule twice does not cause any problems but
> also is not meaningful.

This is only true for terminal rules. Non-terminal rules can be quite meaningful to have more than once in some situations.

Regards
Henrik


From: Ozgur AKAN
Subject: Re: prohibiting iptables to insert a rule twice
Date: Thu, 06 May 2004 14:38:03 +0300
Message-ID: <409A239B.2040409@aiqa.com>
To: Henrik Nordstrom
Cc: netfilter-devel@lists.netfilter.org

> Non-terminal rules can be quite meaningful to have more than once in some
> situations.

hmm.. can you please give an example? I can not imagine when it shall be meaningful.
-- 
Ozgur Akan


From: Henrik Nordstrom
Subject: Re: prohibiting iptables to insert a rule twice
Date: Thu, 6 May 2004 13:41:54 +0200 (CEST)
In-Reply-To: <409A239B.2040409@aiqa.com>
To: Ozgur AKAN
Cc: netfilter-devel@lists.netfilter.org

On Thu, 6 May 2004, Ozgur AKAN wrote:

> hmm.. can you please give an example? I can not imagine when it shall
> be meaningful.

One example is when the MARK target is used to set a mark that applies to a number of following rules:

    iptables -t mangle -j MARK --set-mark A
    [number of rules using mark A]
    iptables -t mangle -j MARK --set-mark B
    [number of rules using mark B]
    iptables -t mangle -j MARK --set-mark A
    [more rules using mark A]

I am not saying it is the best design, but still useful.
Regards
Henrik


From: Ozgur AKAN
Subject: Re: prohibiting iptables to insert a rule twice
Date: Thu, 06 May 2004 14:48:49 +0300
Message-ID: <409A2621.1020109@aiqa.com>
To: Ozgur AKAN
Cc: Henrik Nordstrom, netfilter-devel@lists.netfilter.org

Let's examine this situation:

    1 iptables -A INPUT -p tcp -d 10.1.1.2 --dport 80 -j ACCEPT
    2 iptables -A INPUT -m fuzzy --lower-limit 100 --upper-limit 1000 -j REJECT
    3 iptables -A INPUT -p tcp -d 10.1.1.2 --dport 80 -j ACCEPT

In the example above, the 3rd rule's byte/packet count is used to check how effectively the 2nd rule is used! This is a good example, I hope.

Then inserting the same rule afterwards is not meaningful, but inserting the same rule in another order may be meaningful!

-- 
Ozgur Akan


From: Henrik Nordstrom
Subject: Re: prohibiting iptables to insert a rule twice
Date: Thu, 6 May 2004 14:33:48 +0200 (CEST)
In-Reply-To: <409A2621.1020109@aiqa.com>
To: Ozgur AKAN
Cc: netfilter-devel@lists.netfilter.org

On Thu, 6 May 2004, Ozgur AKAN wrote:

> Then inserting the same rule afterwards is not meaningful, but inserting the same
> rule in another order may be meaningful!
I agree that the same rule immediately afterwards is not meaningful. But the more advanced functions are used, the less possible it is to automatically determine from a simple match that two seemingly identical rules are duplicates. Here is yet another:

    iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT
    [number of other rules]
    iptables -j MARK --set-mark 0x01
    [possibly a number of other rules]
    iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT

Only if the rule is using only simple matches not depending on other contexts, and terminal targets, can it be easily determined that two identical rules are duplicates and the second can not match.

Regards
Henrik


From: Ozgur Akan
Subject: Re: prohibiting iptables to insert a rule twice
Date: Thu, 06 May 2004 15:56:03 +0300
Message-ID: <409A35E3.2080706@aiqa.com>
To: Henrik Nordstrom
Cc: netfilter-devel@lists.netfilter.org

> iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT
> [number of other rules]
> iptables -j MARK --set-mark 0x01
> [possibly a number of other rules]
> iptables -m mark --mark 0x01 -d 10.0.0.1 -j ACCEPT

This example clears up the situation! I will work on the rules which are positioned one after another.

Thanks for brainstorming...

-- 
Ozgur Akan
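The two checks the thread converges on, written out as an added example (this is not code from the thread, from the proposed iptables.c patch, or from iptables itself). It reads iptables-save output rather than the live kernel table so it runs offline; the allowlists of "simple" matches (-s, -d, -p, -i, -o, tcp/udp/icmp port and type options) and of terminal targets (ACCEPT, DROP, REJECT, RETURN) are this example's own conservative assumptions, and the SAMPLE ruleset is constructed here, with its mangle and filter chains mirroring the MARK/--mark and fuzzy/REJECT examples from the messages above plus two adjacent duplicates. The default mode only compares a rule with the one directly before it in the same table and chain, which is the cheap check Ozgur decided to implement; whole_chain=True is the optional full scan, and it reports a non-adjacent twin only when the rule is simple and terminal, so the "-m mark" case with a MARK in between is never reported.

```python
"""Duplicate-rule checker over iptables-save output (added example).

Default mode: a rule identical to the one immediately before it in the same
table/chain is reported; "redundant" when its target is terminal (the second
copy can never match), "suspect" otherwise (e.g. a LOG rule that logs twice).
whole_chain mode: an earlier identical rule anywhere in the chain is reported
only when the rule uses stateless header/interface matches and a terminal
target; a MARK set between two "-m mark" rules can therefore not fool it.
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed allowlists (this example's own, not from iptables):
# targets that end chain traversal for a matching packet ...
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# ... and match modules/options whose inputs no target can change in-chain.
SIMPLE_MODULES = {"tcp", "udp", "icmp"}
SIMPLE_OPTS = {"-p", "-s", "-d", "-i", "-o", "--sport", "--dport",
               "--icmp-type", "--syn"}


@dataclass(frozen=True)
class Rule:
    table: str
    chain: str
    spec: Tuple[str, ...]   # tokens after "-A <chain>", as iptables-save prints them
    target: Optional[str]
    simple: bool            # True when every match is in the allowlists above
    lineno: int


def parse_rule(table: str, line: str, lineno: int) -> Optional[Rule]:
    """Parse one "-A CHAIN ..." line; other iptables-save lines give None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, spec = toks[1], tuple(toks[2:])
    target, simple, i = None, True, 0
    while i < len(spec):
        tok = spec[i]
        if tok == "-j":                      # everything after -j is target options
            target = spec[i + 1] if i + 1 < len(spec) else None
            break
        if tok == "-m":                      # match module, e.g. "-m mark"
            if i + 1 >= len(spec) or spec[i + 1] not in SIMPLE_MODULES:
                simple = False
            i += 2
            continue
        if tok.startswith("-") and tok not in SIMPLE_OPTS:
            simple = False                   # option of a context-dependent match
        i += 1
    return Rule(table, chain, spec, target, simple, lineno)


def find_duplicates(save_text: str, whole_chain: bool = False) -> List[Tuple[str, int, int]]:
    """Return (kind, earlier_line, later_line) for every redundant rule found."""
    findings: List[Tuple[str, int, int]] = []
    chains: Dict[Tuple[str, str], List[Rule]] = {}
    table = ""
    for lineno, line in enumerate(save_text.splitlines(), 1):
        if line.startswith("*"):             # "*filter", "*mangle": new table
            table = line[1:].strip()
            continue
        rule = parse_rule(table, line, lineno)
        if rule is None:
            continue
        earlier = chains.setdefault((rule.table, rule.chain), [])
        if earlier and earlier[-1].spec == rule.spec:
            kind = "redundant" if rule.target in TERMINAL_TARGETS else "suspect"
            findings.append((kind, earlier[-1].lineno, rule.lineno))
        elif whole_chain and rule.simple and rule.target in TERMINAL_TARGETS:
            # Linear scan per rule; only sound because nothing earlier in the
            # chain can alter the fields this rule matches on, and a packet
            # that matched the terminal twin never reaches this rule.
            for e in earlier:
                if e.spec == rule.spec:
                    findings.append(("redundant", e.lineno, rule.lineno))
                    break
        earlier.append(rule)
    return findings


def report(save_text: str, whole_chain: bool = False) -> List[str]:
    lines = save_text.splitlines()
    return [f"{kind}: line {b} repeats line {a}: {lines[b - 1]}"
            for kind, a, b in find_duplicates(save_text, whole_chain)]


# Constructed iptables-save style ruleset (not a real dump). Lines 3-6 and
# 10-12 mirror the thread's two examples; lines 13-16 add adjacent duplicates.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.1/32 -m mark --mark 0x1 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -j MARK --set-mark 0x1
-A PREROUTING -d 10.0.0.1/32 -m mark --mark 0x1 -j ACCEPT
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -d 10.1.1.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m fuzzy --lower-limit 100 --upper-limit 1000 -j REJECT
-A INPUT -d 10.1.1.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.0.2.7/32 -j DROP
-A INPUT -s 192.0.2.7/32 -j DROP
-A INPUT -j LOG --log-prefix "in: "
-A INPUT -j LOG --log-prefix "in: "
COMMIT
"""

if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- whole_chain={mode}")
        print("\n".join(report(SAMPLE, mode)))
```

Run against SAMPLE, the default mode reports lines 14 and 16 only; whole_chain=True additionally reports line 12 (the fuzzy example: line 10 already accepts every packet line 12 could match), and in both modes line 6 stays silent because "-m mark" is not a simple match. Later iptables releases gained "-C" (--check), which tells you whether an identical rule exists in a chain; it does not tell you whether that rule is redundant, which is the distinction this thread is about.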