From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: "Taylor, Grant" <gtaylor@riverviewtech.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: feature request
Date: Thu, 14 Apr 2005 15:37:04 -0300
Message-ID: <425EB850.1060506@solutti.com.br>
In-Reply-To: <425EB3F5.5020003@riverviewtech.net>
Guys, how about using the new comment module to make grepping
easy ???? Instead of grepping the rule's parameters, you can include a
unique ID as a comment in your rule and simply grep for it !!! What do
you think ??
iptables -I FORWARD -i eth0 -o ppp0 -p tcp -s 12.34.56.78 -d 10.20.30.40 \
  -m state --state NEW,ESTABLISHED \
  -m time --timestart 08:00 --timestop 15:45 --days Mon,Wed,Fri \
  -m comment --comment "my_super_crazy_rule" -j ACCEPT
[root@correio ~]# iptables -nL FORWARD -v | grep my_super_crazy_rule | wc -l
1
[root@correio ~]# iptables -nL FORWARD -v | grep my_nonexistant_super_crazy_rule | wc -l
0
[root@correio ~]#
Sincerely,
Leonardo Rodrigues
Taylor, Grant wrote:
>> more? Why not return failure and say "rule already loaded?" It's not a
>> criticism, I just want to understand why I can need more than 1 of the
>> same rule for 1 chain.
>
>
> I'm just guessing here but I'd be willing to bet that the actual
> kernel space of IPTables is more like a database that gets traversed
> in kernel space. The iptables command line tool is probably a
> user-land tool for listing, inserting, updating, and deleting entries
> in that database. I'd say that to make things simpler the kernel does
> not do any checking to make sure that a rule is distinct, as there is
> no harm in having multiple identical rules save for the fact that it
> is an additional rule to traverse. The iptables command line tool was
> not written to do any checking either, as it is not required and this
> would probably complicate things quite a bit more.
>
>> So, I'd prefer to write something similar to init scripts, where I have
>> to remember the state of each loaded rule: is it loaded or not. But here
>> there are other problems: what if I manually add/delete a rule? This
>> should not happen if I have 'my super system', but it's life... so
>> again I have to reinvent the wheel.
>
>
> You might try taking a look at iptables-save and iptables-restore
> respectively. From the output of iptables-save it looks like all the
> lines that it generates would go directly after the iptables command.
> I.e. if you would normally type:
>
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> You would see the following in the iptables-save output:
>
> -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> I'd be willing to bet that it is easier to parse this output than the
> normal iptables output for what you are doing. Take a look at it and
> see if it will work for you.
>
>
>
> Grant. . . .
>
>
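The two suggestions in this message, Leonardo's unique comment tag and Grant's advice to parse iptables-save output instead of `iptables -nL`, combined into a script that only inserts a rule when its tag is absent. This is an added example, not code from either poster; the dump, the function names and the IPTABLES variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: find rules by a unique comment tag
# in iptables-save output (Grant's suggestion) rather than in `iptables -nL`
# (Leonardo's grep). The dump below is constructed; it is not from a real host.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -p tcp -s 12.34.56.78 -d 10.20.30.40 -m state --state NEW,ESTABLISHED -m comment --comment "my_super_crazy_rule" -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -p tcp -s 12.34.56.78 -d 10.20.30.40 -m state --state NEW,ESTABLISHED -m comment --comment "my_super_crazy_rule" -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -m comment --comment my_super_crazy_rule_v2 -j DROP
-A INPUT -p tcp --dport 22 -m comment --comment "my_super_crazy_rule" -j ACCEPT
COMMIT'
# Tags are limited to a safe alphabet so they can be embedded in a regex and
# on the iptables command line without quoting surprises (this example's rule).
valid_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,256}$'
}

# count_tagged_rules CHAIN TAG DUMP: print how many rules in CHAIN carry the
# comment TAG. iptables-save may write the comment with or without quotes,
# and a bare substring grep would also hit "my_super_crazy_rule_v2", so the
# tag is matched as a whole token in both forms. Exit 0 even for a count of 0.
count_tagged_rules() {
  valid_tag "$2" || { echo "invalid tag: $2" >&2; return 2; }
  printf '%s\n' "$3" \
    | grep -Ec -- "^-A $1 .*-m comment --comment (\"$2\"|$2) " || [ $? -eq 1 ]
}

# rule_loaded CHAIN TAG DUMP: exit 0 if at least one tagged rule exists,
# 1 if none, 2 if the tag is malformed.
rule_loaded() {
  n=$(count_tagged_rules "$1" "$2" "$3") || return 2
  [ "$n" -gt 0 ]
}

# ensure_rule CHAIN TAG DUMP RULE_ARGS...: insert the rule only when its tag
# is absent, which is what makes a boot script safe to re-run. The binary is
# taken from $IPTABLES (default iptables); set IPTABLES=echo for a dry run.
ensure_rule() {
  st=0; rule_loaded "$1" "$2" "$3" || st=$?
  [ "$st" -eq 2 ] && return 2
  if [ "$st" -eq 0 ]; then
    echo "rule '$2' already loaded in $1, nothing to do"; return 0
  fi
  chain=$1; tag=$2; shift 3
  "${IPTABLES:-iptables}" -I "$chain" -m comment --comment "$tag" "$@"
}

count_tagged_rules FORWARD my_super_crazy_rule "$SAMPLE_DUMP"             # 2 (duplicate!)
count_tagged_rules FORWARD my_nonexistant_super_crazy_rule "$SAMPLE_DUMP" # 0
```

On a live host pass `"$(iptables-save)"` as the DUMP argument; modern iptables additionally offers `-C`/`--check`, which tests for an exact rule without any grepping.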