From: Steven M Campbell <Netfilter@SCampbell.net>
To: netfilter@lists.netfilter.org
Subject: Re: remove duplicate rules
Date: Tue, 29 Nov 2005 14:28:06 -0500	[thread overview]
Message-ID: <438CABC6.80309@SCampbell.net> (raw)
In-Reply-To: <200511281750.30511.rob0@gmx.co.uk>

/dev/rob0 wrote:
> On Monday 2005-November-28 11:15, Derick Anderson wrote:
>   
>>>     I think you should manually check the existence of possible
>>>     duplicate before adding rule. Also you can do something like:
>>>
>>>     iptables -D INPUT -d 192.168.0.2/32 -i eth1 -j DROP
>>>     iptables -A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
>>>
>>>     Then you will never get duplicates.
>>>     But the first way is more correct.
>>>       
>
>   
>> Just don't use that method remotely.
>>     
>
> Sure, just do them as a single command separated by ";".
>   
It occurs to me that some rules may indeed be present multiple times in 
a table. For instance VOIP QOS, where you regularly take an action 
based on TOS fields on input and later alter the TOS fields and perhaps 
take that action again based on the same TOS field data, in which case 
the above might cause one to remove the wrong rule! IpTables is 
essentially a computer program; it is a sequence of events, not just an 
unordered list of rules. For myself, I would take much greater steps in 
the handling of rule insertion than just seeing if that rule exists 
somewhere in the INPUT table. It may work fine for even the majority of 
iptable sets, but it's definitely not a universal solution. The 
universal solution is to not put the extraneous rules in the table in 
the first place and, to do that programmatically, the iptables sets and 
the program altering the sets need to agree upon a structure that allows 
this.
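The order-sensitivity Steven describes is easy to see offline. The following script is an added example for this thread, not code posted by anyone on the list: it parses constructed `iptables-save` text (assumption: the usual `-A CHAIN <match> -j TARGET` line format), reports every rule spec that appears more than once in a chain together with its positions, and models what the quoted `iptables -D ...; iptables -A ...` pair does to a chain where the duplicate is intentional. `-D` with a rule spec removes only the first matching rule and `-A` appends at the end, so on the mangle chain the TOS match that was deliberately placed before the TOS rewrite ends up after it. Nothing here touches a live firewall.

```python
"""Find duplicate iptables rules per chain and show what "-D then -A"
does to rule order.  Added example for this thread, not code from the
list; it parses constructed iptables-save text and never runs iptables."""
from collections import defaultdict

# Constructed sample: an INPUT chain with an accidental duplicate, and a
# mangle PREROUTING chain where the same TOS match appears twice on
# purpose (before and after a TOS rewrite), as in the VoIP QoS case.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d 192.168.0.2/32 -i eth1 -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m tos --tos 0x10 -j MARK --set-mark 0x1
-A PREROUTING -p udp --dport 5060 -j TOS --set-tos 0x10
-A PREROUTING -m tos --tos 0x10 -j MARK --set-mark 0x1
COMMIT
"""

TOS_SPEC = "-m tos --tos 0x10 -j MARK --set-mark 0x1"


def parse_save(text):
    """Return {table: {chain: [rule_spec, ...]}} preserving rule order.

    Assumes iptables-save layout: '*table', ':CHAIN policy [p:b]',
    '-A CHAIN spec', 'COMMIT'.  Whitespace inside a spec is normalised so
    that textually different but equivalent lines compare equal."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            # Chain declaration: register it even if it ends up empty.
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, spec = line.split(" ", 2)
            tables[table][chain].append(" ".join(spec.split()))
    return tables


def find_duplicates(text):
    """Map (table, chain, spec) -> 1-based positions for specs that occur
    more than once in the same chain.  Report only; deciding whether a
    duplicate is a mistake needs knowledge of the rule set's intent."""
    positions = defaultdict(list)
    for table, chains in parse_save(text).items():
        for chain, rules in chains.items():
            for idx, spec in enumerate(rules, start=1):
                positions[(table, chain, spec)].append(idx)
    return {key: pos for key, pos in positions.items() if len(pos) > 1}


def simulate_delete_append(rules, spec):
    """Model `iptables -D CHAIN spec; iptables -A CHAIN spec`.

    -D with a rule spec deletes only the first matching rule; -A appends
    one copy at the end.  Returns the resulting chain order."""
    out = list(rules)
    if spec in out:
        out.remove(spec)  # list.remove drops the first occurrence, like -D
    out.append(spec)
    return out


if __name__ == "__main__":
    for (table, chain, spec), where in sorted(find_duplicates(SAMPLE_SAVE).items()):
        print(f"{table}/{chain}: {spec!r} at positions {where}")
    before = parse_save(SAMPLE_SAVE)["mangle"]["PREROUTING"]
    print("mangle PREROUTING before:", before)
    print("mangle PREROUTING after -D/-A:", simulate_delete_append(before, TOS_SPEC))
```

Run against the sample, the filter/INPUT duplicate is reported at positions 1 and 3, and the mangle chain goes from `[TOS match, TOS rewrite, TOS match]` to `[TOS rewrite, TOS match, TOS match]`: the rule that was supposed to mark packets arriving with the TOS already set now only runs after the rewrite, exactly the wrong-rule removal the message warns about. Reporting positions and leaving the decision to the program that owns the rule set is the conservative choice.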