Native support of counting rules?

Native support of counting rules?

[Aaron Lewis]

Hi,
    I want to know if I could get how many rules are present, i.e in
    filter table?

    Now I do `iptables -L | wc -l` like stuff, I know it's not right,
    but iptables itself doesn't seem to count rules anyway.

    I need this just to let user to know how many rules are present,
    without root privileges, and now being able to view actual rules.

-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

Re: Native support of counting rules?

[Eliezer Croitoru]

Hey Aaron,

I feel kind of odd but this should answer you:
http://linux.die.net/man/8/iptables
www.garron.me/linux/iptables-manual.html

Eliezer

On 1/2/2013 3:48 PM, Aaron Lewis wrote:
> Hi,
>      I want to know if I could get how many rules are present, i.e in
>      filter table?
>
>      Now I do `iptables -L | wc -l` like stuff, I know it's not right,
>      but iptables itself doesn't seem to count rules anyway.
>
>      I need this just to let user to know how many rules are present,
>      without root privileges, and now being able to view actual rules.
>

Re: Native support of counting rules?

[Aaron Lewis]

Just FYI,

I'm not in a hurry .. for now I did a little tweak to the iptables
program and accomplished this.

libiptc isn't in a stable state, right?

On Wed, Jan 2, 2013 at 9:48 PM, Aaron Lewis <the.warl0ck.1989@gmail.com> wrote:
> Hi,
>     I want to know if I could get how many rules are present, i.e in
>     filter table?
>
>     Now I do `iptables -L | wc -l` like stuff, I know it's not right,
>     but iptables itself doesn't seem to count rules anyway.
>
>     I need this just to let user to know how many rules are present,
>     without root privileges, and now being able to view actual rules.
>
> --
> Best Regards,
> Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ )
> Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E



-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

[SOLVED] Re: Native support of counting rules?

[Aaron Lewis]

Already checked the manual on my system ... there's no counting
support, the only thing relevant was --line-numbers,

My code is here, for anyone who needed

https://raw.github.com/CaledoniaProject/ipt_counting/master/ipt-count.c

I just hope one day such feature would be included officially.


On Wed, Jan 2, 2013 at 9:58 PM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
> Hey Aaron,
>
> I feel kind of odd but this should answer you:
> http://linux.die.net/man/8/iptables
> www.garron.me/linux/iptables-manual.html
>
> Eliezer
>
>
> On 1/2/2013 3:48 PM, Aaron Lewis wrote:
>>
>> Hi,
>>      I want to know if I could get how many rules are present, i.e in
>>      filter table?
>>
>>      Now I do `iptables -L | wc -l` like stuff, I know it's not right,
>>      but iptables itself doesn't seem to count rules anyway.
>>
>>      I need this just to let user to know how many rules are present,
>>      without root privileges, and now being able to view actual rules.
>>
>



-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

Re: [SOLVED] Re: Native support of counting rules?

[Jan Vales]

Hi,

why dont you use ...
iptables-save | grep "\-A" | wc -l

lg
~Jan


On 03/01/13 15:13, Aaron Lewis wrote:
> Already checked the manual on my system ... there's no counting
> support, the only thing relevant was --line-numbers,
> 
> My code is here, for anyone who needed
> 
> https://raw.github.com/CaledoniaProject/ipt_counting/master/ipt-count.c
> 
> I just hope one day such feature would be included officially.
> 
> 
> On Wed, Jan 2, 2013 at 9:58 PM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
>> Hey Aaron,
>>
>> I feel kind of odd but this should answer you:
>> http://linux.die.net/man/8/iptables
>> www.garron.me/linux/iptables-manual.html
>>
>> Eliezer
>>
>>
>> On 1/2/2013 3:48 PM, Aaron Lewis wrote:
>>>
>>> Hi,
>>>      I want to know if I could get how many rules are present, i.e in
>>>      filter table?
>>>
>>>      Now I do `iptables -L | wc -l` like stuff, I know it's not right,
>>>      but iptables itself doesn't seem to count rules anyway.
>>>
>>>      I need this just to let user to know how many rules are present,
>>>      without root privileges, and now being able to view actual rules.
>>>
>>
> 
> 
> 

Re: [SOLVED] Re: Native support of counting rules?

[Jan Engelhardt]

On Thursday 2013-01-03 15:56, Jan Vales wrote:

>Hi,
>
>why dont you use ...
>iptables-save | grep "\-A" | wc -l

grep ^-A

But the foremost question is: how is the rule count alone going to be 
useful?

Re: [SOLVED] Re: Native support of counting rules?

[Jan Vales]

On 03/01/13 17:05, Jan Engelhardt wrote:
> On Thursday 2013-01-03 15:56, Jan Vales wrote:
> 
>> Hi,
>>
>> why dont you use ...
>> iptables-save | grep "\-A" | wc -l
> 
> grep ^-A
> 
> But the foremost question is: how is the rule count alone going to be 
> useful?
> 

I dont think its useful at all - I just like stats and wanted to help ;)

Especially with OP's requirement to allow non-root users to view this count.
Therefore know that/when you changed something.

lg
~Jan

Re: [SOLVED] Re: Native support of counting rules?

[Eliezer Croitoru]

Since iptables are kind of static I think a simple script should be good 
enough.

A one liner should do the trick:
tables="filter nat raw mangle";counter="0"; for i in $tables; do 
add=`iptables -t $i -L -n --line-numbers |egrep "^[0-9]+\ " |wc -l`; 
counter=`expr $counter + $add`;done ;echo $counter

You dont need to read the proc file system to know that there are only 
four tables exits in iptables.

Just remind me why do we need another tool on-top all the existing ones?
But I do seem to understand what you mean by that there is no option to 
just count the number of rules in a table.
if you really want to to be used as a command just restrict the script 
to execution only..
This is why permissions do exist.

Best regards,
Eliezer

On 1/3/2013 4:13 PM, Aaron Lewis wrote:
> Already checked the manual on my system ... there's no counting
> support, the only thing relevant was --line-numbers,
>
> My code is here, for anyone who needed
>
> https://raw.github.com/CaledoniaProject/ipt_counting/master/ipt-count.c
>
> I just hope one day such feature would be included officially.
>
>
> On Wed, Jan 2, 2013 at 9:58 PM, Eliezer Croitoru <eliezer@ngtech.co.il> wrote:
>> Hey Aaron,
>>
>> I feel kind of odd but this should answer you:
>> http://linux.die.net/man/8/iptables
>> www.garron.me/linux/iptables-manual.html
>>
>> Eliezer
>>
>>
>> On 1/2/2013 3:48 PM, Aaron Lewis wrote:
>>>
>>> Hi,
>>>       I want to know if I could get how many rules are present, i.e in
>>>       filter table?
>>>
>>>       Now I do `iptables -L | wc -l` like stuff, I know it's not right,
>>>       but iptables itself doesn't seem to count rules anyway.
>>>
>>>       I need this just to let user to know how many rules are present,
>>>       without root privileges, and now being able to view actual rules.
>>>
>>
>
>
>

-- 
Eliezer

Re: [SOLVED] Re: Native support of counting rules?

[Born Without]

On 04.01.2013 06:02, Eliezer Croitoru wrote:
> Since iptables are kind of static I think a simple script should be good
> enough.
>
> A one liner should do the trick:
> tables="filter nat raw mangle";counter="0"; for i in $tables; do
> add=`iptables -t $i -L -n --line-numbers |egrep "^[0-9]+\ " |wc -l`;
> counter=`expr $counter + $add`;done ;echo $counter
>
> You dont need to read the proc file system to know that there are only
> four tables exits in iptables.

That is not true.
There also is the security table.
And if you have xtables-addons installed, there might also be the 
rawpost table.
But any of those might not be loaded, if compiled in as loadable module.
So you might need to read /proc/net/ip_tables_names to work only on 
existing tables, without loading unwanted/needed ones.

[...]

Re: [SOLVED] Re: Native support of counting rules?

[Born Without]

On 03.01.2013 18:27, netfilter-owner@vger.kernel.org wrote:
> On 03/01/13 17:05, Jan Engelhardt wrote:
>> On Thursday 2013-01-03 15:56, Jan Vales wrote:
>>
>>> Hi,
>>>
>>> why dont you use ...
>>> iptables-save | grep "\-A" | wc -l
>>
>> grep ^-A
>>
>> But the foremost question is: how is the rule count alone going to be
>> useful?
>>
>
> I dont think its useful at all - I just like stats and wanted to help ;)
>
> Especially with OP's requirement to allow non-root users to view this count.
> Therefore know that/when you changed something.

you can swap the whole ruleset, as long as the total count of rules 
stays the same, this test won't detect it, therefore is totally 
unreliable. Nothing but stats, yes.

Re: [SOLVED] Re: Native support of counting rules?

[Eliezer Croitoru]

On 1/4/2013 7:39 AM, Born Without wrote:
> That is not true.
> There also is the security table.
> And if you have xtables-addons installed, there might also be the
> rawpost table.
> But any of those might not be loaded, if compiled in as loadable module.
> So you might need to read /proc/net/ip_tables_names to work only on
> existing tables, without loading unwanted/needed ones.
>
> [...]

You can read For these specific cases.
But still it's not changing the basic concept which you don't need a new 
binary to do all the above just add:
tables=`cat /proc/net/ip_tables_names`

He do have a point that adding this option he seeks is such a simple 
task and can be added into iptables as a simple --rules-count or any 
other directive.

I really don't know why and how this system works so if a binary works 
it's fine by me.

The distance between the Binary file and this script is portability and 
complexity.

Regards,
Eliezer