Re: feature request

[`VL <vl.homutov@gmail.com>]

On Apr 8, 2005 4:00 PM, Timothy Earl <mehimx@gmail.com> wrote:
> Hi,
>
> I think to solve your problem you could work around it by using a series of
> awk grep and sed commands along with iptables -vL to test if your rule is
> loaded, presently that is how i get my current ip etc..
>
> man awk, man grep, man sed
>
> for example:
>
> EXTIP="`/sbin/ifconfig ppp0 | grep 'inet adr' | awk '{print $2}' | sed -e
> 's/.*$
>
> Regards,
>
> Tim

I do know that i can work around my problem with thousands of ways =)
. I was surprised that it is impossible with iptables just to test if
rule was loaded, i was sure option existed. One more question i have:
what is the reason to add rules, that already exists in chain more and
more? Why not return failure and say "rule already loaded?" It`s not a
critic, i just want to understand why i can need more than 1 same rule
for 1 chain.

Second, grepping & awking around output of iptables with certain
options doesn`t seem 'reliable' to me. I have to compare string like:

OUTPUT -o eth0 -p tcp -s 192.168.127.29 -d 192.168.127.30 -j ACCEPT
to:
0     0 ACCEPT     tcp  --  *      eth0    192.168.127.29
192.168.127.30

Not impossible, but not very pleasant. The more complex rule i will
have, the more pain. Additional parameters, for example mac addresses,
tcp flags - what will happen to my rule matching, based on shell, if i
add couple of new options to my rule?

So, i`d prefer to write something simular to init scripts, when i have
to remember state of each loaded rule: is it loaded or not. But here
there are other problems: what if i manually add/delete rule? this
should not happen if i have 'my super system', but it`s life... so
again i have to reinvent wheel.

And all of this can be solved by simple( well,i think so =))
modification. We can add -test option or we can return false while
trying to load rule, that already exists in the chain.