From: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
To: "Taylor, Grant" <gtaylor@riverviewtech.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: feature request
Date: Thu, 14 Apr 2005 15:37:04 -0300
Message-ID: <425EB850.1060506@solutti.com.br>
In-Reply-To: <425EB3F5.5020003@riverviewtech.net>
Guys, how about using the new comment module for making grepping
easy? Instead of grepping the rule's parameters, you can include a
unique ID as a comment in your rule and simply grep for it! What do
you think?
iptables -I FORWARD -i eth0 -o ppp0 -p tcp -s 12.34.56.78 -d 10.20.30.40 \
    -m state --state NEW,ESTABLISHED \
    -m time --timestart 08:00 --timestop 15:45 --days Mon,Wed,Fri \
    -m comment --comment "my_super_crazy_rule" -j ACCEPT

[root@correio ~]# iptables -nL FORWARD -v | grep my_super_crazy_rule | wc -l
1
[root@correio ~]# iptables -nL FORWARD -v | grep my_nonexistant_super_crazy_rule | wc -l
0
[root@correio ~]#
Sincerely,
Leonardo Rodrigues

Taylor, Grant wrote:
>> more? Why not return failure and say "rule already loaded?" It's not a
>> criticism, I just want to understand why I could need more than 1 of the same rule
>> in 1 chain.
>
>
> I'm just guessing here but I'd be willing to bet that the actual
> kernel space of IPTables is more like a database that gets traversed
> in kernel space. The iptables command line tool is probably a user
> land space tool for listing, inserting, updating, and deleting entries
> in that database. I'd say that to make things simpler the kernel does
> not do any checking to make sure that a rule is distinct as there is
> no harm in having multiple identical rules save for the fact that it
> is an additional rule to traverse. The iptables command line tool was
> not written to do any checking either as it is not required and this
> would probably complicate things quite a bit more.
>
>> So, I'd prefer to write something similar to init scripts, where I have
>> to remember the state of each loaded rule: is it loaded or not. But here
>> there are other problems: what if I manually add/delete a rule? This
>> should not happen if I have 'my super system', but it's life... so
>> again I have to reinvent the wheel.
>
>
> You might try taking a look at iptables-save and iptables-restore
> respectively. From the output of iptables-save it looks like all the
> lines that it generates would go directly after the iptables command.
> I.e. if you would normally type:
>
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> You would see the following in the iptables-save output:
>
> -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> I'd be willing to bet that it is easier to parse this output than the
> normal iptables output for what you are doing. Take a look at it and
> see if it will work for you.
>
>
>
> Grant. . . .
>
>
Thread overview (4+ messages):
2005-04-14 16:50 feature request `VL
2005-04-14 18:18 ` Taylor, Grant
2005-04-14 18:37 ` Leonardo Rodrigues Magalhães [this message]
2005-04-14 18:52 ` Taylor, Grant