From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: "Leonardo Rodrigues Magalhães" <leolistas@solutti.com.br>
Cc: netfilter@lists.netfilter.org
Subject: Re: feature request
Date: Thu, 14 Apr 2005 13:52:35 -0500
Message-ID: <425EBBF3.9090904@riverviewtech.net>
In-Reply-To: <425EB850.1060506@solutti.com.br>

> 
>    Guys, how about using the new comment module for making grepping easy 
> ???? Instead of grepping the rules parameters, you can include a unique 
> ID as a comment in your rule and simply grep for it !!! What do you 
> think ??

I've considered doing that myself for other projects.  But seeing as how I did not have any real solution / method for doing so already I did not want to propose it yet.  I'm thinking of using it for more of a "system" that would manage all your rules, not unlike SysV Init scripts, for you.  You would then go through that interface and work with iptables.  I know that whatever I end up coming up with I'll end up using some sort of numeric identifiers for the rules to be matched against so it is easier to machine parse.  I'll probably end up using a comment of something like this ':<numeric ID>:<free text comment>'.  This way the machine parseable identifier is there in the form of ':<numeric ID>:' where it will be easy to find on the line.  The <numeric ID> will be at the start of the comments and starting at about the same column on screen while still allowing for free text comments (or as free as comment will allow itself, just a bit shorter) thus making it easier to search for a specific <numeric ID> visually, vs having it at the end of the comment which would make location of the <numeric ID> of the rule depend on the length of the free text.  Seeing as how comment is a relatively new match extension and not all systems have it in the kernel this system would be valid for new and patched kernels only.  Whereas something that would parse the output of iptables(|-save) would be more backwards compatible.

I personally am EXTENSIVELY using the comment match extension, as well as planning on using TARPIT targets (that is a sticky subject unto itself.  Pun intended.  :P  )



Grant. . . .
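The ':<numeric ID>:<free text>' comment scheme discussed in the message, worked through as an added example (not code from the thread or from the netfilter project): it parses the text format that iptables-save emits, pulls the numeric ID out of each `-m comment --comment` match, indexes the rules by that ID, and flags the two things a rule-management tool has to notice, rules with no ID and IDs used more than once. The ruleset below is constructed for the example; the rule names and helper functions are this example's own. The 256-byte comment limit comes from the xt_comment match.

```python
"""Index iptables rules by the numeric ID carried in their comment match.

Added example built around the ':<numeric ID>:<free text>' convention from
the thread. It consumes iptables-save output; the ruleset below is a
constructed sample, not a real host's firewall.
"""
import re
import shlex
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# The machine-parseable part sits at the start of the comment, bounded by
# colons, so a search for ':2:' cannot accidentally hit ':20:'.
ID_RE = re.compile(r"^:(\d+):(.*)$")

# Constructed iptables-save output (sample data for this example only).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment ":1:loopback is trusted" -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment ":2:stateful return traffic" -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -m comment --comment ":20:ssh from admin net" -j ACCEPT
-A FORWARD -m comment --comment "legacy rule, no id" -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment ":20:duplicate id, must be flagged" -j ACCEPT
COMMIT
"""


class Rule(NamedTuple):
    table: str
    chain: str
    rule_id: Optional[int]   # None when the comment carries no ':<ID>:' prefix
    text: str                # free-text part of the comment ('' if none)
    line: str                # the original iptables-save line


def make_comment(rule_id: int, text: str) -> str:
    """Build a comment in the ':<numeric ID>:<free text>' form.

    xt_comment rejects comments that are not shorter than 256 bytes, so
    refuse them here instead of letting the rule load fail later.
    """
    comment = f":{rule_id}:{text}"
    if len(comment.encode()) >= 256:
        raise ValueError("comment must be shorter than 256 bytes")
    return comment


def parse_save(output: str) -> List[Rule]:
    """Turn iptables-save text into Rule records, honouring quoted comments."""
    rules: List[Rule] = []
    table = ""
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if not line.startswith("-A "):    # chain policies, COMMIT, comments
            continue
        tokens = shlex.split(line)        # keeps the double-quoted comment as one token
        chain = tokens[1]
        rule_id: Optional[int] = None
        text = ""
        if "--comment" in tokens:
            comment = tokens[tokens.index("--comment") + 1]
            m = ID_RE.match(comment)
            if m:
                rule_id, text = int(m.group(1)), m.group(2)
            else:
                text = comment
        rules.append(Rule(table, chain, rule_id, text, line))
    return rules


def index_by_id(rules: List[Rule]) -> Dict[int, List[Rule]]:
    """Map each numeric ID to the rules that carry it (the grep target)."""
    idx: Dict[int, List[Rule]] = defaultdict(list)
    for r in rules:
        if r.rule_id is not None:
            idx[r.rule_id].append(r)
    return dict(idx)


def duplicate_ids(rules: List[Rule]) -> List[int]:
    """IDs that appear on more than one rule; a manager must refuse these."""
    return sorted(i for i, rs in index_by_id(rules).items() if len(rs) > 1)


def untagged(rules: List[Rule]) -> List[Rule]:
    """Rules with no ':<ID>:' prefix, i.e. not under the manager's control."""
    return [r for r in rules if r.rule_id is None]


if __name__ == "__main__":
    parsed = parse_save(SAMPLE_RULES)
    for rid, rs in sorted(index_by_id(parsed).items()):
        print(rid, [f"{r.table}/{r.chain}: {r.text}" for r in rs])
    print("duplicate IDs:", duplicate_ids(parsed))
    print("untagged:", [r.line for r in untagged(parsed)])
```

Feed it real output with `iptables-save | python3 rule_index.py`-style plumbing by reading stdin instead of `SAMPLE_RULES`. The same bounded form is what makes the plain-shell version safe: `iptables-save | grep -F ':20:'` finds exactly the rule with ID 20, whereas a search for the bare number would also match 200 and 2000.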

