* Rule "labels"?
@ 2005-04-14 20:48 Andrew Kraslavsky
2005-04-14 21:02 ` Taylor, Grant
2005-04-14 21:32 ` Stephen J. McCracken
0 siblings, 2 replies; 5+ messages in thread
From: Andrew Kraslavsky @ 2005-04-14 20:48 UTC (permalink / raw)
To: netfilter
Hello,
Is there a way to associate rules together across tables or chains, possibly
with a label?
Note: As used here, a "policy" refers to an abstraction of one or more
iptables rules (and possibly, but not germane here, routing rules).
The reason I am seeking this is so that I can tag all rules that are used to
enforce a higher level policy such that, if that policy is later rescinded,
I can identify all of its constituent iptables rules by their label and
delete those rules.
Otherwise, I have to remember the exact contents of each rule or track their
indices within each chain so that I can delete each rule on that basis.
That's not hard to do if a human is managing the rule set directly, but is a
bit cumbersome to code into a utility that abstracts rules into higher level
(i.e. more end user friendly) "policies".
Here's a simple example which will hopefully help illustrate what I am
trying to do.
Setting the stage:
1) The default is to drop packets in the FORWARD chain.
2) There is a private local network using a non-Internet subnet (e.g.
192.168.168.0/24).
3) The public network interface, represented by variable $PUBLIC_IF, is
connected to the Internet.
4) SNAT (or sometimes MASQUERADE) is used to NAT traffic that originates
from the private network and is bound to the Internet.
The example policy:
The user enables a policy that is stated something along the lines of
"Expose HTTP server at local host <local IP address> to the Internet" and
specifies local IP address 192.168.168.23 for this policy.
This equates to the following 2 rules, one in the 'nat' table and the other
in the 'filter' table:
iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 80 -j DNAT --to 192.168.168.23
iptables -t filter -A FORWARD -i $PUBLIC_IF -d 192.168.168.23 -p tcp --dport 80 -j ACCEPT
Later, the user decides to disable the policy which means deleting both of
the rules above. Since I cannot rely on knowing the indices of each rule
within its chain, I must delete them by passing the original arguments of
each rule to the iptables delete command.
If I could label both rules with a common value and then do a chain by chain
delete based on the label, my programmatic life would be simpler. I'm
envisioning something like the following:
1) Include '-label' argument with the add rule command, e.g.:
iptables -t filter -A FORWARD -label POLICY001 -i $PUBLIC_IF -d 192.168.168.23 -p tcp --dport 80 -j ACCEPT
2) Support rule deletion based on -label, e.g.:
iptables -t filter -D FORWARD -label POLICY001
Ideally, the delete command would remove all rules in the specified chain
with the specified label, or all rules within the specified table, or even
across all chains in all tables, but I'm not that greedy...
Suggestions?
Thanks,
- Andrew
PS I guess such a label would be kind of like MARKing, but for rules instead
of packets.
* Re: Rule "labels"?
From: Taylor, Grant @ 2005-04-14 21:02 UTC (permalink / raw)
To: Andrew Kraslavsky; +Cc: netfilter
> Is there a way to associate rules together across tables or chains,
> possibly with a label?
I can't give you a "label", but I could give you a "comment". ;) Try looking at a newer kernel (2.6.10?) as it includes the comment match (always returns true but lets you put a free-text string in as a comment) which will be displayed when you iptables -L.
> iptables -t filter -A FORWARD -label POLICY001 -i $PUBLIC_IF -d
> 192.168.168.23 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -m comment --comment 'POLICY001' -i $PUBLIC_IF -d 192.168.168.23 -p tcp --dport 80 -j ACCEPT
Should be the equivalent of what you are needing.
> 2) Support rule deletion based on -label, e.g.:
>
> iptables -t filter -D FORWARD -label POLICY001
>
> Ideally, the delete command would remove all rules in the specified
> chain with the specified label, or all rules within the specified table,
> or even across all chains in all tables, but I'm not that greedy...
Well comment will not do that. I'm not sure that I really want the capability to do so in the iptables command and / or the kernel as this would be more overhead for something that is seldom used. I think it would be FAR more practical to do an "iptables -t filter -L -n -v --line-numbers", "iptables -t nat -L -n -v --line-numbers", "iptables -t mangle -L -n -v --line-numbers" and parse the output looking for all lines that match POLICY001. I think this would be an excellent shell or Perl script. If you would be interested in collaborating on such a project I'd be interested in seeing if I could help.
Grant. . . .
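The label-driven delete Grant sketches above, written out as an added example (this is not code from the thread or from the netfilter project). It reads the output of "iptables -t TABLE -L -n -v --line-numbers" for one table, keeps every rule whose comment text equals the label, and emits the matching "-D CHAIN NUM" commands. The one thing the index approach needs that the description leaves out: rule numbers shift down as soon as an earlier rule in the same chain is deleted, so the deletes are ordered highest number first within each chain. The listing below is constructed, not captured from a real box; the table list (filter, nat, mangle) and the "/* text */" rendering of the comment match are assumptions about the iptables of that era.

```shell
#!/bin/sh
# Added example, not code from the thread: label-driven rule deletion done
# the index-based way Grant describes.  For one table it parses
#     iptables -t TABLE -L -n -v --line-numbers
# keeps every rule whose "-m comment" text equals LABEL, and prints the
# matching "iptables -t TABLE -D CHAIN NUM" commands, highest rule number
# first within each chain so earlier deletions do not renumber later ones.

# Constructed sample listing of the filter table (not from a real system):
# two rules tagged POLICY001 and one tagged POLICY002.  iptables prints the
# comment match as "/* text */" at the end of the rule line.
SAMPLE_FILTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.168.23       tcp dpt:80 /* POLICY001 */
2        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.168.24       tcp dpt:443 /* POLICY002 */
3        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.168.23       tcp dpt:8080 /* POLICY001 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# delete_cmds_from_listing TABLE LABEL   (listing on stdin)
# Prints one "iptables -t TABLE -D CHAIN NUM" line per labelled rule,
# grouped by chain and ordered by descending rule number.
delete_cmds_from_listing() {
    awk -v table="$1" -v label="$2" '
        /^Chain / { chain = $2; next }          # "Chain FORWARD (policy DROP ...)"
        /^[0-9]+ / {                            # rule lines start with their number
            # the comment match is printed as "/* text */" at the end of the line
            if (match($0, /\/\* .* \*\/$/)) {
                text = substr($0, RSTART + 3, RLENGTH - 6)
                if (text == label)
                    printf "iptables -t %s -D %s %s\n", table, chain, $1
            }
        }' | sort -k5,5 -k6,6nr
}

# delete_label TABLE LABEL
# Lists one table on the live system and deletes every rule tagged LABEL.
# Needs root and the iptables binary, so it is shown here but not exercised.
delete_label() {
    iptables -t "$1" -L -n -v --line-numbers \
    | delete_cmds_from_listing "$1" "$2" \
    | while read -r cmd topt table dopt chain num; do
          iptables -t "$table" -D "$chain" "$num"
      done
}

# delete_policy LABEL: the "across all chains in all tables" variant.
# Table names are an assumption; add "raw" if the kernel has it.
delete_policy() {
    for table in filter nat mangle; do
        delete_label "$table" "$1"
    done
}

# Dry run against the constructed listing: prints
#   iptables -t filter -D FORWARD 3
#   iptables -t filter -D FORWARD 1
printf '%s\n' "$SAMPLE_FILTER" | delete_cmds_from_listing filter POLICY001
```

Run "delete_policy POLICY001" as root to actually remove a policy. Two caveats worth keeping in mind: "-n" matters, because with name resolution on the columns (and their spacing) change; and deleting by number is only safe if nothing else edits the chain between the listing and the delete, so where the original rule arguments are still known, "-D" with the full specification is the more robust choice and the comment then serves only to find the rules.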
* Re: Rule "labels"?
From: Stephen J. McCracken @ 2005-04-14 21:32 UTC (permalink / raw)
To: Andrew Kraslavsky; +Cc: netfilter
Andrew Kraslavsky wrote:
[snip]
> This equates to the following 2 rules, one in the 'nat' table and the
> other in the 'filter' table:
>
> iptables -t nat -A PREROUTING -i $PUBLIC_IF -p tcp --dport 80 -j DNAT
> --to 192.168.168.23
>
> iptables -t filter -A FORWARD -i $PUBLIC_IF -d 192.168.168.23 -p tcp
> --dport 80 -j ACCEPT
>
> Later, the user decides to disable the policy which means deleting both
> of the rules above. Since I cannot rely on knowing the indices of each
[snip]
>
> Ideally, the delete command would remove all rules in the specified
> chain with the specified label, or all rules within the specified table,
> or even across all chains in all tables, but I'm not that greedy...
>
> Suggestions?
It might not be as elegant as you are looking for, but I do something
similar with adding/deleting rules when VPNs come up/go down. I have
been simply generating rules in a file and sourcing that file in the
VPN_up script. I then have that file saved for the case when the VPN
goes down and just do a simple sed script to change all adds to deletes
and source that file in the VPN_down script. You don't have the problem
of finding rules dynamically as you have the file that generated the
rules hanging around and can easily reverse the process changing "-A" to
"-D".
Like I said, maybe not elegant, but it works.
sjm
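The "-A" to "-D" reversal sjm describes, as an added example (not code from the thread): a function that turns the file used to bring a policy or a VPN up into the file that takes it down. The plain sed substitution is all that "-A" lines need; the function also covers the two cases where that substitution alone gives the wrong result, "-I CHAIN N" (the position must be dropped or "-D CHAIN N" deletes by number) and "-N CHAIN" (the chain has to be flushed and removed after the rules that jump to it are gone), and it emits the lines in reverse order for the same reason. The up-file below is constructed; the interface, subnet and chain name in it are made-up values.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the "down" rule file
# from an "up" rule file.  Handles
#   -A CHAIN spec      -> -D CHAIN spec          (delete by specification)
#   -I CHAIN [N] spec  -> -D CHAIN spec          (position dropped)
#   -N CHAIN           -> -F CHAIN, then -X CHAIN
# Output is in reverse order so the jump into a custom chain is deleted
# before the chain itself; blank and "#" lines are skipped; anything else
# (-P, -F, ...) has no mechanical inverse and is flagged as a comment.

# Constructed sample up-file (hypothetical VPN rules; tun0, 10.8.0.0/24
# and vpn_in are made-up values).
UP_RULES='# applied when the tunnel comes up
iptables -N vpn_in
iptables -A vpn_in -s 10.8.0.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A vpn_in -j DROP
iptables -I INPUT 1 -i tun0 -j vpn_in
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'

# reverse_rules < up-file > down-file
reverse_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { lines[++n] = $0 }
        END {
            for (i = n; i >= 1; i--) {
                line = lines[i]
                # "-A CHAIN spec" -> "-D CHAIN spec"
                if (sub(/ -A /, " -D ", line)) { print line; continue }
                # "-I CHAIN N spec" -> "-D CHAIN spec": drop the position
                if (match(line, / -I [^ ]+ [0-9]+( |$)/)) {
                    split(substr(line, RSTART, RLENGTH), f, " ")   # f[2] is CHAIN
                    sub(/ -I [^ ]+ [0-9]+( |$)/, " -D " f[2] " ", line)
                    sub(/ $/, "", line)
                    print line; continue
                }
                # "-I CHAIN spec" without a position
                if (sub(/ -I /, " -D ", line)) { print line; continue }
                # "-N CHAIN" -> flush the chain, then delete it
                if (line ~ / -N /) {
                    flush = line; sub(/ -N /, " -F ", flush); print flush
                    del = line;   sub(/ -N /, " -X ", del);   print del
                    continue
                }
                # -P, -F and friends: no mechanical inverse, flag it
                print "# no inverse generated for: " line
            }
        }'
}

# Dry run against the constructed up-file; for real use:
#   reverse_rules < vpn_up.rules > vpn_down.rules
printf '%s\n' "$UP_RULES" | reverse_rules
```

Because the down-file deletes by specification rather than by rule number, it stays correct even if other rules were added to the same chains while the policy was active, which is the property the index-based approach lacks.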
* Re: Rule "labels"?
From: Andrew Kraslavsky @ 2005-04-14 23:08 UTC (permalink / raw)
To: sjmccracky; +Cc: netfilter
sjm,
Thanks for the suggestion. The "no scripting" limitation that is imposed on
me makes Grant's suggestion seem more of a match (<-- alert! unintentional,
and very poor, pun) to my needs but I'll certainly give this a try too if I
run into trouble with the -m comment approach he suggested.
I guess I should have mentioned that "no scripting" thing in my original
post - sorry about that.
Hmmm... Now that I think about it, VPN failover support is another task on
my assignment list. Perhaps I'll use your idea to help solve that little
(*shudder*) problem.
Thanks,
- Andrew
* Re: Rule "labels"?
From: Andrew Kraslavsky @ 2005-04-14 23:03 UTC (permalink / raw)
To: gtaylor; +Cc: netfilter
Grant,
>I think it would be FAR more practical to do an "iptables -t filter -L -n
>-v --line-numbers", "iptables -t nat -L -n -v --line-numbers", "iptables -t
>mangle -L -n -v --line-numbers" and parse the output looking for all lines
>that match POLICY001. I think this would be an excellent shell or Perl
>script.
Thanks for the suggestion. I think it is a very good one.
I had not heard of the "-m comment" option before and it's not in my revision
of Oskar Andreasson's Iptables Tutorial (guess I need to refresh my docs).
I am additionally hampered (protected?) by a dictum that scripting is not
allowed in my little world, so, in the end, I would have to do what you
describe programmatically (i.e. in a C or C++ program). However, I'm
certainly not averse to prototyping the functionality in a shell or Perl
script. I do that sometimes anyway when I want a quick turnaround as I
iterate through changes to the logic.
I'll try playing around with that. When I have something I'll send it to
you, or is there some sort of common repository where netfilter/iptables
denizens share stuff like this?
Thanks for your help and advice,
- Andrew