Feature request: ability to test if rule is loaded

Timothy Earl mehimx at gmail.com
Fri Apr 8 14:00:16 CEST 2005


I think to solve your problem you could work around it by using a series of
awk, grep and sed commands along with iptables -vL to test if your rule is
loaded; presently that is how I get my current IP, etc.

man awk, man grep, man sed

for example:

EXTIP="`/sbin/ifconfig ppp0 | grep 'inet adr' | awk '{print $2}' | sed -e



> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-
> bounces at lists.netfilter.org] On behalf of `VL
> Sent: Friday 8 April 2005 09:00
> To: netfilter at lists.netfilter.org
> Subject: Feature request: ability to test if rule is loaded
> Hello all.
> I recently started to configure my firewall and decided to write some
> more advanced shell scripts to make loading of rules easier. My task
> was to have a config which looks like:
> loadrule client/ssh on/off
> loadrule server/sshd on/off
> and I want the ability to run a script which will go through this list
> and will load rules that are not yet loaded, and remove rules that are
> marked off, if they are loaded.
> client/ssh is a file that contains something like this:
> NAME="SSH Client"
> MY_SSH_SERVER1="xxx.xxx.xxx.xxx"
> RULE[0]="OUTPUT -o eth0 -p tcp...."
> RULE[1]="INPUT -i eth0 ...."
> When I want to add a rule, my function loadrule runs iptables -A
> RULE[0,1...]; if I want to disable a rule, I call iptables -D
> RULE[0,1...]
> But! How do I test if a rule was loaded? If I delete rules, I get an
> error if the rule is not loaded; if I add rules, it just gets added next in
> the chain.
> So, it would be nice to have a new iptables option, I think -T, which
> will act like -D with one exception: it will not delete the rule, just
> return true if the rule exists in the chain, and false otherwise.
> It seems to me that it is very easy to add, and that it will be
> useful for system administrators.
> For example, if we can't turn off the firewall on a critical server, the
> administrator has to manually review the list of rules and delete some
> he decided to remove for some reason. With my approach he just changes
> 1 line in a readable config to off, and asks the script to reload the config.
> What do you think?
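An added example, not from either poster, of the "is this rule loaded?" check the request asks for, written in sh on top of the `iptables -S CHAIN` listing that later iptables releases provide (later releases also added `-C`, which performs exactly the requested test). It assumes the listing format `-A CHAIN rulespec` and uses a constructed sample listing so it runs without root; the `list_chain`, `rule_loaded` and `loadrule` names are mine.

```shell
#!/bin/sh
# Emulate the requested "iptables -T": check a rule against the chain listing
# before adding or deleting, so -D never fails and -A never duplicates.

# list_chain CHAIN: rules of CHAIN as printed by `iptables -S CHAIN`.
# If SAMPLE_LISTING is set, use it instead (offline test without root).
list_chain() {
    if [ -n "$SAMPLE_LISTING" ]; then
        printf '%s\n' "$SAMPLE_LISTING"
    else
        iptables -S "$1"
    fi
}

# rule_loaded CHAIN RULESPEC...: exit 0 if the rule is present verbatim, 1 otherwise.
# Caveat: -S prints rules in normalised form (e.g. "-p tcp -m tcp --dport 22"),
# so the spec must be written exactly as iptables prints it.
rule_loaded() {
    chain=$1; shift
    list_chain "$chain" | grep -Fxq -- "-A $chain $*"
}

# loadrule CHAIN on|off RULESPEC...: print the iptables command needed to reach
# the requested state, or nothing if the chain is already in that state.
# (Printing instead of executing keeps the example runnable offline.)
loadrule() {
    chain=$1; state=$2; shift 2
    if rule_loaded "$chain" "$@"; then
        [ "$state" = off ] && echo "iptables -D $chain $*"
    else
        [ "$state" = on ] && echo "iptables -A $chain $*"
    fi
    return 0
}

# Constructed stand-in for `iptables -S OUTPUT` on a host with two rules loaded
SAMPLE_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT'

loadrule OUTPUT on  -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT  # loaded: prints nothing
loadrule OUTPUT off -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT  # prints "iptables -D OUTPUT ..."
loadrule OUTPUT on  -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT  # prints "iptables -A OUTPUT ..."
```

To use it on a real host, unset SAMPLE_LISTING and replace the `echo` calls with the iptables command itself.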
