feature request

Leonardo Rodrigues Magalhães leolistas at solutti.com.br
Thu Apr 14 20:37:04 CEST 2005

    Guys, how about using the new comment module for making grepping 
easy ???? Instead of grepping the rule parameters, you can include a 
unique ID as a comment in your rule and simply grep for it !!! What do 
you think ??

iptables -I FORWARD -i eth0 -o ppp0 -p tcp -s -d 
-m state --state NEW,ESTABLISHED -m time --timestart 08:00 --timestop 
15:45 --days Mon,Wed,Fri -m comment --comment "my_super_crazy_rule" -j 

[root at correio ~]# iptables -nL FORWARD -v | grep my_super_crazy_rule | wc -l
[root at correio ~]# iptables -nL FORWARD -v | grep 
my_nonexistant_super_crazy_rule | wc -l    
[root at correio ~]#

    Leonardo Rodrigues

Taylor, Grant wrote:

>> more? Why not return failure and say "rule already loaded?" It's not a
>> criticism, I just want to understand why I could need more than one identical
>> rule for one chain.
> I'm just guessing here but I'd be willing to bet that the actual 
> kernel space of IPTables is more like a database that gets traversed 
> in kernel space.  The iptables command line tool is probably a user 
> land space tool for listing, inserting, updating, and deleting entries 
> in that database.  I'd say that to make things simpler the kernel does 
> not do any checking to make sure that a rule is distinct as there is 
> no harm in having multiple identical rules save for the fact that it 
> is an additional rule to traverse.  The iptables command line tool was 
> not written to do any checking either as it is not required and this 
> would probably complicate things quite a bit more.
>> So, I'd prefer to write something similar to init scripts, where I have
>> to remember the state of each loaded rule: is it loaded or not. But here
>> there are other problems: what if I manually add/delete a rule? This
>> should not happen if I have 'my super system', but it's life... so
>> again I have to reinvent the wheel.
> You might try taking a look at iptables-save and iptables-restore 
> respectively.  From the output of iptables-save it looks like all the 
> lines that it generates would go directly after the iptables command.  
> I.e. if you would normally type:
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> You would see the following in the iptables-save output:
> -A FORWARD -i eth0 -o eth1 -j ACCEPT
> I'd be willing to bet that it is easier to parse this output than the 
> normal iptables output for what you are doing.  Take a look at it and 
> see if it will work for you.
> Grant. . . .
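As an added example that is not part of the original post: a POSIX shell snippet that turns the comment-tag idea into an idempotent rule loader. It matches on iptables-save output (following Grant's suggestion) instead of `iptables -nL -v`, and the saved output, tag names and the ensure_rule/rule_tag_count helpers are all constructed for this example.

```shell
#!/bin/sh
# Constructed stand-in for `iptables-save -t filter` (one rule per line).
# On a live box you would use:  current=$(iptables-save -t filter)
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o ppp0 -p tcp -m state --state NEW,ESTABLISHED -m comment --comment "my_super_crazy_rule" -j ACCEPT
-A FORWARD -p tcp --dport 22 -m comment --comment "my_super_crazy_rule_2" -j ACCEPT
-A FORWARD -s 10.0.0.5/32 -m comment --comment "my_super_crazy_rule" -j DROP
COMMIT'

# Only plain identifiers are accepted as tags: anything else could be ambiguous
# in the saved output or change the meaning of the grep pattern below.
valid_tag() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# rule_tag_count TAG SAVE_OUTPUT: how many rules carry exactly TAG.
# The pattern is anchored on the closing quote, so a bare grep for
# "my_super_crazy_rule" cannot be fooled by "my_super_crazy_rule_2".
rule_tag_count() {
    valid_tag "$1" || { echo "bad tag: $1" >&2; return 2; }
    printf '%s\n' "$2" | grep -c -E -- "--comment \"$1\"( |\$)" || true
}

# ensure_rule TAG SAVE_OUTPUT CHAIN TARGET MATCH_ARGS...
# Prints the iptables command to run (pipe into sh to apply); emits nothing
# to add when the tag is already present once, and fails when it is duplicated,
# which is exactly the case the thread complains about.
ensure_rule() {
    tag=$1; current=$2; chain=$3; target=$4; shift 4
    n=$(rule_tag_count "$tag" "$current") || return 2
    case $n in
        0) echo "iptables -A $chain $* -m comment --comment \"$tag\" -j $target" ;;
        1) echo "already loaded: $tag" ;;
        *) echo "duplicate: $tag present $n times" >&2; return 1 ;;
    esac
}

ensure_rule my_http_rule "$SAMPLE_SAVE" FORWARD ACCEPT -p tcp --dport 80
ensure_rule my_super_crazy_rule_2 "$SAMPLE_SAVE" FORWARD ACCEPT
```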
