Rule "labels"?

Taylor, Grant gtaylor at riverviewtech.net
Thu Apr 14 23:02:08 CEST 2005


> Is there a way to associate rules together across tables or chains, 
> possibly with a label?

I can't give you a ""label, but I could give you a ""comment.  ;)  Try looking at a newer kernel (2.6.10?) as it includes the comment match (always returns true but let's you put a free text string in as a comment) which will be displayed when you iptables -L.

> iptables -t filter -A FORWARD -label POLICY001 -i $PUBLIC_IF -d 
> 192.168.168.23 -p tcp --dport 80 -j ACCEPT

iptables -t filter -A FORWARD -m comment --comment 'POLICY001' -i $PUBLIC_IF -p tcp --dport 80 -j ACCEPT

Should be the equivalent of what you are needing.

> 2) Support rule deletion based on -label, e.g.:
> 
> iptables -t filter -D FORWARD -label POLICY001
> 
> Ideally, the delete command would remove all rules in the specified 
> chain with the specified label, or all rules within the specified table, 
> or even across all chains in all tables, but I'm not that greedy...

Well comment will not do that.  I'm not sure that I really want the capability to do so in the iptables command and / or the kernel as this would be more overhead for something that is seldom used.  I think it would be FAR more practical to do an "iptables -t filter -L -n -v --line-numbers", "iptables -t nat -L -n -v --line-numbers", "iptables -t mangle -L -n -v --line-numbers" and parse the output looking for all lines that match POLICY001.  I think this would be an excellent shell or Perl script.  If you would be interested in collaborating on such a project I'd be interested in seeing if I could help.



Grant. . . .



More information about the netfilter mailing list