gtaylor at riverviewtech.net
Thu Apr 14 23:02:08 CEST 2005
> Is there a way to associate rules together across tables or chains,
> possibly with a label?
I can't give you a "label", but I could give you a "comment". ;) Try looking at a newer kernel (2.6.10?) as it includes the comment match (always returns true but lets you put a free text string in as a comment) which will be displayed when you iptables -L.
> iptables -t filter -A FORWARD -label POLICY001 -i $PUBLIC_IF -d
> 192.168.168.23 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -m comment --comment 'POLICY001' -i $PUBLIC_IF -p tcp --dport 80 -j ACCEPT
Should be the equivalent of what you are needing.
> 2) Support rule deletion based on -label, e.g.:
> iptables -t filter -D FORWARD -label POLICY001
> Ideally, the delete command would remove all rules in the specified
> chain with the specified label, or all rules within the specified table,
> or even across all chains in all tables, but I'm not that greedy...
Well, comment will not do that. I'm not sure that I really want the capability to do so in the iptables command and / or the kernel as this would be more overhead for something that is seldom used. I think it would be FAR more practical to do an "iptables -t filter -L -n -v --line-numbers", "iptables -t nat -L -n -v --line-numbers", "iptables -t mangle -L -n -v --line-numbers" and parse the output looking for all lines that match POLICY001. I think this would be an excellent shell or Perl script. If you would be interested in collaborating on such a project I'd be interested in seeing if I could help.
Grant. . . .
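The script Grant sketches, written out as an added example (this is not code from the original post or from the netfilter project). It assumes the comment match is rendered as "/* LABEL */" in "iptables -L -n -v --line-numbers" output, which is how libxt_comment prints it, and that the label is the entire comment, so POLICY001 does not also match POLICY0010. The one caveat worth building in: "iptables -D CHAIN NUM" renumbers every rule after NUM, so the delete commands for a chain must be emitted highest number first.

```shell
#!/bin/sh
# Delete every rule tagged with a given comment label across tables and chains.
# Added example, not from the original post.  Assumes the comment match is
# shown as "/* LABEL */" in "iptables -L -n -v --line-numbers" output.

# Read one table's listing on stdin and print "iptables -t TABLE -D CHAIN NUM"
# for every rule whose comment is exactly LABEL.  Within a chain the commands
# come out highest line number first, because deleting rule N shifts the
# numbers of all rules after it.
label_delete_cmds() {
    table=$1
    label=$2
    awk -v table="$table" -v label="$label" '
        /^Chain / { chain = $2; next }          # "Chain FORWARD (policy ...)"
        /^num /   { next }                       # column header line
        $1 ~ /^[0-9]+$/ {                        # a numbered rule line
            # whole-comment match: "/* POLICY001 */" does not hit POLICY0010
            if (index($0, "/* " label " */") > 0) {
                n[chain]++
                hit[chain, n[chain]] = $1
                if (!(chain in seen)) { order[++c] = chain; seen[chain] = 1 }
            }
        }
        END {
            for (i = 1; i <= c; i++) {
                ch = order[i]
                for (j = n[ch]; j >= 1; j--)     # descending rule numbers
                    printf "iptables -t %s -D %s %s\n", table, ch, hit[ch, j]
            }
        }'
}

# Print the delete commands for LABEL in the filter, nat and mangle tables.
# Review the output first, then run it:  delete_by_label POLICY001 | sh
delete_by_label() {
    label=$1
    for table in filter nat mangle; do
        iptables -t "$table" -L -n -v --line-numbers 2>/dev/null |
            label_delete_cmds "$table" "$label"
    done
}
```

Keeping the listing parser separate from the iptables calls means it can be checked against a saved listing before it is ever pointed at a live firewall, and "delete_by_label POLICY001" without the "| sh" shows exactly what would be removed.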