>I think it would be FAR more practical to do an "iptables -t filter -L -n 
>-v --line-numbers", "iptables -t nat -L -n -v --line-numbers", "iptables -t 
>mangle -L -n -v --line-numbers" and parse the output looking for all lines 
>that match POLICY001.  I think this would be an excellent shell or Perl 

Thanks for the suggestion.  I think it is a very good one.

I had not heard of the "-m comment" option before and it's not in my revision 
of Oskar Andreasson's Iptables Tutorial (guess I need to refresh my docs).

I am additionally hampered (protected?) by a dictum that scripting is not 
allowed in my little world, so, in the end, I would have to do what you 
describe programmatically (i.e. in a C or C++ program). However, I'm 
certainly not averse to prototyping the functionality in a shell or Perl 
script.  I do that sometimes anyway when I want a quick turnaround as I 
iterate through changes to the logic.

I'll try playing around with that.  When I have something I'll send it to 
you, or is there some sort of common repository where netfilter/iptables 
denizens share stuff like this?

Thanks for your help and advice,

- Andrew
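As an added example (not part of the original thread, nor code posted by either writer), a shell prototype of the approach suggested above: parse "iptables -t TABLE -L -n -v --line-numbers" output and report the table, chain and rule number of every rule tagged with a given "-m comment" string. The listing below is a constructed sample, and the POLICY001/POLICY002 tags are assumed.

```shell
#!/bin/sh
# Constructed sample of "iptables -t filter -L -n -v --line-numbers" output.
# The rules were assumed to be tagged with "-m comment --comment POLICYnnn";
# iptables prints such a comment at the end of the rule as /* POLICYnnn */.
SAMPLE_FILTER='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 /* POLICY001 */
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* POLICY002 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0            /* POLICY001 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
'

# find_policy_rules TABLE TAG  (listing on stdin)
# Prints "TABLE CHAIN RULENUM" for each rule whose comment is exactly TAG.
# Exact comparison matters: a plain grep for POLICY001 would also hit POLICY0011.
find_policy_rules() {
  table=$1; tag=$2
  awk -v table="$table" -v tag="$tag" '
    /^Chain /        { chain = $2; next }   # remember the chain we are in
    /^num / || /^$/  { next }               # skip column header and blank lines
    {
      if (match($0, /\/\* .* \*\//)) {      # locate the /* ... */ comment
        c = substr($0, RSTART + 3, RLENGTH - 6)
        if (c == tag) print table, chain, $1
      }
    }'
}

# Helper used for checking: number of rules in the sample carrying TAG.
count_policy_rules() {
  printf '%s\n' "$SAMPLE_FILTER" | find_policy_rules filter "$1" | wc -l | tr -d ' '
}

# On a live system the real listing is piped in instead of the sample, once per table:
#   iptables -t filter -L -n -v --line-numbers | find_policy_rules filter POLICY001
#   iptables -t nat    -L -n -v --line-numbers | find_policy_rules nat    POLICY001
#   iptables -t mangle -L -n -v --line-numbers | find_policy_rules mangle POLICY001
printf '%s\n' "$SAMPLE_FILTER" | find_policy_rules filter POLICY001
```

Rule numbers shift when a rule is deleted, so if the goal is to remove every rule tagged with a policy, delete within each chain from the highest number down (or delete by rule specification rather than by number).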

