On Mon, Jun 6, 2011 at 17:09, Jan-Frode Myklebust <janfrode@xxxxxxxxx> wrote:
> On Mon, Jun 06, 2011 at 05:53:18PM -0400, seth vidal wrote:
>> > > b/c it seems to be behaving on mine.
>> >
>> > You're not seeing these timestamps or counters ?
>>
>> I see the timestamps - I have no problem with that part of your patch.
>>
>> I don't see the counters.
>>
>
> Strange.. anybody else on this list care to chime in? Is it really just
> me? AFAIK we're running with quite standard RHEL5/6 iptables configs..
>
> RHEL5:
> ----------------------------------------------
> # /sbin/iptables-save
> # Generated by iptables-save v1.3.5 on Tue Jun 7 00:04:37 2011
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [7617151:2762434660]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Tue Jun 7 00:04:37 2011
> # grep -v ^# /etc/sysconfig/iptables-config |grep -v ^$
> IPTABLES_MODULES="ip_conntrack_netbios_ns"
> IPTABLES_MODULES_UNLOAD="yes"
> IPTABLES_SAVE_ON_STOP="no"
> IPTABLES_SAVE_ON_RESTART="no"
> IPTABLES_SAVE_COUNTER="no"
> IPTABLES_STATUS_NUMERIC="yes"
> IPTABLES_STATUS_VERBOSE="no"
> IPTABLES_STATUS_LINENUMBERS="yes"
> ----------------------------------------------
>
> RHEL6
> ----------------------------------------------
> # iptables-save
> # Generated by iptables-save v1.4.7 on Tue Jun 7 00:03:26 2011
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [573260:64263533]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s 192.168.11.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Tue Jun 7 00:03:26 2011
> # grep -v ^# /etc/sysconfig/iptables-config |grep -v ^$
> IPTABLES_MODULES=""
> IPTABLES_MODULES_UNLOAD="yes"
> IPTABLES_SAVE_ON_STOP="no"
> IPTABLES_SAVE_ON_RESTART="no"
> IPTABLES_SAVE_COUNTER="no"
> IPTABLES_STATUS_NUMERIC="yes"
> IPTABLES_STATUS_VERBOSE="no"
> IPTABLES_STATUS_LINENUMBERS="yes"
> ----------------------------------------------
>
>
> -jf

I see the same output to 'iptables-save' as jf posted above. If I add
the -c to the command I see counters prefixed on each line.

[root@lordsi ~]# iptables-save
# Generated by iptables-save v1.3.5 on Mon Jun 6 22:14:33 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [266442075:53123504585]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 51234 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 51235 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 6 22:14:33 2011

[root@lordsi ~]# iptables-save -c
# Generated by iptables-save v1.3.5 on Mon Jun 6 22:14:31 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [266441955:53123478462]
:RH-Firewall-1-INPUT - [0:0]
[236254897:51756787195] -A INPUT -j RH-Firewall-1-INPUT
[0:0] -A FORWARD -j RH-Firewall-1-INPUT
[6527402:391644394] -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 51234 -j ACCEPT
[933:55832] -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 51235 -j ACCEPT
[15447:4314379] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[85529624:4880963213] -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p esp -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p ah -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
[0:0] -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
[144084633:46465883253] -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[70:5128] -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[96788:13920996] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jun 6 22:14:31 2011

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
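
An added example, not part of the original messages or of the Func code base: a small Python parser for the `iptables-save` format shown above. It distinguishes the chain-policy counters, which are always printed, from the per-rule counters that only appear with `-c`, and lists rules that have never matched. The function names are hypothetical and the sample input is abridged from the `iptables-save -c` output in the message above.

```python
import re

# Sample abridged from the `iptables-save -c` output in the message above.
SAMPLE = """\
# Generated by iptables-save v1.3.5 on Mon Jun 6 22:14:31 2011
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [266441955:53123478462]
:RH-Firewall-1-INPUT - [0:0]
[236254897:51756787195] -A INPUT -j RH-Firewall-1-INPUT
[0:0] -A RH-Firewall-1-INPUT -p esp -j ACCEPT
[70:5128] -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[96788:13920996] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]" is printed with or without -c.
POLICY = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# "[pkts:bytes] -A CHAIN ..." carries the prefix only when -c was given.
RULE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?(-A\s+(\S+)\s.*)$")

def parse_save(text):
    """Return (policies, rules); rule counters are None when -c was not used."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif (m := POLICY.match(line)):
            policies[(table, m[1])] = (m[2], int(m[3]), int(m[4]))
        elif (m := RULE.match(line)):
            counted = m[1] is not None
            rules.append({
                "table": table, "chain": m[4], "rule": m[3],
                "packets": int(m[1]) if counted else None,
                "bytes": int(m[2]) if counted else None,
            })
    return policies, rules

def has_rule_counters(rules):
    """True only if every parsed rule carried a [pkts:bytes] prefix."""
    return bool(rules) and all(r["packets"] is not None for r in rules)

def unused_rules(rules):
    """Rules whose packet counter is exactly zero (never matched since last reset)."""
    return [r["rule"] for r in rules if r["packets"] == 0]
```

A zero counter only means the rule has not matched since the counters were last reset, so check uptime and the last firewall reload before treating such a rule as dead.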