On Monday 2008-05-12 01:22, Henrik Nordstrom wrote:

>This patch makes iptables -L --rules capable of printing "save" format
>rules, same as iptables-save.
>
>The patch adds the --rules option to ip(6)tables, and moves the
>functions for printing "save" format rules from ip(6)tables-save.c to
>ip(6)tables.c where it may be used by all commands and not only
>ip(6)tables-save.
>
>Not sure if this should be an option to -L/--list, or a new command of
>its own. Before looking at the code I thought an option to --list would
>be better, but after looking at the code I am no longer sure, perhaps
>it's better as a --list-rules command instead of an option to --list.

  CC     ip6tables.o
../ip6tables.c: In function ‘do_command6’:
../ip6tables.c:1730: error: ‘struct ip6t_entry’ has no member named ‘ip’

Other than that, I do not see a real difference the patch makes
over iptables-save.

10:35 yaguchi:../xtables-dev/obj # iptables -Z; ./iptables -nvL --rules;
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i rtl0 -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i vmnet+ -j ACCEPT
[0:0] -A INPUT -s 84.213.68.203/32 -i tun+ -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A FORWARD -i rtl0 -j ACCEPT
[0:0] -A FORWARD -i sis0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i sis0 -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A FORWARD -i sis0 -j REJECT --reject-with icmp-port-unreachable

10:36 yaguchi:../xtables-dev/obj # iptables -Z; iptables-save -ct filter
# Generated by iptables-save v1.4.0.77 on Mon May 12 10:36:14 2008
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i rtl0 -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i vmnet+ -j ACCEPT
[0:0] -A INPUT -s 84.213.68.203/32 -i tun+ -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A FORWARD -i rtl0 -j ACCEPT
[0:0] -A FORWARD -i sis0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i sis0 -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A FORWARD -i sis0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon May 12 10:36:14 2008

I would even argue it is inferior to iptables-save (which shows policy
and counters for the chains).