---------- Original Message ----------------------------------
From: Joel Newkirk <netfilter@xxxxxxxxxx>
Reply-To: netfilter@xxxxxxxxxx
Date: Tue, 1 Apr 2003 03:41:48 -0500

>I haven't started a new thread here in ages, and this is something I've
>been toying with for a while. With the recent announcement of a
>feature-freeze on iptables 1.2.8, this seemed a reasonable time to start
>this thread. (targeting later releases, obviously, and hoping to spark
>some constructive discussion :^)
>
>I was curious to hear what people might have as a 'wishlist' for
>iptables/netfilter capabilities. Every once in a while something comes
>up here that simply doesn't seem to have a good solution.
>
>My hope is that many of our personal wishes may already be possible, and
>by voicing them someone who has a solution may post it. And for any
>that don't presently have an answer, perhaps someone will be inspired to
>create one.
>
>Personally I have four:
>
>1 - revamped LOG entry format, especially cleaning up MAC.

I also want this feature.

>
>2 - completely separate netfilter logging from kernel log streams. (not
>just redirecting infrequently-used kernel streams, but actual dedicated
>netfilter streams)

Ohh yes!!! This is also "a must have". An extension to this would be to log
to different files for different rules. Something like:

iptables -A INPUT -s bad.host.net --log-file /var/log/netfilter/bad.hosts -j LOG

>
>3 - Ability to match "original DestinationIP" of a DNATted packet in
>subsequent chains. Useful with a single physical interface but multiple
>IPs bound to it.
>
>4 - addition of support for a REM field in rules. Would do nothing
>whatsoever except print the specified REMark text at the end of the rule
>in -L listings. Something like:
>iptables -A INPUT -p tcp --dport 22 -s a.b.c.d -j ACCEPT -REM JoelSSH
>So that a -L listing could be easier & quicker to decipher sometimes. It
>would also allow "iptables -L -v -n | grep Joel" to list only rules, in
>all chains, with "Joel" in the comment.

This is also good :-)

Another thing for the wishlist (for me, that is): when listing (-L) with
verbose (-v) I wish to remove some fields. Today I must use the awk command
to do this, resulting in a very long command. Something like:

iptables -L -v -opt -source +REM

would remove the opt and source fields and add the REM field, if not
default, when listing with verbose.

>
>
>j
>

/Klintan

________________________________________________________________
Sent with Stib Webmail, a service at klintan.se
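As an added example, not part of the thread above, here is the kind of awk post-processing Klintan describes, wrapped in two small shell functions: one that drops `iptables -L -v -n` columns by header name (the `-opt -source` wish) and one that lists only the rules carrying a given tag in their trailing comment (Joel's `grep Joel` use of the REM field). The listing it runs on is a constructed sample, with the `/* ... */` comment form that the later `-m comment --comment` match prints in `-L` output; the chain names, addresses and tags are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): post-process an `iptables -L -v -n`
# listing in the shell. Usage on a real box:
#   iptables -L -v -n | trim_fields opt source
#   iptables -L -v -n | rules_tagged Joel

# Drop the named columns (as spelled in the listing header, e.g. opt source)
# from every table line; chain headers and blank lines pass through untouched.
trim_fields() {
    awk -v drop="$*" '
    BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
    /^Chain / || /^[[:space:]]*$/ { print; next }
    # The column header tells us which field numbers to drop for the rows
    # that follow it (recomputed per chain, so a changed header still works).
    $1 == "pkts" && $2 == "bytes" {
        for (k in skip) delete skip[k]
        for (i = 1; i <= NF; i++) if ($i in want) skip[i] = 1
    }
    {
        out = ""
        for (i = 1; i <= NF; i++)
            if (!(i in skip)) out = out (out == "" ? "" : " ") $i
        print out
    }'
}

# Print only rule lines whose trailing /* comment */ contains the given tag.
rules_tagged() {
    awk -v tag="$1" 'index($0, "/* ") && index($0, tag)'
}

# Constructed sample listing (not captured from a real system).
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     tcp  --  *      *       198.51.100.7         0.0.0.0/0            tcp dpt:22 /* JoelSSH */
    0     0 DROP       all  --  *      *       203.0.113.9          0.0.0.0/0            /* bad-host */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 ACCEPT     tcp  --  eth0   eth0    0.0.0.0/0            192.0.2.10           tcp dpt:80 /* JoelWeb */'

# Demonstration run over the sample.
printf '%s\n' "$SAMPLE_LISTING" | trim_fields opt source
printf '%s\n' "$SAMPLE_LISTING" | rules_tagged Joel
```

Because the columns are located by header name rather than by position, the same function works for `-L -v -n` output with or without the `opt` column, and the extra per-rule text after `destination` (ports, comments) is always kept.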