Guys, how about using the new comment module for making grepping easy ???? Instead of grepping the rules parameters, you can include an unique ID as a comment in your rule and simply grep for it !!! What do you think ??
iptables -I FORWARD -i eth0 -o ppp0 -p tcp -s 12.34.56.78 -d 10.20.30.40 -m state --state NEW,ESTABLISHED -m time --timestart 08:00 --timestop 15:45 --days Mon,Wed,Fri -m comment --comment "my_super_crazy_rule" -j ACCEPT
[root@correio ~]# iptables -nL FORWARD -v | grep my_super_crazy_rule | wc -l
1
[root@correio ~]# iptables -nL FORWARD -v | grep my_nonexistant_super_crazy_rule | wc -l 0
[root@correio ~]#
Sincerily, Leonardo Rodrigues
Taylor, Grant escreveu:
more? Why not return failure and say "rule already loaded?" It`s not a critic, i just want to understand why i can need more than 1 same rule for 1 chain.
I'm just guessing here but I'd be willing to bet that the actual kernel space of IPTables is more like a database that gets traversed in kernel space. The iptables command line tool is probably a user land space tool for listing, inserting, updating, and deleting entries in that database. I'd say that to make things simpler the kernel does not do any checking to make sure that a rule is distinct as there is no harm in having multiple identical rules saver for the fact that it is an additional rule to traverse. The iptables command line tool was not written to do any checking either as it is not required and this would probably complicate things quite a bit more.
So, i`d prefer to write something simular to init scripts, when i have to remember state of each loaded rule: is it loaded or not. But here there are other problems: what if i manually add/delete rule? this should not happen if i have 'my super system', but it`s life... so again i have to reinvent wheel.
You might try taking a look at iptables-save and iptables-restore respectively. From the output of iptables-save it looks like all the lines that it generates would go directly after the iptables command. I.e. if you would normally type:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
You would see the following in the iptables-save output:
-A FORWARD -i eth0 -o eth1 -j ACCEPT
I'd be willing to bet that it is easier to parse this output than the normal iptables output for what you are doing. Take a look at it and see if it will work for you.
Grant. . . .