On 01.06.2010 10:50, jengelh@xxxxxxxxxx wrote:
> On Tuesday 2010-06-01 10:10, Radek Kanovsky wrote:
>
>> Hello,
>>
>> is there some way to get iptables rules in some normalized form?
>> What I mean is normalized or canonical form that is convenient
>> for rule comparison.
>
> Load em up, then use iptables-save and/or iptables -S.
>
>> When I want to update rules on firewall or router with thousands of rules
>> I want to do it incrementally. Reloading whole iptables on small change
>> every ten minutes is not acceptable because it takes very long time
>
> That's because you are not using iptables-restore to do an O(n) reload.
>
> Calling iptables again and again is going to replace tables over and
> over.
>
>> and resets counters defined for accounting purposes. But incremental
>> solution requires some comparable rule form so machine can decide
>> which rule already exists, which is new and which should be deleted.

Besides, there's also iptables-xml (not sure when it came up), which can
give you a unified output. Reading man iptables-xml, the way back is
possible like:

    Conversion from XML to iptables-save format may be done using the
    iptables.xslt script and xsltproc, or a custom program using
    libxsltproc or similar; in this fashion:

        xsltproc iptables.xslt my-iptables.xml | iptables-restore

>>
>> I have prototype in python that does such normalization and is able
>> to output "patch" for existing rules according to given new rules.
>> Script generates -N/-X/-F/-P/-I/-D/-A rules via standard python difflib
>> and is pretty effective and simple (90 lines) but requires rules in
>> comparable form and this is the harder part of my problem (2662 lines).

I bet python has loads of xml libs.

[...]

Best regards
Mart
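An added example of the kind of difflib-based patch generator the quoted message describes; it is not Radek's script nor anything from the thread. It assumes both inputs are iptables-save dumps of a single table (so -A lines are already in canonical form), normalizes each rule by re-joining its shell tokens, and emits only the -N/-X/-F/-P/-I/-D commands needed, so rules that did not change keep their counters. The sample dumps and all names are constructed.

```python
import difflib, shlex

# Constructed sample dumps in iptables-save format (not from the thread).
OLD_DUMP = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""
NEW_DUMP = """*filter
:INPUT DROP [0:0]
:web - [0:0]
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """({chain: policy}, {chain: [rule spec]}) for one table; re-joining tokens normalizes spacing."""
    policies, rules = {}, {}
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0].startswith(":"):          # ":INPUT ACCEPT [0:0]"; "-" marks a user chain
            policies[tok[0][1:]] = tok[1]
            rules.setdefault(tok[0][1:], [])
        elif tok and tok[0] == "-A":                # "-A INPUT -p tcp --dport 22 -j ACCEPT"
            rules.setdefault(tok[1], []).append(shlex.join(tok[2:]))
    return policies, rules

def make_patch(old_text, new_text):
    """Commands (-N/-X/-F/-P/-I/-D) turning old into new; untouched rules keep their counters."""
    (old_pol, old_rules), (new_pol, new_rules) = parse_save(old_text), parse_save(new_text)
    cmds = []
    for chain, pol in new_pol.items():
        if chain not in old_pol and pol == "-":
            cmds.append("iptables -N %s" % chain)
        elif pol != "-" and old_pol.get(chain) != pol:
            cmds.append("iptables -P %s %s" % (chain, pol))
    for chain, b in new_rules.items():
        a, pos = old_rules.get(chain, []), 1        # pos: 1-based rule number in the live chain
        for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(a=a, b=b, autojunk=False).get_opcodes():
            if tag == "equal":
                pos += i2 - i1
                continue
            cmds += ["iptables -D %s %d" % (chain, pos)] * (i2 - i1)  # deleting shifts: same number
            for spec in b[j1:j2]:
                cmds.append("iptables -I %s %d %s" % (chain, pos, spec))
                pos += 1
    for chain in [c for c in old_rules if c not in new_rules]:   # dropped chain: flush, then delete
        cmds += ["iptables -F %s" % chain, "iptables -X %s" % chain]
    return cmds
```

Deletes are issued by rule number rather than by match spec, which stays correct even when the same rule appears twice in a chain; the commands must be applied in the order returned.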