Re: Virtual packet tracer for iptables

On 08/06/2012 14:33, Stefan Keller wrote:
>> Not sure I understand what you mean.
>> But you have the TRACE target, which can help you.
>> "This target marks packets so that the kernel will log every rule which
>> match the packets as those traverse the tables, chains, rules."
>>
>> Hope this helps.
>
> Hi Jean-Philippe,
>
> Thanks for your reply!
> We did some tests with the TRACE target. But if you use
> this target, then you need real traffic that matches the
> rule base - meaning an off-line analysis is not possible.
> Further, we realized that it is quite hard to simulate
> a packet that would match the FORWARD chain (we did not
> manage to get it accepted by the system).
>
> As a side note:
> We run systems with up to 50,000 concurrent sessions
> and an iptables rule base with a few thousand lines.
> If we activate the TRACE target, we will get a huge
> number of log entries!
>
> I am looking for a tool that could provide the matching rules
> without real traffic - just with the information on what the
> packet would look like (a virtual packet).
> For this purpose, one could use the output of iptables-save,
> or there might be an interface I'm not aware of provided
> by netfilter.
> This tool would not show me what rules currently match.
> It is more a hypothetical question: What rule(s) would match
> if I had a packet like this?
>
> Hope this helps to clarify my request.
>
> Best regards
> Stefan Keller


Hi,

I understand better what you mean by "virtual".
I'm not aware of such a tool or target for iptables.

But you do not have to enable TRACE for all your sessions, only
for the information you are looking for.

Regards.

--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@xxxxxxxxxxxxxx
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
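The offline "virtual packet" matcher Stefan describes, as an added example that is not from this thread or from the iptables project: it parses iptables-save output for a modest subset of match options, walks the FORWARD chain the way the kernel would (user-chain jumps, explicit and implicit RETURN, non-terminating targets such as LOG, the chain policy at the end), reports every rule a hypothetical packet would hit, and lists rules it cannot model as SKIPPED instead of guessing. The sample ruleset, addresses and interface names are constructed, and the virtual packet is a plain dict with src, dst, proto, and optional dport/sport/iif/oif/state keys (src and dst are required). The raw-table TRACE rule in the sample is scoped to a single flow, which is Jean-Philippe's point about not tracing every session, and the result says whether that rule would have fired for the packet.

```python
"""Offline 'virtual packet' matcher for a subset of iptables-save syntax (an added example,
not iptables' own code).  Models -s/-d/-i/-o/-p (with '!'), --dport/--sport, -m state or
conntrack, and -j; any other option marks the rule unsupported so it is reported, not judged."""
import ipaddress
import shlex

# Constructed sample (hypothetical addresses); the raw TRACE rule is scoped to one flow.
SAMPLE_RULESET = """\
*raw
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j TRACE
COMMIT
*filter
:FORWARD DROP [0:0]
:dmz_in - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.0.2.0/24 -j dmz_in
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
-A dmz_in -p tcp -m tcp --dport 80 -j ACCEPT
-A dmz_in -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A dmz_in -p icmp -j RETURN
COMMIT
"""
SIMPLE = {'-s': 'src', '-d': 'dst', '-i': 'iif', '-o': 'oif', '-p': 'proto',
          '--dport': 'dport', '--sport': 'sport'}

def parse_rule(line):
    """One '-A chain ...' line -> dict; options this tool cannot model go to 'unknown'."""
    toks = shlex.split(line)
    rule = {'text': line, 'chain': toks[1], 'match': {}, 'target': None, 'unknown': []}
    i = 2
    while i < len(toks):
        neg = toks[i] == '!'                       # '! -s 10.0.0.0/8' style negation
        i += neg                                   # skip the '!' itself
        t = toks[i]
        if t in SIMPLE:
            val = (ipaddress.ip_network(toks[i + 1], strict=False) if t in ('-s', '-d')
                   else int(toks[i + 1]) if t.endswith('port') else toks[i + 1])
            rule['match'][SIMPLE[t]] = (val, neg)
            i += 2
        elif t == '-m' and toks[i + 1] in ('tcp', 'udp'):
            i += 2                                 # its --dport/--sport go via SIMPLE
        elif t == '-m' and toks[i + 1] in ('state', 'conntrack'):
            rule['match']['state'] = (set(toks[i + 3].split(',')), neg)
            i += 4
        elif t == '-j':
            rule['target'] = toks[i + 1]           # whatever follows is target options
            break
        else:
            rule['unknown'].append(t)
            i += 1
    return rule

def parse_iptables_save(text):
    """-> {table: {'policy': {chain: policy or None}, 'chains': {chain: [rules]}}}"""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('*'):
            table = tables.setdefault(line[1:], {'policy': {}, 'chains': {}})
        elif line.startswith(':'):
            name, policy = line[1:].split()[:2]
            table['policy'][name] = None if policy == '-' else policy
            table['chains'].setdefault(name, [])
        elif line.startswith('-A '):
            rule = parse_rule(line)
            table['chains'].setdefault(rule['chain'], []).append(rule)
    return tables

def rule_matches(rule, pkt):
    """True when every condition of the rule holds for the virtual packet (a dict)."""
    for key, (want, neg) in rule['match'].items():
        have = pkt.get(key, 'NEW' if key == 'state' else None)
        hit = (ipaddress.ip_address(have) in want if key in ('src', 'dst')
               else have in want if key == 'state' else have == want)
        if hit == neg:                             # negated hit, or plain miss
            return False
    return True

def trace(tables, table, chain, pkt):
    """Walk a chain as the kernel would -> (verdict, [(chain, rule text, outcome)]).
    ACCEPT/DROP/REJECT stop; a user chain is entered and RETURN (explicit or end of
    chain) comes back; LOG/TRACE/MARK match and continue; the end of a built-in
    chain applies its policy.  Rules this tool cannot model are listed as SKIPPED."""
    tbl, hits = tables[table], []
    for rule in tbl['chains'].get(chain, []):
        if rule['unknown']:
            hits.append((chain, rule['text'], 'SKIPPED: ' + ' '.join(rule['unknown'])))
        elif rule_matches(rule, pkt):
            target = rule['target']
            hits.append((chain, rule['text'], target))
            if target in ('ACCEPT', 'DROP', 'REJECT'):
                return target, hits
            if target == 'RETURN':
                break
            if target in tbl['chains']:            # user-defined chain: recurse
                verdict, sub = trace(tables, table, target, pkt)
                hits.extend(sub)
                if verdict != 'RETURN':
                    return verdict, hits
    return tbl['policy'].get(chain) or 'RETURN', hits

def virtual_packet(tables, pkt, chain='FORWARD'):
    """Filter rules a hypothetical packet hits, plus whether raw PREROUTING would TRACE it."""
    traced = 'raw' in tables and any(
        o == 'TRACE' for _, _, o in trace(tables, 'raw', 'PREROUTING', pkt)[1])
    verdict, hits = trace(tables, 'filter', chain, pkt)
    return {'verdict': verdict, 'hits': hits, 'traced': traced}
```

To run it against a real box, save `iptables-save > rules.txt` and call `virtual_packet(parse_iptables_save(open('rules.txt').read()), pkt)`; the `hits` list is the offline equivalent of the per-rule lines TRACE would have logged. The SKIPPED entries are the honest limit of any static tracer: a match such as limit depends on runtime state that no iptables-save dump contains, so for those rules a scoped TRACE on live traffic is still the only way to know.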
