Discussion:
Unique IDs for rules?
David Cannings
2004-01-19 13:31:42 UTC
I've taken a look at the iptables manual page but can't seem to see
anything that would suit what I want. I have a number of rules that I
grep for every five minutes, reading the packet/byte count then resetting
their totals by using --replace and --set-counters. At present, I know
that these rules will always be the ones at the top of my INPUT chain, so
I know their IDs will be 1, 2, 3 etc.

I want to do similar with other rules elsewhere in the chain but I can't
be sure that they'll always be number 12, for example. This makes
grepping for them a little harder. Would it be possible to have some
sort of "comment" field for each rule so that some sort of token or
unique ID for the rule could be inserted. That way, it would simply be a
case of "iptables -L -v | grep 'token'".

Whether such an idea would add extra overhead to processing I don't know.
I can also see that adding an extra column to the iptables output could
be troublesome for those with scripts that rely on the present format but
I'm sure it could be accommodated, somehow.

Thanks,

David
Henrik Nordstrom
2004-01-19 16:03:19 UTC
Post by David Cannings
I want to do similar with other rules elsewhere in the chain but I can't
be sure that they'll always be number 12, for example. This makes
grepping for them a little harder. Would it be possible to have some
sort of "comment" field for each rule so that some sort of token or
unique ID for the rule could be inserted. That way, it would simply be a
case of "iptables -L -v | grep 'token'".
There was a dummy match posted some time ago intended for this purpose, or
at least it was discussed. This adds very little extra overhead provided
the match is the last match used in the rule.

As an alternative you can always have the target rule in a custom chain
with a jump in the main chain. This way you always know where to look.
This adds marginally more overhead than the above if done
correctly.

Regards
Henrik
David Cannings
2004-01-19 17:38:26 UTC
Post by Henrik Nordstrom
Post by David Cannings
I want to do similar with other rules elsewhere in the chain but I
can't be sure that they'll always be number 12, for example. This
makes grepping for them a little harder. Would it be possible to
have some sort of "comment" field for each rule so that some sort of
token or unique ID for the rule could be inserted. That way, it
would simply be a case of "iptables -L -v | grep 'token'".
There was a dummy match posted some time ago intended for this purpose,
or at least it was discussed. This adds very little extra overhead
provided the match is the last match used in the rule.
As an alternative you can always have the target rule in a custom chain
with a jump in the main chain. This way you always know where to look.
This adds marginally more overhead than the above if done
correctly.
An excellent idea, thank you. Doing it this way, I will also be able to
count bytes in/out of specific ports (such as HTTP) which will let me
graph even more useless statistics! One last question, however. I've
created a new chain called COUNTER. In this chain, I've got two rules:

iptables -A COUNTER -i eth0
iptables -A COUNTER -o eth0

To count packets in and out of eth0, respectively. I then jump to this
chain from the top of both INPUT and OUTPUT, using a rule:

iptables -I INPUT -j COUNTER
iptables -I OUTPUT -j COUNTER

Is it "safe" to jump like this from both input and output chains to one
shared chain? As I am not affecting the destiny of the packet (and seems
iptables lets me) I feel it must be, however I thought I would check
first.

Thanks again,

David
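Henrik's dedicated-chain suggestion and David's COUNTER setup above, written out as an added example (not code from the thread): the counting rules live in their own chain so they always sit at rule 1 and rule 2, and the counters are listed and zeroed in one iptables call instead of a separate read and --replace/--set-counters step. The interface and chain names are assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): keep the counting rules in their own
# chain so they always sit at known rule numbers, then read and zero them in
# one iptables call. Interface name and chain name are assumptions.

IFACE=eth0

setup_counter_chain() {
    iptables -N COUNTER 2>/dev/null || iptables -F COUNTER
    iptables -A COUNTER -i "$IFACE"   # rule 1: packets arriving on $IFACE
    iptables -A COUNTER -o "$IFACE"   # rule 2: packets leaving on $IFACE
    # Jump to COUNTER from the top of INPUT and OUTPUT; -C (rule check)
    # prevents inserting the jump twice if the script is re-run.
    iptables -C INPUT  -j COUNTER 2>/dev/null || iptables -I INPUT  1 -j COUNTER
    iptables -C OUTPUT -j COUNTER 2>/dev/null || iptables -I OUTPUT 1 -j COUNTER
}

# Print "pkts bytes" for rule number $1 of a chain listing read on stdin.
# Expects `iptables -L CHAIN -v -n -x` output: line 1 is the chain header,
# line 2 the column header, rules follow in order.
parse_counter() {
    awk -v n="$1" 'NR > 2 { if (++i == n) { print $1, $2; exit } }'
}

# List and zero the COUNTER chain in a single call (-L together with -Z), so
# packets counted between the read and the reset are not lost, as they can
# be with a separate --replace/--set-counters step. Prints "in pkts bytes"
# and "out pkts bytes".
poll_counters() {
    listing=$(iptables -L COUNTER -v -n -x -Z)
    echo "in  $(printf '%s\n' "$listing" | parse_counter 1)"
    echo "out $(printf '%s\n' "$listing" | parse_counter 2)"
}

# Constructed sample listing so parse_counter can be exercised without root
# or a live iptables; the counter values are made up.
sample_counter() {
    parse_counter "$1" <<'EOF'
Chain COUNTER (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1234     567890            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
     987      65432            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
EOF
}
```

Run setup_counter_chain once as root, then poll_counters from cron every five minutes; the rule numbers stay 1 and 2 no matter what is inserted into INPUT or OUTPUT.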
Henrik Nordstrom
2004-01-19 17:52:14 UTC
Post by David Cannings
Is it "safe" to jump like this from both input and output chains to one
shared chain?
Yes, but this is now material for the netfilter list, not
netfilter-devel.

Regards
Henrik
Brad Fisher
2004-01-19 18:04:35 UTC
Post by Henrik Nordstrom
Post by David Cannings
I want to do similar with other rules elsewhere in the chain but I
can't be sure that they'll always be number 12, for example. This
makes grepping for them a little harder. Would it be possible to
have some sort of "comment" field for each rule so that some sort of
token or unique ID for the rule could be inserted. That way, it
would simply be a case of "iptables -L -v | grep 'token'".
There was a dummy match posted some time ago intended for this purpose,
or at least it was discussed. This adds very little extra overhead
provided the match is the last match used in the rule.
FWIW: I did post a patch for a "comment" match a while back. Splitting your
rules into separate chains is probably the way to go for your situation, but
I thought I'd mention it. If you're still interested, I'd be glad to send
you a copy of the patch.

-Brad