bugzilla-daemon at bugzilla.netfilter.org
2009-Feb-26 00:44 UTC
[Bug 580] New: iptables-restore and iptables-save lack comparison of a saved ruleset against the currently deployed rules
http://bugzilla.netfilter.org/show_bug.cgi?id=580

           Summary: iptables-restore and iptables-save lack comparison of a saved ruleset against the currently deployed rules
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: iptables-save
        AssignedTo: laforge at netfilter.org
        ReportedBy: linus at hadiko.de

For monitoring, debugging and testing applications, the capability to compare a saved ruleset (via iptables-save) to the currently active (deployed) set would be great. An implementation that gives exit code 0 for no differences and 1 for everything else would suffice.

I am trying to monitor some basic routers/firewalls using iptables-save & -restore scripts in Nagios. Comparing the currently deployed ruleset to a saved state from iptables-save turns out to be a bitch, because iptables-save does not always write tables in the same order and always includes comments and counters for chains.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.netfilter.org
2009-Mar-29 23:12 UTC
[Bug 580] iptables-restore and iptables-save lack comparison of a saved ruleset against the currently deployed rules
http://bugzilla.netfilter.org/show_bug.cgi?id=580

jengelh at medozas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org    |jengelh at medozas.de

------- Comment #1 from jengelh at medozas.de 2009-03-30 01:12 -------
> compare a saved ruleset (via iptables-save) to the currently active (deployed) set

So, what's wrong with the 'diff' utility?

diff -dpru saved-rules.ipt <(iptables-save) >/dev/null

> because iptables-save does not always write tables in the same order

This is due to the order in /proc/net/ip_table_names, which happens to print the tables from most-recently-loaded to least-recently-loaded. Guess something should be done.
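The two obstacles the reporter names (table order, timestamps and counters) are exactly what makes the plain diff from Comment #1 report spurious changes. The script below is an added example, not code from the bug report, its reporter or the netfilter project: it canonicalises two iptables-save dumps (drops the comment lines, strips chain policy counters and the per-rule counters of iptables-save -c, and emits the table blocks in alphabetical order instead of the kernel's most-recently-loaded-first order) and then diffs them, returning 0 for no differences and 1 otherwise, as the report asks. The function names, the sed/awk patterns and the three sample dumps are all constructed for this example; the samples are not real router output.

```shell
#!/bin/sh
# Canonicalise iptables-save output so a saved ruleset and a live dump can be
# compared with plain diff.  Normalisation steps:
#   1. drop "# Generated by" / "# Completed on" lines (they carry timestamps)
#   2. drop chain policy counters:   ":INPUT DROP [12:3456]" -> ":INPUT DROP"
#   3. drop per-rule counters (iptables-save -c): "[1:2] -A ..." -> "-A ..."
#   4. emit the *table ... COMMIT blocks in alphabetical table order, because
#      the kernel lists tables most-recently-loaded first
normalize_ipt() {
    sed -e '/^#/d' \
        -e 's/^\(:[^ ]* [^ ]*\) \[[0-9]*:[0-9]*\]$/\1/' \
        -e 's/^\[[0-9]*:[0-9]*\] //' |
    awk '
        /^\*/ { name = substr($0, 2) }          # "*filter" starts a new table block
        { block[name] = block[name] $0 "\n" }   # keep rule order inside each block
        END {
            n = 0
            for (t in block) names[++n] = t
            for (i = 2; i <= n; i++) {          # insertion sort: POSIX awk has no asort()
                v = names[i]; j = i - 1
                while (j > 0 && names[j] > v) { names[j + 1] = names[j]; j-- }
                names[j + 1] = v
            }
            for (i = 1; i <= n; i++) printf "%s", block[names[i]]
        }'
}

# ipt_compare SAVED_FILE LIVE_FILE
# Prints a unified diff of the normalised rulesets; returns 0 when they match,
# 1 when they differ, 2 if a temp file could not be created.
ipt_compare() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_ipt < "$1" > "$a"
    normalize_ipt < "$2" > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Constructed sample dumps.  SAVED and LIVE hold the same rules but with the
# tables in a different order and with different counters; CHANGED has one
# rule silently altered (ssh moved to port 2222).
SAMPLE_SAVED='# Generated by iptables-save v1.4.2 on Mon Jan  5 10:00:00 2009
*nat
:PREROUTING ACCEPT [10:600]
:POSTROUTING ACCEPT [3:200]
:OUTPUT ACCEPT [3:200]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan  5 10:00:00 2009
# Generated by iptables-save v1.4.2 on Mon Jan  5 10:00:00 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  5 10:00:00 2009'

SAMPLE_LIVE='# Generated by iptables-save v1.4.2 on Tue Jan  6 03:15:42 2009
*filter
:INPUT DROP [7:420]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:8100]
[3:180] -A INPUT -i lo -j ACCEPT
[55:4400] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[1:60] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Jan  6 03:15:42 2009
# Generated by iptables-save v1.4.2 on Tue Jan  6 03:15:42 2009
*nat
:PREROUTING ACCEPT [11:660]
:POSTROUTING ACCEPT [4:240]
:OUTPUT ACCEPT [4:240]
[2:120] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jan  6 03:15:42 2009'

SAMPLE_CHANGED=$(printf '%s\n' "$SAMPLE_LIVE" | sed 's/--dport 22 /--dport 2222 /')

# Usage: sh ipt_compare.sh /etc/iptables.rules live.ipt
# where live.ipt was written by "iptables-save"; the exit status is the result.
if [ "$#" -eq 2 ]; then ipt_compare "$1" "$2"; fi
```

Because the script is POSIX sh, the live side is a file rather than the bash-only process substitution from Comment #1 (`iptables-save > /tmp/live.ipt` first, or run it from bash and pass `<(iptables-save)`). For the Nagios use case the 0/1 status maps straight onto OK/WARNING under the Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL), and the unified diff on stdout shows which rule drifted.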