bugzilla-daemon at netfilter.org
2013-May-17  15:44 UTC
[Bug 699] please add new options to iptables-restore to continue on error and suppress error output
https://bugzilla.netfilter.org/show_bug.cgi?id=699
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |pablo at netfilter.org
         Resolution|                            |WONTFIX
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-05-17
17:44:48 CEST ---
(In reply to comment #1)
> Some of those ip ranges may already exist in the filter table before
> iptables restore is executed.
You don't explain why those rules are already there and who is adding those.
There are many reasons why iptables-restore may fail to load a rule, not only
duplicates. It may lead to loading an inconsistent rule-set. I'm reticent
to add this feature, it's resolving a very specific use-case in which some
important information is missing.
-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-May-18  21:31 UTC
[Bug 699] please add new options to iptables-restore to continue on error and suppress error output
https://bugzilla.netfilter.org/show_bug.cgi?id=699
--- Comment #3 from kavulix <linuxed7 at yahoo.com> 2013-05-18 23:31:27 CEST ---
I was attempting to develop an ipblocker application that would manage large
lists of ip ranges (all of the lists from bluetack.co.uk). It would enable
users to enable/disable individual ranges of ip addresses or entire lists.
Unfortunately the development stalled because iptables lacked this very
important feature.

Let's say that a user has a default list of iptables rules applied each time
they log in. For example, the default configuration when using the firestarter
application. The ipblocker application can't flush the rules and start over
each time it needs to add or remove rules from iptables because there may be
other pre-existing rules. And it's not feasible to remove and then add rules
one at a time because it would be incredibly slow. Depending on the lists
enabled by the user it could amount to literally hundreds of thousands of ip
ranges. The only way to manage that many rules efficiently is with the
iptables-restore command. Unfortunately each ip range rule has to be deleted
first before it's added to avoid duplicates. If you attempt to delete a rule
that doesn't exist then iptables-restore exits which prevents the rest of the
commands from executing.

You can download a pre-alpha version at the link below. Not every feature is
functional but you can download and enable/disable the bluetack lists assuming
that the attached patch has been applied.

http://sourceforge.net/projects/gorget/files/
bugzilla-daemon at netfilter.org
2013-May-19  00:39 UTC
[Bug 699] please add new options to iptables-restore to continue on error and suppress error output
https://bugzilla.netfilter.org/show_bug.cgi?id=699
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-05-19 02:39:28 CEST ---
(In reply to comment #3)
> I was attempting to develop an ipblocker application that would manage large
> lists of ip ranges (all of the lists from bluetack.co.uk). It would enable
> users to enable/disable individual ranges of ip addresses or entire lists.

By reading this, it looks to me that ipset [1] is the right framework to
implement such an application.

[1] http://ipset.netfilter.org/

> Let's say that a user has a default list of iptables rules applied each time
> they log in. For example, the default configuration when using the firestarter
> application. The ipblocker application can't flush the rules and start over
> each time it needs to add or remove rules from iptables because there may be
> other pre-existing rules.

iptables-restore does not always flush the existing rule-set, you can use:

    -n, --noflush
        don't flush the previous contents of the table. If not specified,
        iptables-restore flushes (deletes) all previous contents of the
        respective table.
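The ipset-based approach from comment #4, as an added example (not code from the bug thread or from the gorget project): the block list lives in one ipset, iptables carries a single rule matching that set, and the two generator functions below emit the "ipset restore" and "iptables-restore" inputs. Assumed: a p2p-style input format of "description:start-end" or plain "a.b.c.d/nn" lines, and an ipset release whose hash:net type accepts FROM-TO ranges when adding entries; the set name and sizes are placeholders.

```shell
#!/bin/sh
# Added example, not from the bug thread. Assumes ipset >= 6.x, where
# hash:net accepts "from-to" ranges and converts them to CIDR blocks.

# Emit an "ipset restore" script for SETNAME from the range list on stdin.
# Accepted input lines: "Some description:1.2.3.0-1.2.3.255" (p2p style),
# "1.2.3.0-1.2.3.255", or "10.0.0.0/8". Blank and '#' lines are skipped.
build_ipset_restore() {
    setname="$1"
    # maxelem must exceed the entry count; sized for hundreds of thousands of ranges
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1000000\n' "$setname"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # keep only the part after the last ':' (drops the p2p description)
        range="${line##*:}"
        printf 'add %s %s\n' "$setname" "$range"
    done
}

# Emit the iptables-restore input: one rule per direction matching the whole
# set, so the rule-set never grows with the list. Load it with
# "iptables-restore --noflush" to keep rules already present (e.g. firestarter's).
build_iptables_restore() {
    setname="$1"
    printf '%s\n' '*filter'
    printf '%s\n' "-I INPUT -m set --match-set $setname src -j DROP"
    printf '%s\n' "-I OUTPUT -m set --match-set $setname dst -j DROP"
    printf '%s\n' 'COMMIT'
}

# Typical use (as root):
#   build_ipset_restore blocklist < ranges.txt | ipset -exist restore
#   build_iptables_restore blocklist | iptables-restore --noflush
# "-exist" makes ipset ignore entries that already exist, so reloading a
# refreshed list never aborts halfway, which is the continue-on-error
# behaviour this bug asks of iptables-restore. Disabling a list is
# "ipset flush blocklist"; the iptables rule itself stays in place.
```

Re-adding an existing range with "ipset -exist restore" is a no-op rather than an error, which removes the delete-before-add step described in comment #3.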