* Unique IDs for rules?
@ 2004-01-19 13:31 David Cannings
  2004-01-19 16:03 ` Henrik Nordstrom
  0 siblings, 1 reply; 5+ messages in thread
From: David Cannings @ 2004-01-19 13:31 UTC (permalink / raw)
  To: netfilter-devel

I've taken a look at the iptables manual page but can't seem to see 
anything that would suit what I want.  I have a number of rules that I 
grep for every five minutes, reading the packet/byte count then resetting 
their totals by using --replace and --set-counters.  At present, I know 
that these rules will always be the ones at the top of my INPUT chain, so 
I know their IDs will be 1, 2, 3 etc.

I want to do similar with other rules elsewhere in the chain but I can't 
be sure that they'll always be number 12, for example.  This makes 
grepping for them a little harder.  Would it be possible to have some 
sort of "comment" field for each rule so that some sort of token or 
unique ID for the rule could be inserted.  That way, it would simply be a 
case of "iptables -L -v | grep 'token'".  

Whether such an idea would add extra overhead to processing I don't know.  
I can also see that adding an extra column to the iptables output could 
be troublesome for those with scripts that rely on the present format but 
I'm sure it could be accommodated, somehow.

Thanks,

David


* Re: Unique IDs for rules?
  2004-01-19 13:31 Unique IDs for rules? David Cannings
@ 2004-01-19 16:03 ` Henrik Nordstrom
  2004-01-19 17:38   ` David Cannings
  0 siblings, 1 reply; 5+ messages in thread
From: Henrik Nordstrom @ 2004-01-19 16:03 UTC (permalink / raw)
  To: david; +Cc: netfilter-devel

On Mon, 19 Jan 2004, David Cannings wrote:

> I want to do similar with other rules elsewhere in the chain but I can't 
> be sure that they'll always be number 12, for example.  This makes 
> grepping for them a little harder.  Would it be possible to have some 
> sort of "comment" field for each rule so that some sort of token or 
> unique ID for the rule could be inserted.  That way, it would simply be a 
> case of "iptables -L -v | grep 'token'".  

There was a dummy match posted some time ago intended for this purpose, or 
at least it was discussed. This adds very little extra overhead provided 
the match is the last match used in the rule.

As an alternative you can always have the target rule in a custom chain
with a jump in the main chain. This way you always know where to look. 
This adds marginally more overhead than the above if done 
correctly.

Regards
Henrik


* Re: Unique IDs for rules?
  2004-01-19 16:03 ` Henrik Nordstrom
@ 2004-01-19 17:38   ` David Cannings
  2004-01-19 17:52     ` Henrik Nordstrom
  2004-01-19 18:04     ` Brad Fisher
  0 siblings, 2 replies; 5+ messages in thread
From: David Cannings @ 2004-01-19 17:38 UTC (permalink / raw)
  To: Henrik Nordstrom; +Cc: netfilter-devel

On Monday 19 January 2004 4:03 pm, Henrik Nordstrom wrote:
> On Mon, 19 Jan 2004, David Cannings wrote:
> > I want to do similar with other rules elsewhere in the chain but I
> > can't be sure that they'll always be number 12, for example.  This
> > makes grepping for them a little harder.  Would it be possible to
> > have some sort of "comment" field for each rule so that some sort of
> > token or unique ID for the rule could be inserted.  That way, it
> > would simply be a case of "iptables -L -v | grep 'token'".
>
> There was a dummy match posted some time ago intended for this purpose,
> or at least it was discussed. This adds very little extra overhead
> provided the match is the last match used in the rule.
>
> As an alternative you can always have the target rule in a custom chain
> with a jump in the main chain. This way you always know where to look.
> This adds a about marginally more overhead than the above if done
> correctly.

An excellent idea, thank you.  Doing it this way, I will also be able to 
count bytes in/out of specific ports (such as HTTP) which will let me 
graph even more useless statistics!  One last question, however.  I've 
created a new chain called COUNTER.  In this chain, I've got two rules:

iptables -A COUNTER -i eth0
iptables -A COUNTER -o eth0

To count packets in and out of eth0, respectively.  I then jump to this 
chain from the top of both INPUT and OUTPUT, using a rule:

iptables -I INPUT -j COUNTER
iptables -I OUTPUT -j COUNTER

Is it "safe" to jump like this from both input and output chains to one 
shared chain?  As I am not affecting the destiny of the packet (and it seems 
iptables lets me) I feel it must be, however I thought I would check 
first.

Thanks again,

David

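The chain layout David describes, worked through as an added example that is not part of the thread: the counters are read by chain name (Henrik's suggestion) rather than by rule number, and the parser is run offline over a constructed sample of iptables output. The chain and interface names come from David's message; the parsing of the target-less rule lines is my own.

```shell
#!/bin/sh
# Added example (not from the thread): read the packet/byte counters of a
# dedicated COUNTER chain by chain name rather than by rule number, as
# Henrik suggests, then zero them. Assumes the layout from David's message.
#
# One-time setup (root; not run by the functions below):
#   iptables -N COUNTER
#   iptables -A COUNTER -i eth0          # rule 1: packets arriving on eth0
#   iptables -A COUNTER -o eth0          # rule 2: packets leaving via eth0
#   iptables -I INPUT  -j COUNTER
#   iptables -I OUTPUT -j COUNTER
# Sharing the chain is safe: an INPUT packet can only match rule 1 and an
# OUTPUT packet only rule 2, and with no target the chain just falls through.

# counter_totals: parse "iptables -vnx -L COUNTER" output on stdin and print
# "<rule-no> <pkts> <bytes> <in> <out>" per rule. -x gives exact counts, -n
# skips DNS lookups. Rules with no target leave that column blank, which
# shifts the whitespace-split fields, so in/out are taken from the end.
counter_totals() {
    awk 'NR > 2 && NF >= 7 {
        printf "%d %s %s %s %s\n", ++n, $1, $2, $(NF-3), $(NF-2)
    }'
}

# poll_once: list and zero the chain in a single iptables invocation (-L with
# -Z shows the counters immediately before clearing them), which keeps the
# read-then-reset window as small as iptables allows.
poll_once() {
    iptables -vnx -L COUNTER -Z | counter_totals
}

# Constructed sample of "iptables -vnx -L COUNTER" output for offline use.
SAMPLE='Chain COUNTER (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1500     987654            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
     820     123456            all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# sample_totals: run the parser over the constructed sample.
sample_totals() {
    printf '%s\n' "$SAMPLE" | counter_totals
}

sample_totals
```

Run poll_once from cron every five minutes in place of the grep-by-rule-number loop; the output stays stable however many rules are later added above the jump.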

* Re: Unique IDs for rules?
  2004-01-19 17:38   ` David Cannings
@ 2004-01-19 17:52     ` Henrik Nordstrom
  2004-01-19 18:04     ` Brad Fisher
  1 sibling, 0 replies; 5+ messages in thread
From: Henrik Nordstrom @ 2004-01-19 17:52 UTC (permalink / raw)
  To: david; +Cc: netfilter-devel

On Mon, 19 Jan 2004, David Cannings wrote:

> Is it "safe" to jump like this from both input and output chains to one 
> shared chain?

Yes, but this is now material for the netfilter list, not 
netfilter-devel.

Regards
Henrik


* Re: Unique IDs for rules?
  2004-01-19 17:38   ` David Cannings
  2004-01-19 17:52     ` Henrik Nordstrom
@ 2004-01-19 18:04     ` Brad Fisher
  1 sibling, 0 replies; 5+ messages in thread
From: Brad Fisher @ 2004-01-19 18:04 UTC (permalink / raw)
  To: david; +Cc: netfilter-devel

David Cannings wrote:

> On Monday 19 January 2004 4:03 pm, Henrik Nordstrom wrote:
> > On Mon, 19 Jan 2004, David Cannings wrote:
> > > I want to do similar with other rules elsewhere in the chain but I
> > > can't be sure that they'll always be number 12, for example.  This
> > > makes grepping for them a little harder.  Would it be possible to
> > > have some sort of "comment" field for each rule so that some sort of
> > > token or unique ID for the rule could be inserted.  That way, it
> > > would simply be a case of "iptables -L -v | grep 'token'".
> >
> > There was a dummy match posted some time ago intended for this purpose,
> > or at least it was discussed. This adds very little extra overhead
> > provided the match is the last match used in the rule.
> >

FWIW: I did post a patch for a "comment" match a while back.  Splitting your
rules into separate chains is probably the way to go for your situation, but
I thought I'd mention it.  If you're still interested, I'd be glad to send
you a copy of the patch.

-Brad
