On Tue, 18 Jun 2013, Tim Connors wrote:
>
> iptables-save on rhel5 outputs:
>
> -A RH-Firewall-1-INPUT -s 12.3.4.5/255.255.0.0 -p tcp -m tcp -j ACCEPT
>
> whereas rhel6 outputs
>
> -A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m tcp -j ACCEPT
>
> Wanting to normalise iptables-save to one form or the other (preferably
> using the dotted quad netmask), the best I can come up with is a line by
> line grep (for optimisation perhaps, since a match won't happen often) for
> /<number> and then extract the number, pass to cidr2mask, and replace
> /<number> in that line (this is part of a self contained shell script that
> will be executed on the fly on another host, so I'd rather not rely on
> anything that isn't already in RHEL, ie no writing a perl script myself
> unless it's a one liner perl -e thing).
>
> What flag to iptables-save am I missing where it does this for me?
This seems to be a suitably hacking way of doing it:
  # Build a sed script of all replacements /0../32 -> /0.0.0.0../255.255.255.255
  # so that any occurrences can quickly be replaced globally in any required
  # filter.  The space after /$cidr stops /3 matching inside /32 (and /1 inside
  # /16); it must also be kept in the replacement, or the option that follows
  # the address would be glued onto the netmask.
  cidr2netmaskfilter=
  for cidr in `seq 0 32` ; do
    netmask=`cidr2mask "$cidr"`   # cidr2mask: helper defined elsewhere in the script
    # join with "; " only between commands, so sed never sees a leading ";"
    cidr2netmaskfilter="${cidr2netmaskfilter:+$cidr2netmaskfilter; }s!/$cidr !/$netmask !g"
  done
  function filter_cidr2mask () {
    sed "$cidr2netmaskfilter"
  }
And in combination with filter_remove_comment() I can now do silly things
like:
  function filter_remove_comment () {
    sed 's/ -m comment --comment "[^"]*"//'
  }
  # $ruleremove is used as a grep regex here, so any regex metacharacters in the
  # rule text (e.g. the "." in addresses) match loosely
  if iptables-save | filter_cidr2mask | filter_remove_comment | grep "^-A $chain $ruleremove" > /dev/null ; then
    verboserun iptables -D $chain $ruleremove
    modified=true
  fi
Weee!
(yes, I'm trying to do something like puppetize our iptables
configurations without using puppet, and without using the various puppet
iptables patterns which I found very deficient).
--
Tim Connors
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
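As an added stand-alone example (not the poster's script), the same sed-script approach run end to end on the two sample lines from the mail, with a minimal cidr2mask and a normalise_rule wrapper that are assumed here since the thread does not show the poster's own helper:

```shell
#!/bin/sh
# Added example: normalise iptables-save output so the rhel5 form
# (-s 12.3.4.5/255.255.0.0) and the rhel6 form (-s 12.3.4.5/16) compare equal.
# cidr2mask and normalise_rule are our assumptions, not the poster's code.

cidr2mask () {
  # prefix length -> dotted-quad netmask, e.g. 16 -> 255.255.0.0
  bits=$1; mask=
  for octet in 1 2 3 4 ; do
    if [ "$bits" -ge 8 ] ; then
      mask="$mask.255"; bits=$((bits - 8))
    else
      mask="$mask.$((256 - (1 << (8 - bits))))"; bits=0
    fi
  done
  echo "${mask#.}"
}

# one s/// command per prefix length; the space after /$cidr keeps /3 from
# matching inside /32 and is preserved in the replacement
cidr2netmaskfilter=
for cidr in $(seq 0 32) ; do
  netmask=$(cidr2mask "$cidr")
  cidr2netmaskfilter="${cidr2netmaskfilter:+$cidr2netmaskfilter; }s!/$cidr !/$netmask !g"
done

filter_cidr2mask () { sed "$cidr2netmaskfilter"; }
filter_remove_comment () { sed 's/ -m comment --comment "[^"]*"//'; }

# normalise a single rule line given as $1 (dotted-quad mask, comment stripped)
normalise_rule () {
  printf '%s\n' "$1" | filter_cidr2mask | filter_remove_comment
}

# constructed sample lines: the two forms from the mail plus a /24 with a comment
rhel5='-A RH-Firewall-1-INPUT -s 12.3.4.5/255.255.0.0 -p tcp -m tcp -j ACCEPT'
rhel6='-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m tcp -j ACCEPT'
tagged='-A INPUT -s 10.0.0.0/24 -m comment --comment "lan" -j ACCEPT'

[ "$(normalise_rule "$rhel5")" = "$(normalise_rule "$rhel6")" ] \
  && echo "rhel5 and rhel6 forms match after normalisation"
normalise_rule "$tagged"   # -A INPUT -s 10.0.0.0/255.255.255.0 -j ACCEPT
```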