> > > [root] iptables -h
> > > ...
> > > --check -C chain Test this packet on chain
> > <snip>
>
> > It's been removed. It has never been implemented, and never will be. v1.27
> > (i.e. current CVS version) no longer contains references to this option.
>
> Shame it won't be implemented,

Shame would mean that somebody was tasked with the job, accepted it, and failed. This is not the case. Nobody wants to implement it.

> I would guess there's the demand for it,

That is not a sufficient condition. Given something that is doable, there must come together, in one person, the demand and the skill to do it.

> is it hard to code in?

Iptables is an arbitrarily extensible framework. To support the feature, each iptables extension would have to implement such a check function, and would have to invent suitable command line parameters for specifying the packet to check. For example, the unclean target would have to implement one such checking option for each and every aspect it checks.

You may say "yes, but for me it's OK to test IPs and ports". To that, I would say "ok, then your rules are so simple that it really can't hurt convincing yourself the rules are OK by actually inspecting them". For the situations where an automated check would be called for, things are so complex that a generic builtin checker is already not feasible.

To test a more-than-trivial ruleset, you have to shove actual full-fledged IP packets through it, in a suitable controlled environment (routing table et al). Have a look at the iptables testsuite, found in CVS. There you can see how to _properly_ do such checks.

There really is only one way: create a ruleset to be checked within a controlled setup (with tunnel interfaces and routing tables chosen for the test), and then synthesize a full packet to be checked, actually route it through, and see what happens. That's what the testsuite does, and there is no less complex replacement possible if you want real checking.

The testsuite can be used as a starting point for your personal ruleset checking. You recreate your ruleset in a suitable testsuite setup, and build a testsuite of packets of interest. As nobody knows your needs, that's certainly something you have to do yourself.

Hope this helped your understanding.

best regards
Patrick
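A minimal version of the "controlled setup, real packet, see what happens" procedure the mail describes, as an added example that is neither part of the original message nor the netfilter testsuite. It uses Linux network namespaces instead of tunnel interfaces; the namespace names (left, fwtest, right), veth names, 10.99.x.x addresses and the two-rule FORWARD ruleset are all constructed for the example, and it assumes root, iproute2 with `ip -n`, iptables and a netcat that understands `-z -w`. Only the counter parser runs without those; the lab itself is driven only when the script is run as root.

```shell
#!/bin/sh
# Added example: a small network-namespace lab for checking a ruleset the way
# the mail describes (real packets through a controlled setup). It is not the
# netfilter testsuite and not Patrick's code. Namespace names, interface names,
# addresses and the sample ruleset are all constructed for this example.
# Assumes Linux with root, iproute2 ("ip -n"), iptables and a netcat with -z/-w.
set -u

# "See what happens": read `iptables -L CHAIN -v -n -x` output and print the
# packet counter of rule number N (1-based, header lines skipped).
rule_pkts() {
    printf '%s\n' "$1" | awk -v n="$2" '
        /^Chain /        { next }   # chain header line
        /^ *pkts +bytes/ { next }   # column header line
        NF >= 2          { i++; if (i == n) { print $1; exit } }'
}

# Controlled setup: left ---vl--- fwtest (router under test) ---vr--- right
lab_up() {
    for ns in left fwtest right; do ip netns add "$ns"; done
    ip link add vl0 netns left  type veth peer name vl1 netns fwtest
    ip link add vr0 netns right type veth peer name vr1 netns fwtest
    ip -n left   addr add 10.99.1.2/24 dev vl0; ip -n left   link set vl0 up
    ip -n right  addr add 10.99.2.2/24 dev vr0; ip -n right  link set vr0 up
    ip -n fwtest addr add 10.99.1.1/24 dev vl1; ip -n fwtest link set vl1 up
    ip -n fwtest addr add 10.99.2.1/24 dev vr1; ip -n fwtest link set vr1 up
    ip -n left  route add default via 10.99.1.1
    ip -n right route add default via 10.99.2.1
    ip netns exec fwtest sysctl -qw net.ipv4.ip_forward=1
}
lab_down() { for ns in left fwtest right; do ip netns del "$ns" 2>/dev/null; done; }

# Ruleset under test (constructed): forward SSH left->right, drop telnet
# explicitly, drop everything else by chain policy.
load_rules() {
    ip netns exec fwtest iptables -P FORWARD DROP
    ip netns exec fwtest iptables -A FORWARD -i vl1 -o vr1 -p tcp --dport 22 -j ACCEPT
    ip netns exec fwtest iptables -A FORWARD -i vl1 -o vr1 -p tcp --dport 23 -j DROP
}

# Synthesize a real packet: a TCP SYN from left towards right on port $1.
# Nothing listens on right, so nc always fails; only the counters matter.
send_syn() { ip netns exec left nc -z -w 1 10.99.2.2 "$1" 2>/dev/null || true; }

# check_case PORT RULE HIT: send a SYN and verify whether rule RULE's packet
# counter moved (HIT=1) or stayed put (HIT=0). Retransmitted SYNs can bump a
# counter more than once, so only the direction of change is checked.
check_case() {
    before=$(rule_pkts "$(ip netns exec fwtest iptables -L FORWARD -v -n -x)" "$2")
    send_syn "$1"
    after=$(rule_pkts "$(ip netns exec fwtest iptables -L FORWARD -v -n -x)" "$2")
    if [ "$after" -gt "$before" ]; then moved=1; else moved=0; fi
    [ "$moved" = "$3" ] && echo "ok   port $1 -> rule $2 moved=$moved" \
                        || echo "FAIL port $1 -> rule $2 moved=$moved (want $3)"
}

# Only drive the lab when it can actually run; the parser above works anywhere.
if [ "$(id -u)" = 0 ] && command -v ip >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1; then
    trap lab_down EXIT
    lab_up
    load_rules
    check_case 22 1 1   # SSH SYN must hit the ACCEPT rule
    check_case 23 2 1   # telnet SYN must hit the DROP rule
    check_case 80 1 0   # HTTP SYN must not touch the ACCEPT rule (policy drops it)
fi
```

Each `check_case` line is one "packet of interest" in the sense of the mail: you extend the list with the traffic your own ruleset is supposed to accept or refuse, and the counters of the router namespace tell you which rule actually saw the packet. Checking counter movement rather than an exact count keeps the test stable when the client kernel retransmits a SYN that got no answer.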
