#263 import of iptables rules with counters

open-rejected
GUI (100)
1
2009-08-19
2009-08-19
No

FWBuilder can import the output of iptables-save. iptables-save can output the packet and byte counters of rules where traffic matched. It would be useful if fwbuilder could import and visually display these counters along with the rules they match, for audit purposes of finding rules that are redundant.
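To show what such an audit would work from, here is an added example (not fwbuilder code and not part of the ticket) that parses the counter fields of `iptables-save -c` output and lists rules that have matched no packets; the sample ruleset is constructed for illustration, and a zero counter is only a hint for review, since it can also mean the traffic simply has not occurred since the counters were last reset.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables-save -c` output (not taken from the ticket).
SAMPLE = """\
# Generated by iptables-save v1.4.4
*filter
:INPUT DROP [7:420]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [901:73210]
[1520:182400] -A INPUT -i lo -j ACCEPT
[44:3520] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.5 -j ACCEPT
[0:0] -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# "[packets:bytes] -A CHAIN <rule spec>" and ":CHAIN POLICY [packets:bytes]"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

@dataclass
class Rule:
    table: str
    chain: str
    packets: int
    nbytes: int
    spec: str

def parse_counters(text):
    """One Rule per -A line; the table comes from the preceding '*name' line."""
    table, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(table, m.group(3), int(m.group(1)), int(m.group(2)), m.group(4)))
    return rules

def parse_policies(text):
    """Chain name -> (default policy, packets, bytes) hitting that default policy."""
    return {m.group(1): (m.group(2), int(m.group(3)), int(m.group(4)))
            for m in (POLICY_RE.match(l) for l in text.splitlines()) if m}

def zero_hit_rules(rules):
    """Candidates for review: rules that matched nothing. A rule shadowed by an earlier,
    broader rule (the redundancy the ticket wants to find) always shows up here, but so
    does any rule whose traffic has not appeared since the counters were reset."""
    return [r for r in rules if r.packets == 0]

def packets_per_chain(rules):
    """Total matched packets per chain, for a quick view of where traffic is handled."""
    totals = {}
    for r in rules:
        totals[r.chain] = totals.get(r.chain, 0) + r.packets
    return totals
```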

Discussion

  • Vadim Kurland

    Vadim Kurland - 2009-08-19
    • priority: 5 --> 1
    • status: open --> open-rejected
  • Vadim Kurland

    Vadim Kurland - 2009-08-19

    I do not think this would be very useful. The structure of the rules in the fwbuilder GUI is different: one rule in the GUI almost always produces several iptables commands in different chains. Sometimes these commands match the same packet in stages, sometimes they match packets with different addresses or ports. This means the counters associated with these iptables commands cannot simply be added up to produce the counter for the original rule in the fwbuilder GUI. In order to make an audit like the one you describe useful, one would have to maintain a very special structure of rules in fwbuilder to ensure that they always translate into the simplest possible iptables commands. This is very hard to do: as soon as you add another object to "source" or "destination" of any rule, the generated iptables script will stop matching the original rule exactly and the counters lose their meaning.

    Import from an iptables-save file is only intended to simplify the transition. The program is not designed to support regular import of the generated policy back; if you do this, you lose all the advantages of fwbuilder compared to manual editing of the iptables script.
