How I would like to enhance iptables
Posted 12-04-2012 at 04:44 PM by Skaperen
There are cases where I want to change iptables rules rapidly and reliably. These cases don't really change any rule order; they only change the IP addresses used by a rule (or a group of rules).
Here's my idea. Designate some IP addresses for this special purpose, such as 0.1.X.Y, where X.Y gives 65536 possible address objects. The address objects are stored in the kernel, with a means for root or designated users to access them: a /proc entry with a subdirectory X containing a file Y for each object. Root creates the X/Y file the way any file is created (touch it, or open it for writing) and destroys it with rm (remove, unlink). Root can change its ownership to let another user perform the other operations.
Each object is a collection of IP addresses and subnets. Writing a line beginning with "+" followed by an address or subnet adds that address/subnet to the object; a line beginning with "-" removes it. Removal only takes out a subnet exactly as it was added; it does not carve a hole out of a larger subnet already in the object.
So a single rule address becomes a one-to-many address mapping.
For iptables rules whose address field is one of these 0.1.X.Y addresses, comparing a packet address against the rule address means checking whether any address/subnet in the object matches or contains the packet address. So if "+8/8" (that is, 8.0.0.0/8) is written to the object, the address 8.8.8.8 would match, as would 8.8.4.4.
The point is a fast way to add or delete IP addresses and subnets without changing or rebuilding any iptables rules. A similar mechanism should be provided for IPv6, using some designated IPv6 address block.
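To make the proposed semantics concrete, here is a small user-space model of the address object and the 0.1.X.Y lookup. This is an added example written for this page, not kernel code and not anything from the original post: the class names, the (X, Y) object table standing in for the /proc tree, and the "8/8" shorthand parser are my assumptions about how the description would be implemented. It demonstrates the three behaviours the post specifies: "+"/"-" lines, containment matching, and removal that only drops a subnet exactly as added.

```python
"""Model of the address-object idea from the post: a rule whose address is
0.1.X.Y refers to kernel object (X, Y), a set of networks matched by
containment. Added example (pure Python, not kernel code)."""
import ipaddress

# Sentinel block reserved for object references in the post: 0.1.X.Y
OBJECT_BLOCK = ipaddress.ip_network("0.1.0.0/16")


def parse_net(text):
    """Parse an address or subnet as written to the object file.

    Accepts full dotted quads with an optional /prefix, the abbreviated
    form used in the post ('8/8' means 8.0.0.0/8), and IPv6 networks.
    A bare address is a /32 (or /128 for IPv6).
    """
    text = text.strip()
    if ":" in text:
        return ipaddress.ip_network(text, strict=False)
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad IPv4 address: {text!r}")
    octets += ["0"] * (4 - len(octets))       # pad missing octets with zeros
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


class AddressObject:
    """One X/Y object: an unordered set of networks, kept exactly as added."""

    def __init__(self):
        self._nets = set()

    def apply(self, line):
        """Apply one line written to the object: '+net' adds, '-net' removes."""
        line = line.strip()
        if not line or line[0] not in "+-":
            raise ValueError(f"line must start with + or -: {line!r}")
        net = parse_net(line[1:])
        if line[0] == "+":
            self._nets.add(net)
        else:
            # Removal only drops a network that was added as such; it never
            # carves a hole out of a larger network already in the object.
            self._nets.discard(net)

    def contains(self, addr):
        """True if any stored network of the same IP version contains addr."""
        a = ipaddress.ip_address(addr)
        return any(a in n for n in self._nets)

    def networks(self):
        return sorted(self._nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


class ObjectTable:
    """Stand-in for the /proc tree: (X, Y) -> AddressObject, created on demand."""

    def __init__(self):
        self._objects = {}

    def get(self, x, y):
        if not (0 <= x <= 255 and 0 <= y <= 255):
            raise ValueError("object id out of range")
        return self._objects.setdefault((x, y), AddressObject())

    @staticmethod
    def reference(rule_addr):
        """Return (X, Y) if rule_addr is a 0.1.X.Y sentinel host, else None."""
        net = parse_net(rule_addr)
        if net.version == 4 and net.prefixlen == 32 and net.network_address in OBJECT_BLOCK:
            packed = int(net.network_address)
            return (packed >> 8) & 0xFF, packed & 0xFF
        return None


def rule_matches(table, rule_addr, packet_addr):
    """Decide whether a rule's address field matches a packet address.

    A sentinel 0.1.X.Y resolves through the object table; anything else is
    matched as an ordinary address/subnet, as iptables does today.
    """
    ref = ObjectTable.reference(rule_addr)
    if ref is not None:
        return table.get(*ref).contains(packet_addr)
    return ipaddress.ip_address(packet_addr) in parse_net(rule_addr)


if __name__ == "__main__":
    table = ObjectTable()
    obj = table.get(1, 7)                 # the object behind 0.1.1.7
    for line in ["+8/8", "+192.0.2.0/24", "-8.8.8.0/24"]:  # the last line carves nothing
        obj.apply(line)
    for pkt in ["8.8.8.8", "8.8.4.4", "192.0.2.9", "198.51.100.1"]:
        print(pkt, rule_matches(table, "0.1.1.7", pkt))
```

In production the same decoupling of rule from address list is what ipset's hash:net set type gives you, matched from iptables with -m set --match-set; the model above only exists to show the membership and removal semantics the post describes.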
Comments
Netfilter modules like recent and hashlimit provide you with a /proc interface to manage the sets of IP addresses you load into these buckets, but in terms of versatility and management they are crude compared to what ipset (http://ipset.netfilter.org) offers.
As far as I'm concerned the whole root vs unprivileged is a non-issue (Sudo).
Posted 12-07-2012 at 09:41 AM by unSpawn