
On Tue, 18 Jun 2013, Tim Connors wrote:
iptables-save on rhel5 outputs:
-A RH-Firewall-1-INPUT -s 12.3.4.5/255.255.0.0 -p tcp -m tcp -j ACCEPT
whereas rhel6 outputs
-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m tcp -j ACCEPT
Wanting to normalise iptables-save to one form or the other (preferably using the dotted quad netmask), the best I can come up with is a line by line grep (for optimisation perhaps, since a match won't happen often) for /<number> and then extract the number, pass to cidr2mask, and replace /<number> in that line (this is part of a self-contained shell script that will be executed on the fly on another host, so I'd rather not rely on anything that isn't already in RHEL, i.e. no writing a perl script myself unless it's a one liner perl -e thing).
What flag to iptables-save am I missing where it does this for me?
This seems to be a suitably hacky way of doing it:

    # build an array of all replacements /0../32 to /0.0.0.0 -> /255.255.255.255
    # so that any occurrences can quickly be replaced globally in any required
    # filter (cidr2mask is the prefix-length-to-netmask helper defined elsewhere
    # in the script). The trailing space after the prefix length is matched and
    # put back, so "/16 -p tcp" becomes "/255.255.0.0 -p tcp" and "/1 " can never
    # eat the start of "/16 ".
    cidr2netmaskfilter=
    for cidr in `seq 0 32` ; do
        netmask=`cidr2mask "$cidr"`
        cidr2netmaskfilter="$cidr2netmaskfilter; s!/$cidr !/$netmask !g"
    done

    function filter_cidr2mask () {
        sed "$cidr2netmaskfilter"
    }

And in combination with filter_remove_comment() I can now do silly things like:

    function filter_remove_comment () {
        sed 's/ -m comment --comment "[^"]*"//'
    }

    if iptables-save | filter_cidr2mask | filter_remove_comment | grep "^-A $chain $ruleremove" > /dev/null ; then
        verboserun iptables -D $chain $ruleremove
        modified=true
    fi

Weee! (yes, I'm trying to do something like puppetize our iptables configurations without using puppet, and without using the various puppet iptables patterns which I found very deficient).

-- 
Tim Connors
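A complete, self-contained version of the normalisation described in the thread, added here as an example and not taken from the post or from Tim's script. It uses only POSIX sh arithmetic, sed and grep, so it ships inside a single script without any extra packages. The cidr2mask function is my own implementation of the helper the post mentions but does not show; mask2cidr goes the other way, so either form can be chosen as the canonical one and a non-contiguous mask, which has no /N equivalent, is rejected rather than silently mangled. The names build_cidr2mask_filter, normalize_rule, rule_present and sample_has_rule are mine, and SAMPLE_SAVE is a constructed iptables-save excerpt, not captured output.

```shell
#!/bin/sh
# Added example, not code from the original post.  Normalises the "/N"
# prefix that iptables-save prints on RHEL6 to the "/a.b.c.d" netmask form
# printed on RHEL5.  cidr2mask is my own implementation of the helper the
# post refers to; SAMPLE_SAVE is a constructed iptables-save excerpt.

# cidr2mask N -> dotted-quad netmask for prefix length N (0..32).
cidr2mask() {
    bits=$1
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || {
        echo "cidr2mask: bad prefix length '$bits'" >&2; return 1; }
    out=""
    octet=1
    while [ "$octet" -le 4 ]; do
        if [ "$bits" -ge 8 ]; then value=255
        elif [ "$bits" -le 0 ]; then value=0
        else value=$(( 256 - (1 << (8 - bits)) ))   # top $bits bits of the octet set
        fi
        out="$out${out:+.}$value"
        bits=$(( bits - 8 ))
        octet=$(( octet + 1 ))
    done
    printf '%s\n' "$out"
}

# mask2cidr a.b.c.d -> prefix length.  Returns status 1 for anything that is
# not a contiguous run of 1-bits followed by 0-bits (e.g. 255.0.255.0),
# because such a mask has no /N form and is almost always a typo.
mask2cidr() {
    bits=0; seen_zero=0; count=0
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        count=$(( count + 1 ))
        case $octet in
            255) [ "$seen_zero" -eq 0 ] || return 1; bits=$(( bits + 8 )) ;;
            0)   seen_zero=1 ;;
            254|252|248|240|224|192|128)
                [ "$seen_zero" -eq 0 ] || return 1
                v=$octet
                while [ "$v" -ne 0 ]; do
                    bits=$(( bits + 1 )); v=$(( (v << 1) & 255 ))
                done
                seen_zero=1 ;;
            *) return 1 ;;
        esac
    done
    [ "$count" -eq 4 ] || return 1
    printf '%s\n' "$bits"
}

# Build one sed program holding all 33 replacements.  Each prefix length must
# be followed by a space or by end of line, so "/1" never matches the start
# of "/16", and a replacement is never re-matched because a dot follows its
# leading digits.  Two substitutions per length keeps the program POSIX BRE.
build_cidr2mask_filter() {
    filter=""
    n=32
    while [ "$n" -ge 0 ]; do
        mask=$(cidr2mask "$n")
        filter="${filter}s!/$n !/$mask !g;s!/$n\$!/$mask!;"
        n=$(( n - 1 ))
    done
    printf '%s\n' "${filter%;}"
}

filter_cidr2mask() {
    sed "$(build_cidr2mask_filter)"
}

# Same comment-stripping idea as in the post, reading stdin.
filter_remove_comment() {
    sed 's/ -m comment --comment "[^"]*"//'
}

normalize_rule() {
    printf '%s\n' "$1" | filter_cidr2mask
}

# rule_present CHAIN RULE < saved-rules: status 0 if the normalised ruleset
# contains exactly the line "-A CHAIN RULE".  grep -F -x treats the rule as a
# fixed string and demands a whole-line match, so the dots in addresses are
# not regex wildcards and a short rule cannot match a longer one by prefix.
rule_present() {
    filter_cidr2mask | filter_remove_comment | grep -q -F -x -e "-A $1 $2"
}

# Constructed iptables-save excerpt in the RHEL6 style (not real output).
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m tcp -m comment --comment "branch office" -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.0.0/8 -j DROP
COMMIT'

sample_has_rule() {
    printf '%s\n' "$SAMPLE_SAVE" | rule_present "$1" "$2"
}

# Stand-alone demo: print the sample ruleset in the normalised RHEL5 form.
printf '%s\n' "$SAMPLE_SAVE" | filter_cidr2mask | filter_remove_comment
```

Against a live host the only change is to feed `iptables-save | rule_present "$chain" "$rule"` instead of the sample. Matching the whole line with `-F -x` is deliberate: the post's `grep "^-A $chain $ruleremove"` treats the rule as a regular expression and also matches any longer rule that begins with it, so a delete could be issued for a rule that is only a prefix of what is actually loaded.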