18 Jun
2013
18 Jun
'13
6:27 p.m.
iptables-save on rhel5 outputs:
-A RH-Firewall-1-INPUT -s 12.3.4.5/255.255.0.0 -p tcp -m tcp -j ACCEPT
whereas rhel6 outputs
-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m tcp -j ACCEPT
Wanting to normalise iptables-save to one form or the other (preferably
using the dotted quad netmask), the best I can come up with is a line by
line grep (for optimisation perhaps, since a match wont happen often) for
/<number> and then extract the number, pass to cidr2mask, and replace
/<number> in that line (this is part of a self contained shell script that
will be executed on the fly on another host, so I'd rather not rely on
anything that isn't already in RHEL, ie no writing a perl sript myself
unless it's a one liner perl -e thing).
What flag to iptables-save am I missing where it does this for me?
--
Tim Connors
18 Jun
18 Jun
7:04 p.m.
On Tue, 18 Jun 2013, Tim Connors wrote:
iptables-save on rhel5 outputs:
-A RH-Firewall-1-INPUT -s 12.3.4.5/255.255.0.0 -p tcp -m tcp -j ACCEPT
whereas rhel6 outputs
-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m tcp -j ACCEPT
Wanting to normalise iptables-save to one form or the other (preferably
using the dotted quad netmask), the best I can come up with is a line by
line grep (for optimisation perhaps, since a match wont happen often) for
/<number> and then extract the number, pass to cidr2mask, and replace
/<number> in that line (this is part of a self contained shell script that
will be executed on the fly on another host, so I'd rather not rely on
anything that isn't already in RHEL, ie no writing a perl sript myself
unless it's a one liner perl -e thing).
What flag to iptables-save am I missing where it does this for me?
This seems to be a suitably hacking way of doing it:
# build an array of all replacements /0../32 to /0.0.0.0 ->
# /255.255.255.255 so that any occurences can quickly be replaced
# globally in any required filter
cidr2netmaskfilter=
for cidr in `seq 0 32` ; do
netmask=`cidr2mask "$cidr"`
cidr2netmaskfilter="$cidr2netmaskfilter; s!/$cidr !/$netmask!g"
done
function filter_cidr2mask () {
sed "$cidr2netmaskfilter"
}
And in combination with filter_remove_comment() I can now do silly things
like:
function filter_remove_comment () {
sed 's/ -m comment --comment "[^"]*"//'
}
if iptables-save | filter_cidr2mask | filter_remove_comment | grep "^-A $chain
$ruleremove" > /dev/null ; then
verboserun iptables -D $chain $ruleremove
modified=true
fi
Weee!
(yes, I'm trying to do something like puppetize our iptables
configurations without using puppet, and without using the various puppet
iptables patterns which I found very deficient).
--
Tim Connors
8:30 p.m.
On 2013-06-18 19:04, Tim Connors wrote:
[...]
This seems to be a suitably hacking way of doing it:
# build an array of all replacements /0../32 to /0.0.0.0 ->
# /255.255.255.255 so that any occurences can quickly be replaced
# globally in any required filter
cidr2netmaskfilter=
for cidr in `seq 0 32` ; do
netmask=`cidr2mask "$cidr"`
cidr2netmaskfilter="$cidr2netmaskfilter; s!/$cidr !/$netmask!g"
done
function filter_cidr2mask () {
sed "$cidr2netmaskfilter"
}
[...]
Hi Tim,
A couple of pointers: I'd discourage the use of seq[1]. If you're using
bash, which I assume you are given that's available on all RHEL
instances, I'd use {0..32} instead of `seq 0 32`. I also advice using
$(cidr2mask "$cidr") rather than `cidr2mask "$cidr"`; The $()
notation
is newer and more predictable, especially with regard to quoting.
Also, what *is* cidr2mask? I've not seen it anywhere before.
Further, your sed appears to be expecting a space after "$cidr", but
isn't putting one back after "$netmask". That could give you grief.
Finally, were I writing this myself (in the absense of cidr2mask), I'd
probably do something like the following:
| filter_cidr2mask(){
| cidr=(
| 0.0.0.0
| 128.0.0.0
| 192.0.0.0
| 224.0.0.0
| 240.0.0.0
| 248.0.0.0
| 252.0.0.0
| 254.0.0.0
| 255.0.0.0
| 255.128.0.0
| 255.192.0.0
| 255.224.0.0
| 255.240.0.0
| 255.248.0.0
| 255.252.0.0
| 255.254.0.0
| 255.255.0.0
| 255.255.128.0
| 255.255.192.0
| 255.255.224.0
| 255.255.240.0
| 255.255.248.0
| 255.255.252.0
| 255.255.254.0
| 255.255.255.0
| 255.255.255.128
| 255.255.255.192
| 255.255.255.224
| 255.255.255.240
| 255.255.255.248
| 255.255.255.252
| 255.255.255.254
| 255.255.255.255
| )
|
| sedExp=
| for ((i=0; i<=32; i++)); do
| sedExp+="s!/\<$i\>!/${cidr[$i]}!g; "
| done
|
| sed "$sedExp"
| }
1. <greybot> seq(1) is a highly nonstandard program used to count to 10
in silly Linux howtos. Use one of these: for ((i = 1; i <=
10; i++)); do ... (bash 2.04+/zsh/ksh93), i=; while ((i++
<= 10)); do ... (bash/mksh/ksh88), i=; while [ $(( ( i +=
1 ) <= 10 )) -ne 0 ]; do ... (POSIX). Don't do this: for
x in $(...); do ... Don't do this: for i in {1..10}; do
...
--
Regards,
Matthew Cengia
10:08 p.m.
On Tue, 18 Jun 2013, Matthew Cengia wrote:
On 2013-06-18 19:04, Tim Connors wrote:
[...]
Never heard of that before. Definitely not POSIX (gut feeling here - no
POSIX reference manual handy, but it doesn't work in dash). Never seen
seq not work (assumed it was posix - I even saw it work on HP-UX of all
things. Heck, it probably even works on SCO).
This seems to be a suitably hacking way of doing
it:
# build an array of all replacements /0../32 to /0.0.0.0 ->
# /255.255.255.255 so that any occurences can quickly be replaced
# globally in any required filter
cidr2netmaskfilter=
for cidr in `seq 0 32` ; do
netmask=`cidr2mask "$cidr"`
cidr2netmaskfilter="$cidr2netmaskfilter; s!/$cidr !/$netmask!g"
done
function filter_cidr2mask () {
sed "$cidr2netmaskfilter"
}
[...]
Hi Tim,
A couple of pointers: I'd discourage the use of seq[1]. If you're using
bash, which I assume you are given that's available on all RHEL
instances, I'd use {0..32} instead of `seq 0 32`. I also advice using
$(cidr2mask "$cidr") rather than `cidr2mask "$cidr"`; The $()
notation
is newer and more predictable, especially with regard to quoting.
Yeah, trying to get out of the habit (` is still prettier for small
snippets), however I thought $(prog) is not POSIX (I'm straying well away
from posix in this program anyway), whereas ` is. (how do you google for
"`" and "$(" ?)
Also, what *is* cidr2mask? I've not seen it
anywhere before.
You own favourite shell function. Not the one I originally wrote which
seemed to work for the common cases until I threw a non-class address at
it while testing months after initial deploy (woops!) (meh, famous last
words, it's not like it's ever going to be used elsewhere other than our
class B).
Here's some useful network calculations someone might find useful (after
suitably debugging and commenting), that should never be deployed in
production because I do silly things like work out what $0 is (so can be
symlinked to netcalc, bcasecacl, cidr2mask, mask2cidr) without any sanity
checking:
http://rather.puzzling.org/~tconnors/code/cidr2mask
Further, your sed appears to be expecting a space
after "$cidr", but
isn't putting one back after "$netmask". That could give you grief.
Woops, that what happens when you want to fly out of the door before 7 and
it's already 7:04. Tested fine! Good thing I ran with --noop rather than
deploying across the cluster :) It's only me on call. Guess I better
check my phone to see whether anyone called while I was on the bike :)
Finally, were I writing this myself (in the absense of
cidr2mask), I'd
probably do something like the following:
| filter_cidr2mask(){
| cidr=(
| 0.0.0.0
| 128.0.0.0
| 192.0.0.0
| 224.0.0.0
| 240.0.0.0
| 248.0.0.0
| 252.0.0.0
| 254.0.0.0
| 255.0.0.0
| 255.128.0.0
| 255.192.0.0
| 255.224.0.0
| 255.240.0.0
| 255.248.0.0
| 255.252.0.0
| 255.254.0.0
| 255.255.0.0
| 255.255.128.0
| 255.255.192.0
| 255.255.224.0
| 255.255.240.0
| 255.255.248.0
| 255.255.252.0
| 255.255.254.0
| 255.255.255.0
| 255.255.255.128
| 255.255.255.192
| 255.255.255.224
| 255.255.255.240
| 255.255.255.248
| 255.255.255.252
| 255.255.255.254
| 255.255.255.255
| )
Urk. Big array not generated by a simple loop.
| sedExp=
| for ((i=0; i<=32; i++)); do
| sedExp+="s!/\<$i\>!/${cidr[$i]}!g; "
| done
|
| sed "$sedExp"
| }
1. <greybot> seq(1) is a highly nonstandard program used to count to 10
in silly Linux howtos. Use one of these: for ((i = 1; i <=
10; i++)); do ... (bash 2.04+/zsh/ksh93), i=; while ((i++
<= 10)); do ... (bash/mksh/ksh88), i=; while [ $(( ( i +=
1 ) <= 10 )) -ne 0 ]; do ... (POSIX). Don't do this: for
x in $(...); do ... Don't do this: for i in {1..10}; do
...
Heh.
--
Tim Connors
10:40 p.m.
On 2013-06-18 22:08, Tim Connors wrote:
[...]
You're right, {0..32} isn't POSIX; I did further research further down
the email, most notably the stuff from Greybot (which, for reference,
lurks in Freenode/#bash).
Both POSIX (at least for newer POSIX versions). For reference:
http://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#ta…
(Also worth noting though that, e.g. Solaris sh doesn't adhere to
current POSIX, and implements `` but not $().)
[...]
instances,
I'd use {0..32} instead of `seq 0 32`.
Never heard of that before. Definitely not POSIX (gut feeling here - no
POSIX reference manual handy, but it doesn't work in dash). Never seen
seq not work (assumed it was posix - I even saw it work on HP-UX of all
things. Heck, it probably even works on SCO).
> I also advice using
Oops. *advise
$(cidr2mask
"$cidr") rather than `cidr2mask "$cidr"`; The $() notation
is newer and more predictable, especially with regard to quoting.
Yeah, trying to get out of the habit (` is still prettier for small
snippets), however I thought $(prog) is not POSIX (I'm straying well away
from posix in this program anyway), whereas ` is. (how do you google for
"`" and "$(" ?) Here's some useful network calculations someone
might find useful (after
suitably debugging and commenting), that should never be deployed in
production because I do silly things like work out what $0 is (so can be
symlinked to netcalc, bcasecacl, cidr2mask, mask2cidr) without any sanity
checking:
http://rather.puzzling.org/~tconnors/code/cidr2mask
Pfft, that's easily fixed:
case "${0##*/}" in
mask2cidr|cidr2mask|netcalc|bcastcalc) "${0##*/}";;
*) echo 'ERROR!' >&2; exit 1;;
esac
... And that's all POSIX, not that it matters given you're invoking as
/bin/bash.
[...]
Urk. Big array not generated by a simple loop.
I agree, but I couldn't come up with a more elegant solution in the time
I allocated myself. Will take a look at your script for ideas.
--
Regards,
Matthew Cengia
19 Jun
19 Jun
11:05 a.m.
Tim Connors writes:
-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m tcp
-j ACCEPT
One gotcha, which applies at -restore time, but not at -save time:
Like IPv6, in IPv4 you can omit .0 segments:
1.4 --> 1.0.0.4
1.2.4 --> 1.2.0.4 (I think - might be 1.0.2.4)
iptables-restore understands this.
However, if there is a CIDR it expands differently:
1.4/24 --> 1.4.0.0/24
1.2.4/24 --> 1.2.4.0/24
13 Dec
13 Dec
4:17 p.m.
On Wed, 19 Jun 2013, Trent W. Buck wrote:
Tim Connors writes:
I missed that went it was sent originally.
-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m
tcp -j ACCEPT
One gotcha, which applies at -restore time, but not at -save time:
Like IPv6, in IPv4 you can omit .0 segments:
1.4 --> 1.0.0.4
1.2.4 --> 1.2.0.4 (I think - might be 1.0.2.4) iptables-restore understands this.
However, if there is a CIDR it expands differently:
1.4/24 --> 1.4.0.0/24
1.2.4/24 --> 1.2.4.0/24
Holy crap that's ridiculous. Anyone who uses those stupid formats gets
what they deserve.
--
Tim Connors
5:38 p.m.
Tim Connors wrote:
On Wed, 19 Jun 2013, Trent W. Buck wrote:
No worries -- nobody can afford a whole class B anymore anyway ;-P
BTW 1.4 --> 1.0.0.4 works in ping and suchlike, too.
Not nmap, tho.
Tim Connors writes:
I missed that went it was sent originally.
-A RH-Firewall-1-INPUT -s 12.3.4.5/16 -p tcp -m
tcp -j ACCEPT
One gotcha, which applies at -restore time, but not at -save time:
Like IPv6, in IPv4 you can omit .0 segments:
1.4 --> 1.0.0.4
1.2.4 --> 1.2.0.4 (I think - might be 1.0.2.4) iptables-restore understands this.
However, if there is a CIDR it expands differently:
1.4/24 --> 1.4.0.0/24
1.2.4/24 --> 1.2.4.0/24
Holy crap that's ridiculous. Anyone who uses those stupid formats gets
what they deserve.
3393
days inactive
3571
days old
8 comments
4 participants
participants (4)
-
Matthew Cengia -
Tim Connors -
Trent W. Buck -
trentbuck@gmail.com