ipchains-save

When I designed WPM, I needed a way to get the actual status of WPM. I found the following command to be very useful:

[root@localhost wpm]# ipchains-save
:input ACCEPT
:forward ACCEPT
:output ACCEPT
Saving 'input'.
-A input -s 10.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
-A input -s 10.0.0.2/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
-A input -s 10.0.0.3/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
-A input -s 10.0.0.4/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
-A input -s 10.0.0.5/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
-A input -s 10.0.0.6/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
-A input -s 10.0.0.7/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
-A input -s 10.0.0.8/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \
   -p 6 -j REJECT
This seems perfect: ipchains-save prints the exact commands needed to reproduce the current rule set! This is how WPM was implemented in its first public version.
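A small parser for this output, added here as an example and not WPM's own code: it rejoins the backslash-continued lines, maps each -A rule to its flags, and lists the hosts currently REJECTed on TCP port 3128. The sample input is constructed to mirror the listing above, with one unrelated ACCEPT rule added to show it is filtered out.

```python
# Constructed sample in ipchains-save's format (not captured from a real host):
# -A rules wrapped with a trailing backslash as above, plus one ACCEPT rule.
SAMPLE = """\
:input ACCEPT
Saving 'input'.
-A input -s 10.0.0.1/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \\
   -p 6 -j REJECT
-A input -s 10.0.0.2/255.255.255.255 -d 0.0.0.0/0.0.0.0 3128:3128 \\
   -p 6 -j REJECT
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -j ACCEPT
"""

def parse_rule(line):
    """Turn one '-A chain ...' line into a dict keyed by ipchains flag."""
    toks = line.split()
    rule = {"chain": toks[1], "sport": None, "dport": None}
    i = 2
    while i < len(toks):
        flag = toks[i]
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[flag] = toks[i + 1]
            i += 2
            # an optional port range follows the -s/-d address directly
            if flag in ("-s", "-d") and i < len(toks) and ":" in toks[i]:
                rule["sport" if flag == "-s" else "dport"] = toks[i]
                i += 1
        else:                       # valueless flag such as -y or -l
            rule[flag] = True
            i += 1
    return rule

def parse_save(text):
    """Rule dicts from ipchains-save output; rejoins backslash-wrapped lines
    and ignores the ':chain policy' and "Saving '...'." lines."""
    rules, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):        # continued on the next line
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        if line.startswith("-A "):
            rules.append(parse_rule(line))
    return rules

def blocked_hosts(text, port="3128"):
    """Source hosts REJECTed on TCP <port>: the status WPM has to display."""
    return [r.get("-s", "0.0.0.0/0").split("/")[0] for r in parse_save(text)
            if r.get("-j") == "REJECT" and r.get("-p") in ("6", "tcp")
            and r["dport"] == f"{port}:{port}"]
```

Because ipchains-save always prints numeric addresses, the parser never has to deal with the reverse-lookup problem discussed below.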

I could also have used ipchains with the -L switch. This actually runs much faster than ipchains-save, but is not perfectly suited for the job. The output it gives is in the following format:

[root@localhost wpm]# ipchains -L
Chain input (policy ACCEPT):
target     prot opt   source  destination   ports
REJECT     tcp  ------  10.0.0.1  anywhere  any ->   3128
REJECT     tcp  ------  10.0.0.2  anywhere  any ->   3128
REJECT     tcp  ------  10.0.0.3  anywhere  any ->   3128
REJECT     tcp  ------  10.0.0.4  anywhere  any ->   3128
REJECT     tcp  ------  10.0.0.5  anywhere  any ->   3128
REJECT     tcp  ------  10.0.0.6  anywhere  any ->   3128
REJECT     tcp  ------  10.0.0.7  anywhere  any ->   3128
REJECT     tcp  ------  10.0.0.8  anywhere  any ->   3128
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
Parsing it might not be such a difficult task, and it would perform much faster than the command I chose. However, if reverse lookups are available, it will list the DNS names instead of the IP addresses. Even if I gave the daemon enough knowledge to resolve the name of each address (a task that would take a large amount of time), WPM's functionality would seriously break in an environment where one name maps to more than one host.

This decision makes WPM a bit slower. When more than 100 IP addresses are blocked, it can easily take 15 seconds to display the whole list. This performance penalty, however, is certainly worth the information it delivers.