In what language would you like that script to be? Any? Because with a shell script that's tedious to say the least...
You could otherwise save the result of your arp + grep and iptables -L in 2 different files, then load those two files in an array. Then it becomes pretty easy, you go through one of the arrays and if it exists / does not exist in the other, then delete.
arp |grep br0 | perl -nle '/her ([^ ]+)/ && print $1' >file1.txt
iptables -t mangle -L -v -n |grep MAC | perl -nle '/MAC ([^ ]+)/ && print $1' >file2.txt
php do-delete.php
And the do-delete.php could be loading the files and run a system() call to delete the entries:
<?php
// Read both lists without trailing newlines: file() keeps them by default,
// and a newline inside the command string below would break the shell command.
$f1 = file("file1.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$f2 = file("file2.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
// MACs that have an iptables rule (file2) but no arp entry (file1)
$to_delete = array_diff($f2, $f1);
foreach($to_delete as $mac)
{
    // quote the value so nothing unexpected from the grep output reaches the shell
    system('iptables -t mangle -D internet -m mac --mac-source ' . escapeshellarg($mac) . ' -j RETURN');
}
Something like that... (NOT TESTED!) Notice how the array_diff() call is easy! Nothing of the sort that I know of in a shell script.
You could also print out the resulting table back in a file.
file_put_contents('file3.txt', join("\n", $to_delete) . "\n");
Then use that to do the delete from the shell...
Also you could use PHP to generate the first two files using popen().
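The same file1/file2 set difference the answer describes, carried out in POSIX shell with sort and comm, as an added example that is not part of the original answer. It validates each MAC before building the iptables command, uses constructed sample input, and prints the delete commands instead of executing them; the chain name "internet" is the one used above.

```shell
#!/bin/sh
# Added example, not code from the original answer. Computes "MACs that have an
# iptables rule but no arp entry" with sort + comm and prints the iptables -D
# command for each one (dry run). Sample data below is constructed.
export LC_ALL=C   # fixed collation so sort and comm agree

# Keep only lines that are a full MAC address (6 hex pairs joined by ':'),
# lowercased so differently-cased spellings from arp and iptables compare equal.
valid_macs() {
    tr 'A-F' 'a-f' | grep -E '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# stale_macs ARP_FILE IPT_FILE
# Prints MACs present in IPT_FILE (rules) but absent from ARP_FILE (arp table).
stale_macs() {
    tmp_arp=$(mktemp) || return 1
    tmp_ipt=$(mktemp) || return 1
    valid_macs < "$1" | sort -u > "$tmp_arp"
    valid_macs < "$2" | sort -u > "$tmp_ipt"
    comm -13 "$tmp_arp" "$tmp_ipt"    # lines only in the second (iptables) file
    rm -f "$tmp_arp" "$tmp_ipt"
}

# delete_cmds: one iptables -D line per MAC read from stdin. Review the output,
# then pipe it to sh to actually remove the rules.
delete_cmds() {
    while IFS= read -r mac; do
        printf 'iptables -t mangle -D internet -m mac --mac-source %s -j RETURN\n' "$mac"
    done
}

# demo: runs the pipeline on constructed stand-ins for file1.txt and file2.txt.
demo() {
    arp_f=$(mktemp); ipt_f=$(mktemp)
    # constructed arp-side MACs (file1.txt in the answer)
    printf '%s\n' 00:11:22:33:44:55 aa:bb:cc:dd:ee:01 > "$arp_f"
    # constructed iptables-side MACs (file2.txt); the last line is malformed and
    # must be dropped rather than placed in a shell command
    printf '%s\n' 00:11:22:33:44:55 AA:BB:CC:DD:EE:02 'aa:bb:cc:dd:ee' > "$ipt_f"
    stale_macs "$arp_f" "$ipt_f" | delete_cmds
    rm -f "$arp_f" "$ipt_f"
}

demo
```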