From patchwork Tue Jan 23 10:44:22 2018
X-Patchwork-Submitter: Alban Vidal
X-Patchwork-Id: 864740
X-Patchwork-Delegate: pablo@netfilter.org
To: netfilter-devel@vger.kernel.org
From: Alban Vidal
Subject: iptables-save - suggest patch to add functionality
Date: Tue, 23 Jan 2018 11:44:22 +0100
List-ID: netfilter-devel@vger.kernel.org

Package: iptables

Dear Maintainers,

Please find attached a suggested patch to add functionality to iptables-save.

-------------------------------------------------------------------------------
1) Adding -z or --zero option: reset the chain counters to zero.

Example without:

iptables-save
# Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:51 2018
*nat
:PREROUTING ACCEPT [923:217673]
:INPUT ACCEPT [309:97481]
(...)

Example with:

iptables-save -z
# Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:26 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
(...)

-------------------------------------------------------------------------------
2) Adding -h or --help option: print help/usage (inspired by the manpage)

Content:

iptables-save -h
iptables-save and ip6tables-save are provided by the iptables package, version 1.6.1

iptables-save and ip6tables-save are used to dump the contents of the IP or IPv6 tables in an easily parseable format to STDOUT. Use the I/O redirection provided by your shell to write to a file.

Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table]
       ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table]

Options:
Either long or short options are allowed.

  -h, --help
      Print this help usage.

  -M, --modprobe modprobe_program
      Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/mod‐probe to determine the executable's path.

  -c, --counters
      Include the current values of all packet and byte counters in the output.

  -z, --zero
      Reset the chain counters to zero.

  -t, --table tablename
      Restrict output to only one table. If not specified, output includes all available tables.

  -f, --file filename
      Specify a filename to log the output to. If not specified, iptables-save will log to STDOUT.

-------------------------------------------------------------------------------
3) Layout: uppercase, dots...

Best regards,
Alban Vidal

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Signed-off-by: Alban Vidal

diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c index 8e3a6afd..466ce0ce 100644 --- a/iptables/ip6tables-save.c +++ b/iptables/ip6tables-save.c @@ -3,6 +3,8 @@ * Original code: iptables-save * Authors: Paul 'Rusty' Russel and * Harald Welte + * Contributor: Alban Vidal + * * This code is distributed under the terms of GNU GPL v2 */ #include
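Review bot: the series bundles three independent changes (the -z option, the -h option, and man page wording and punctuation fixes) under one subject line with no commit message explaining any of them; split it into one patch per change, each with a "iptables-save: ..." subject and a body saying what the option does and why. The `+ * Contributor: Alban Vidal` line added to the file's author comment in this first hunk is not something upstream maintains in file headers (git history records authorship), so drop it.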
@@ -18,18 +20,12 @@ #include "libiptc/libip6tc.h" #include "ip6tables.h" #include "ip6tables-multi.h" +#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */ -static int show_counters; - -static const struct option options[] = { - {.name = "counters", .has_arg = false, .val = 'c'}, - {.name = "dump", .has_arg = false, .val = 'd'}, - {.name = "table", .has_arg = true, .val = 't'}, - {.name = "modprobe", .has_arg = true, .val = 'M'}, - {.name = "file", .has_arg = true, .val = 'f'}, - {NULL}, -}; +static int show_counters = 0; +/* if = 1 (opt -z): Reset to zero counters of the chains */ +static int rst_chain_counters = 0; /* Debugging prototype. */ static int for_each_table(int (*func)(const char *tablename)) @@ -96,7 +92,10 @@ static int do_output(const char *tablename) struct xt_counters count; printf("%s ", ip6tc_get_policy(chain, &count, h)); - printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); + if (rst_chain_counters > 0) + printf("[0:0]\n"); /* Reset to zero counters of the chains */ + else + printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); } else { printf("- [0:0]\n"); } @@ -146,7 +145,7 @@ int ip6tables_save_main(int argc, char *argv[]) init_extensions6(); #endif - while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) { + while ((c = getopt_long(argc, argv, "bhcdzt:M:f:", options, NULL)) != -1) { switch (c) { case 'b': fprintf(stderr, "-b/--binary option is not implemented\n"); @@ -154,14 +153,20 @@ int ip6tables_save_main(int argc, char *argv[]) case 'c': show_counters = 1; break; - case 't': /* Select specific table. */ tablename = optarg; break; + case 'h': + /* Print Help and quit */ + print_help_usage(); + break; case 'M': xtables_modprobe_program = optarg; break; + case 'z': + rst_chain_counters = 1; + break; case 'f': file = fopen(optarg, "w"); if (file == NULL) { 
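Review bot: `#include "ipXtables-save-common.c"` in the @@ -18,18 +20,12 @@ hunk textually includes a .c file, so print_help_usage() and options[] are compiled once into ip6tables-save.c and again into iptables-save.c and the new file is never built as its own object; declare them in a header and compile the definitions once (iptables/xshared.h and xshared.c already exist for code shared by the IPv4 and IPv6 front ends). In the same hunk, `-static int show_counters;` / `+static int show_counters = 0;` changes nothing, since a file-scope static is zero-initialised already; leave that line untouched and declare `rst_chain_counters` without the `= 0` as well.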
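Review bot: in the do_output() hunk, `if (rst_chain_counters > 0)` tests a flag against zero and duplicates the printf; zero the struct and keep the single existing output line instead: `if (rst_chain_counters) count.pcnt = count.bcnt = 0;` before `printf("[%llu:%llu]\n", ...)`. This branch only covers the chain policy line, so with `-c -z` the per-rule `[pkts:bytes]` prefixes are still written with live values while the policy counters read `[0:0]`; either document that -z affects the policy counters only or also suppress the rule counters when it is set.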
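Review bot: in the ip6tables_save_main() hunk, print_help_usage() never returns because it calls exit(0), so the `break;` after `case 'h':` is dead code and the process exit is hidden inside a function whose name says it only prints; have it return and let the caller `return 0`. The hunk also deletes the blank line before `case 't':`, an unrelated whitespace change that does not belong in this patch. Finally, `--zero` is the long name iptables(8) uses for `-Z`, which really resets the kernel counters, whereas this option only prints `[0:0]` and leaves every counter untouched; a name that says so, and a man page sentence stating that nothing is reset, would avoid the clash.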
diff --git a/iptables/ipXtables-save-common.c b/iptables/ipXtables-save-common.c index e69de29b..3287fc51 100644 --- a/iptables/ipXtables-save-common.c +++ b/iptables/ipXtables-save-common.c 
@@ -0,0 +1,63 @@ +/* Common code for iptables-save.c and ip6tables-save.c */ +/* (C) 2018 by Alban Vidal + * + * This code is distributed under the terms of GNU GPL v2 + */ + +#include +#include +#include /* struct option */ +#include /* true/false */ + +/* Summary help usage */ +static void print_help_usage() +{ + printf( + "iptables-save and ip6tables-save are provides from iptables package — version %s\n" + "\n" + "iptables-save and ip6tables-save are used to dump the contents of IP or " + "IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection " + "provided by your shell to write to a file.\n" + "\n" + "Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table] [-f filename]\n" + " ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table] [-f filename]\n" + "\n" + "Options:\n" + "Either long or short options are allowed.\n" + "\n" + " -h, --help\n" + " Print this help usage.\n" + "\n" + " -M, --modprobe modprobe_program\n" + " Specify the path to the modprobe program. By default, iptables-save " + "will inspect /proc/sys/kernel/mod‐probe to determine the executable's path.\n" + "\n" + " -c, --counters\n" + " Include the current values of all packet and byte counters in the output.\n" + "\n" + " -z, --zero\n" + " Reset to zero counters of the chains.\n" + "\n" + " -t, --table tablename\n" + " Restrict output to only one table. If not specified, output includes " + "all available tables.\n" + "\n" + " -f, --file filename\n" + " Specify a filename to log the output to. 
If not specified, iptables-save " + "will log to STDOUT.\n" + , IPTABLES_VERSION + ); + + exit(0); +} + +static const struct option options[] = { + {.name = "help", .has_arg = false, .val = 'h'}, + {.name = "counters", .has_arg = false, .val = 'c'}, + {.name = "dump", .has_arg = false, .val = 'd'}, + {.name = "zero", .has_arg = false, .val = 'z'}, + {.name = "table", .has_arg = true, .val = 't'}, + {.name = "modprobe", .has_arg = true, .val = 'M'}, + {.name = "file", .has_arg = true, .val = 'f'}, + {NULL}, +}; diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in index 51e11f3e..0ee0f513 100644 --- a/iptables/iptables-save.8.in +++ b/iptables/iptables-save.8.in @@ -23,11 +23,11 @@ iptables-save \(em dump iptables rules .P ip6tables-save \(em dump iptables rules .SH SYNOPSIS -\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] -[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP] +\fBiptables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] +[\fB\-z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP] .P -\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] -[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP] +\fBip6tables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] +[\fB\-z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP] .SH DESCRIPTION .PP .B iptables-save @@ -36,6 +36,9 @@ and are used to dump the contents of IP or IPv6 Table in easily parseable format either to STDOUT or to a specified file. .TP +\fB\-h\fR, \fB\-\-help\fR +Print help usage and quit. +.TP \fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/modprobe to determine the executable's path. 
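Review bot: `index e69de29b..3287fc51 100644` with no `new file mode` line means this diff was taken against a tree that already contained an empty iptables/ipXtables-save-common.c (e69de29b is git's empty-blob id), so `git am` will not apply it to upstream; regenerate the series with `git format-patch` from a single commit that adds the file. In the help text itself, `/proc/sys/kernel/mod‐probe` carries a non-ASCII hyphen copied from the rendered man page, so the printed path is wrong (it is /proc/sys/kernel/modprobe); `are provides from iptables package` should read `are provided by the iptables package`; `static void print_help_usage()` should take `(void)`; and the usage block names both iptables-save and ip6tables-save whichever binary is running, so print the invoked program name instead. The man page SYNOPSIS and `-h` hunks that follow look fine.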
@@ -45,19 +48,24 @@ Specify a filename to log the output to. If not specified, iptables-save will log to STDOUT. .TP \fB\-c\fR, \fB\-\-counters\fR -include the current values of all packet and byte counters in the output +Include the current values of all packet and byte counters in the output. +.TP +\fB\-z\fR, \fB\-\-zero\fR +Reset to zero counters of the chains. .TP \fB\-t\fR, \fB\-\-table\fR \fItablename\fP -restrict output to only one table. If not specified, output includes all +Restrict output to only one table. If not specified, output includes all available tables. .SH BUGS -None known as of iptables-1.2.1 release +None known as of iptables-1.2.1 release. .SH AUTHORS -Harald Welte +Harald Welte , +.br +Rusty Russell , .br -Rusty Russell +Andras Kis-Szabo contributed ip6tables-save, .br -Andras Kis-Szabo contributed ip6tables-save. +Alban Vidal contributed ip[6]tables-save. .SH SEE ALSO \fBiptables\-restore\fP(8), \fBiptables\fP(8) .PP diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c index d59bd34a..d6abdb93 100644 --- a/iptables/iptables-save.c +++ b/iptables/iptables-save.c @@ -1,6 +1,8 @@ /* Code to save the iptables state, in human readable-form. */ /* (C) 1999 by Paul 'Rusty' Russell and * (C) 2000-2002 by Harald Welte + * Contributor: + * (C) 2018 by Alban Vidal * * This code is distributed under the terms of GNU GPL v2 * 
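Review bot: in the man page @@ -45,19 +48,24 @@ hunk, `Reset to zero counters of the chains.` tells the reader the counters are reset, but the code only writes `[0:0]` on the chain policy lines and leaves the kernel counters and the per-rule counters shown by -c untouched; say so explicitly, e.g. `Write the chain policy counters as [0:0] instead of their current values; kernel counters are not modified.` The AUTHORS rewrite is wrong: it turns the full stop after Andras Kis-Szabo's entry into a comma and adds `Alban Vidal contributed ip[6]tables-save.`, which reads as authorship of the tools rather than of two options; drop the AUTHORS and BUGS edits and let the git log record the contribution.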
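Review bot: the `+ * Contributor:` / `+ * (C) 2018 by Alban Vidal` lines added to the iptables-save.c copyright comment are worded differently from the `Contributor: Alban Vidal` line added to ip6tables-save.c, and upstream does not keep contributor lists in file headers at all; drop both, or at least use one form in both files.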
@@ -17,17 +19,12 @@ #include "libiptc/libiptc.h" #include "iptables.h" #include "iptables-multi.h" +#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */ -static int show_counters; +static int show_counters = 0; -static const struct option options[] = { - {.name = "counters", .has_arg = false, .val = 'c'}, - {.name = "dump", .has_arg = false, .val = 'd'}, - {.name = "table", .has_arg = true, .val = 't'}, - {.name = "modprobe", .has_arg = true, .val = 'M'}, - {.name = "file", .has_arg = true, .val = 'f'}, - {NULL}, -}; +/* if = 1 (opt -z): Reset to zero counters of the chains */ +static int rst_chain_counters = 0; /* Debugging prototype. */ static int for_each_table(int (*func)(const char *tablename)) @@ -94,7 +91,10 @@ static int do_output(const char *tablename) struct xt_counters count; printf("%s ", iptc_get_policy(chain, &count, h)); - printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); + if (rst_chain_counters > 0) + printf("[0:0]\n"); /* Reset to zero counters of the chains */ + else + printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt); } else { printf("- [0:0]\n"); } @@ -145,7 +145,7 @@ iptables_save_main(int argc, char *argv[]) init_extensions4(); #endif - while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) { + while ((c = getopt_long(argc, argv, "bhcdzt:M:f:", options, NULL)) != -1) { switch (c) { case 'b': fprintf(stderr, "-b/--binary option is not implemented\n"); @@ -153,14 +153,20 @@ iptables_save_main(int argc, char *argv[]) case 'c': show_counters = 1; break; - case 't': /* Select specific table. */ tablename = optarg; break; + case 'h': + /* Print Help and quit */ + print_help_usage(); + break; case 'M': xtables_modprobe_program = optarg; break; + case 'z': + rst_chain_counters = 1; + break; case 'f': file = fopen(optarg, "w"); if (file == NULL) {
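Review bot: the three iptables-save.c hunks repeat the ip6tables-save.c changes line for line, so the same points apply here: `if (rst_chain_counters > 0)` should be `if (rst_chain_counters)` with the single existing printf kept, the `break;` after print_help_usage() is unreachable because that function calls exit(0), the `= 0` initialiser on `show_counters` is a no-op, and the blank line before `case 't':` is removed without reason. Since the only difference between the two do_output() bodies is iptc_get_policy() versus ip6tc_get_policy(), zeroing `count` in one small helper in the shared file would keep the -z logic in one place instead of two copies that must be kept in sync.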
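The rewrite the proposed -z option performs on the chain policy lines can also be done on existing iptables-save output from userspace. What follows is an added example, not code from the patch or from the iptables project: it assumes only POSIX sh and `sed -E`, and the dump it processes is a constructed sample in the style of `iptables-save -c` output. It goes one step further than the patch and also normalises the per-rule counters that -c emits, which the patch leaves unchanged.

```shell
#!/bin/sh
# Added example, not part of the patch or the iptables source tree:
# normalise the counters in an iptables-save dump without touching the kernel.
#
# iptables-save always writes chain policy lines as ":CHAIN POLICY [pkts:bytes]"
# (user-defined chains have policy "-"); with -c each rule line additionally
# starts with "[pkts:bytes] ". Both forms are rewritten to [0:0].

# zero_chain_counters: rewrite only the chain policy counters (what -z proposes).
zero_chain_counters() {
    sed -E 's/^(:[^ ]+ [^ ]+ )\[[0-9]+:[0-9]+]$/\1[0:0]/'
}

# zero_all_counters: also rewrite the per-rule counters that -c emits.
zero_all_counters() {
    zero_chain_counters | sed -E 's/^\[[0-9]+:[0-9]+] /[0:0] /'
}

# Constructed sample of `iptables-save -c` output, embedded so the script runs offline.
SAMPLE_DUMP='# Generated by iptables-save v1.6.1 on Tue Jan  9 21:42:51 2018
*nat
:PREROUTING ACCEPT [923:217673]
:INPUT ACCEPT [309:97481]
:OUTPUT ACCEPT [12:840]
:POSTROUTING ACCEPT [12:840]
:DOCKER - [0:0]
[7:420] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT
# Completed on Tue Jan  9 21:42:51 2018'

# Usage: a normalised dump is what you want to diff or keep under version control.
printf '%s\n' "$SAMPLE_DUMP" | zero_all_counters
```

iptables-restore only loads the bracketed counters when it is itself given -c, so for restoring a rule set the values are irrelevant; normalising them matters when dumps are diffed or committed, where live counters otherwise show up as a change on every run.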