Message ID | 1361878382-11959-1-git-send-email-jonh.wendell@gmail.com |
---|---|
State | Not Applicable |
On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:

>From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
>
>Similar to the --table argument, if a --chain (or -C) argument
>is passed, we limit the output to rules of that chain.

But we have `iptables -S chain` for that, don't we.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
2013/2/26 Jan Engelhardt <jengelh@inai.de>
>
> On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:
>
> >From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
> >
> >Similar to the --table argument, if a --chain (or -C) argument
> >is passed, we limit the output to rules of that chain.
>
> But we have `iptables -S chain` for that, don't we.

I'm afraid its output is not suitable for iptables-restore.

--
Jonh Wendell
http://www.bani.com.br
On Tuesday 2013-02-26 15:57, Jonh Wendell wrote:

>2013/2/26 Jan Engelhardt <jengelh@inai.de>
>> On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:
>>
>> >From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
>> >
>> >Similar to the --table argument, if a --chain (or -C) argument
>> >is passed, we limit the output to rules of that chain.
>>
>> But we have `iptables -S chain` for that, don't we.
>
>I'm afraid its output is not suitable for iptables-restore.

I thought you just wanted to have a single chain shown, for the
purposes of debugging (because nobody can frankly read -L's output).
If however you want to feed it to replace, can you elaborate on your
use case? I would be interested in that.
2013/2/26 Jan Engelhardt <jengelh@inai.de>:
>
> On Tuesday 2013-02-26 15:57, Jonh Wendell wrote:
>>2013/2/26 Jan Engelhardt <jengelh@inai.de>
>>> On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:
>>>
>>> >From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
>>> >
>>> >Similar to the --table argument, if a --chain (or -C) argument
>>> >is passed, we limit the output to rules of that chain.
>>>
>>> But we have `iptables -S chain` for that, don't we.
>>
>>I'm afraid its output is not suitable for iptables-restore.
>
> I thought you just wanted to have a single chain shown, for the
> purposes of debugging (because nobody can frankly read -L's output).
> If however you want to feed it to replace, can you elaborate on your
> use case? I would be interested in that.

Hi!

My particular use case is: I want to flush all iptables rules except
those from a specific chain.
So, I save them with iptables-save -C <chain-name>, flush, and then
run iptables-restore on them.

I could do it without that -C flag, but I'd have to parse its output
to get only the chain I'm interested in.

In other words, my use case could be reached with something like
'iptables -F ! <chain-name>'.

All in all, I think it's a good addition to iptables-save; it can be
useful in other scenarios.

Thanks,
On Tuesday 2013-02-26 17:18, Jonh Wendell wrote:
>
>My particular use case is: I want to flush all iptables rules except
>those ones from a specific chain.
>So, I save them with iptables-save -C <chain-name>, flush, and then
>run iptables-restore on them.

But if chain-name is not a base chain, then you wipe out the
main rules for all practical purposes.
2013/2/26 Jan Engelhardt <jengelh@inai.de>:
>
> On Tuesday 2013-02-26 17:18, Jonh Wendell wrote:
>>
>>My particular use case is: I want to flush all iptables rules except
>>those ones from a specific chain.
>>So, I save them with iptables-save -C <chain-name>, flush, and then
>>run iptables-restore on them.
>
> But if chain-name is not a base chain, then you wipe out the
> main rules for all practical purposes.

Actually, after flushing all rules, I load a preset set of rules and
only then run iptables-restore.
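The save/flush/restore procedure Jonh describes, and the single-chain filtering the patch adds, can be done in userspace on the output of a plain `iptables-save`. The script below is an added example; it is not the patch, not Jonh's script and not iptables project code. The dump in `SAMPLE` is a constructed sample, and `extract_chain` and `missing_targets` are names chosen here. It goes a little beyond the patch on two points: tables that do not contain the chain are dropped instead of being emitted empty, and it reports the user-defined chains the extracted rules jump to, which is the "not a base chain" problem Jan raises, because a dump that jumps to a chain it does not contain cannot be restored on its own.

```shell
#!/bin/sh
# Added example, not part of the patch, the thread or iptables itself.
# extract_chain does in awk what "iptables-save -C chain" proposes to do
# in C; missing_targets shows why a lone user-defined chain is often not
# restorable by itself. The dump below is constructed, not captured.

# Keep only the table blocks that contain chain $1; inside them keep the
# "*table" header, the chain's own ":name policy [pkts:bytes]" line, its
# "-A name ..." rules and the closing COMMIT. Comments and all other
# chains are dropped. Tables without the chain produce no output at all.
extract_chain() {
    awk -v c="$1" '
        function emit() {
            if (hit) printf "%s", buf
            buf = ""; hit = 0
        }
        /^\*/ { emit(); buf = $0 "\n"; next }
        /^:/ {
            n = index($0, " ")
            if (substr($0, 2, n - 2) == c) { buf = buf $0 "\n"; hit = 1 }
            next
        }
        /^-A / { if ($2 == c) buf = buf $0 "\n"; next }
        /^COMMIT$/ { buf = buf $0 "\n"; emit(); next }
    '
}

# Print the user-defined chains (declared ":name - [...]" in the full
# dump $1) that the extracted chain $2 jumps to with -j or -g. Each one
# must exist in the kernel, or be restored alongside, before the extract
# is loaded; otherwise iptables-restore rejects the rule that jumps to it.
missing_targets() {
    user_chains=$(awk '/^:/ && $2 == "-" { print substr($1, 2) }' "$1" | tr '\n' ' ')
    extract_chain "$2" < "$1" | awk -v list="$user_chains" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) user[a[i]] = 1 }
        /^-A / {
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && ($(i + 1) in user)) print $(i + 1)
        }
    ' | sort -u
}

# Constructed iptables-save output: a NAT table without the chain of
# interest, and a filter table where wifi_clients jumps to log_drop.
SAMPLE='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:wifi_clients - [0:0]
:log_drop - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i wlan0 -j wifi_clients
-A wifi_clients -p tcp --dport 22 -j ACCEPT
-A wifi_clients -p udp --dport 53 -j ACCEPT
-A wifi_clients -j log_drop
-A log_drop -j LOG --log-prefix "drop: "
-A log_drop -j DROP
COMMIT'

# Demo on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE" > "$tmp"
echo "== extract of wifi_clients =="
extract_chain wifi_clients < "$tmp"
echo "== user chains it jumps to that are not in the extract =="
missing_targets "$tmp" wifi_clients
rm -f "$tmp"
```

Feed the extract to `iptables-restore -n` (`--noflush`). Without `-n`, iptables-restore flushes every table named in its input before loading it, so a one-chain dump replaces the whole filter table instead of putting the chain back next to the preset rules. Anything `missing_targets` prints has to be present, or appended to the extract, before that restore runs.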
diff --git a/iptables/iptables-save.8 b/iptables/iptables-save.8 index c2e0a94..2f510d0 100644 --- a/iptables/iptables-save.8 +++ b/iptables/iptables-save.8 @@ -1,4 +1,4 @@ -.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" "" +.TH IPTABLES-SAVE 8 "Feb 25, 2013" "" "" .\" .\" Man page written by Harald Welte <laforge@gnumonks.org> .\" It is based on the iptables man page. @@ -22,7 +22,7 @@ iptables-save \(em dump iptables rules to stdout .SH SYNOPSIS \fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP] -[\fB\-t\fP \fItable\fP] +[\fB\-t\fP \fItable\fP] [\fB\-C\fP \fIchain\fP] .SH DESCRIPTION .PP .B iptables-save @@ -39,6 +39,10 @@ include the current values of all packet and byte counters in the output \fB\-t\fR, \fB\-\-table\fR \fItablename\fP restrict output to only one table. If not specified, output includes all available tables. +.TP +\fB\-C\fR, \fB\-\-chain\fR \fIchainname\fP +restrict output to only one chain. If not specified, output includes all +available chains. .SH BUGS None known as of iptables-1.2.1 release .SH AUTHOR diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c index e599fce..aae77b6 100644 --- a/iptables/iptables-save.c +++ b/iptables/iptables-save.c @@ -22,12 +22,14 @@ #endif static int show_counters = 0; +static char *chainname = NULL; static const struct option options[] = { {.name = "counters", .has_arg = false, .val = 'c'}, {.name = "dump", .has_arg = false, .val = 'd'}, {.name = "table", .has_arg = true, .val = 't'}, {.name = "modprobe", .has_arg = true, .val = 'M'}, + {.name = "chain", .has_arg = true, .val = 'C'}, {NULL}, }; @@ -85,6 +87,9 @@ static int do_output(const char *tablename) chain; chain = iptc_next_chain(h)) { + if (chainname && *chainname && strcmp(chain, chainname)) + continue; + printf(":%s ", chain); if (iptc_builtin(chain, h)) { struct xt_counters count; 
@@ -101,6 +106,9 @@ static int do_output(const char *tablename) chain = iptc_next_chain(h)) { const struct ipt_entry *e; + if (chainname && *chainname && strcmp(chain, chainname)) + continue; + /* Dump out rules */ e = iptc_first_rule(chain, h); while(e) { @@ -140,7 +148,7 @@ iptables_save_main(int argc, char *argv[]) init_extensions4(); #endif - while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) { + while ((c = getopt_long(argc, argv, "bcdt:C:", options, NULL)) != -1) { switch (c) { case 'c': show_counters = 1; @@ -153,6 +161,9 @@ iptables_save_main(int argc, char *argv[]) case 'M': xtables_modprobe_program = optarg; break; + case 'C': + chainname = optarg; + break; case 'd': do_output(tablename); exit(0);
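Review bot: the new `-C`/`--chain` paragraph in iptables-save.8 should state the scope and the failure mode of the option. The filter compares the chain name only, so without `-t` it applies to every table and a user chain with the same name in two tables is dumped from both; and nothing in the patch rejects a name that matches no chain, the loops just `continue` past every chain and iptables-save exits 0 with a dump that contains no chain lines. Since the stated purpose is to feed the result to iptables-restore, the paragraph should also say that a single-chain dump replaces the whole table on restore unless `-n`/`--noflush` is given, which is the "not a base chain" problem raised in the thread. Something like `If no chain of that name exists, no chain lines are written. Use iptables-restore -n to merge the result into an existing ruleset.` would cover both.

Review bot: the test `if (chainname && *chainname && strcmp(chain, chainname)) continue;` is copied verbatim into both the chain-header loop and the rule loop of do_output; a one-line helper such as `static bool chain_selected(const char *chain)` keeps the two from drifting apart. Two behaviours of that test also deserve a deliberate decision: `*chainname` makes `-C ""` silently mean "all chains", where an error would be less surprising; and there is no existence check, so a misspelt name yields output with no chain lines and a zero exit status. Calling libiptc's `iptc_is_chain(chainname, h)` once the table handle is open would let do_output report the miss on stderr and return non-zero instead.

Review bot: `case 'd'` calls `do_output(tablename)` and exits from inside the getopt_long loop, so the new option is order-sensitive: `-d -C foo` dumps before chainname is assigned, while `-C foo -d` filters. The same problem already exists for `-t`, but this hunk extends it to `-C`. Either move the `-d` dump after the option loop finishes, or document that `-C` must precede `-d`.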