Package: iptables Dear Maintainers, Please find attached a suggested patch to add functionality in iptables-save. ------------------------------------------------------------------------------- 1) Adding -z or --zero option: Reset to zero counters of the chains. Example without: iptables-save # Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:51 2018 *nat :PREROUTING ACCEPT [923:217673] :INPUT ACCEPT [309:97481] (...) Example with: iptables-save -z # Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:26 2018 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] (...) ------------------------------------------------------------------------------- 2) Adding -h or --help option: print help/usage (inspired by the manpage) Content: iptables-save -h iptables-save and ip6tables-save are provides from iptables package — version 1.6.1 iptables-save and ip6tables-save are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file. Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table] ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table] Options: Either long or short options are allowed. -h, --help Print this help usage. -M, --modprobe modprobe_program Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/mod‐probe to determine the executable's path. -c, --counters Include the current values of all packet and byte counters in the output. -z, --zero Reset to zero counters of the chains. -t, --table tablename Restrict output to only one table. If not specified, output includes all available tables. -f, --file filename Specify a filename to log the output to. If not specified, iptables-save will log to STDOUT. ------------------------------------------------------------------------------- 3) Layout: uppercase, dot... 
Best regards, Alban Vidal ---------------------- -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index 8e3a6afd..466ce0ce 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -3,6 +3,8 @@
 * Original code: iptables-save
 * Authors: Paul 'Rusty' Russel <rusty@xxxxxxxxxxxxxxxx> and
 * Harald Welte <laforge@xxxxxxxxxxxx>
+ * Contributor: Alban Vidal <alban.vidal@xxxxxxxxxx>
+ *
 * This code is distributed under the terms of GNU GPL v2
 */
 #include <getopt.h>
@@ -18,18 +20,12 @@
 #include "libiptc/libip6tc.h"
 #include "ip6tables.h"
 #include "ip6tables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
-static int show_counters;
-
-static const struct option options[] = {
- {.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "dump", .has_arg = false, .val = 'd'},
- {.name = "table", .has_arg = true, .val = 't'},
- {.name = "modprobe", .has_arg = true, .val = 'M'},
- {.name = "file", .has_arg = true, .val = 'f'},
- {NULL},
-};
+static int show_counters = 0;
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
@@ -96,7 +92,10 @@ static int do_output(const char *tablename)
 struct xt_counters count;
 printf("%s ",
 ip6tc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ if (rst_chain_counters > 0)
+ printf("[0:0]\n"); /* Reset to zero counters of the chains */
+ else
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 } else {
 printf("- [0:0]\n");
 }
@@ -146,7 +145,7 @@ int ip6tables_save_main(int argc, char *argv[])
 init_extensions6();
 #endif
- while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bhcdzt:M:f:", options, NULL)) != -1) {
 switch (c) {
 case 'b':
 fprintf(stderr, "-b/--binary option is not implemented\n");
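Review bot: The new `-z` branch in do_output only substitutes a literal `[0:0]` for the values in `count`; the counters returned by ip6tc_get_policy are never touched, so the comment `/* Reset to zero counters of the chains */`, the static's comment and the option name "zero" all promise a reset that this code does not perform (presumably the counters only become zero when the saved file is later restored with counters, which is worth saying explicitly so an operator does not expect the live audit counters to be cleared). I would document the flag as `/* -z: print chain policy counters as [0:0] instead of their current values; the kernel counters are not modified */` and test it as `if (rst_chain_counters)` rather than `> 0`. The identical do_output and declaration hunks appear again in iptables-save.c at the end of the patch, where the same wording applies. As a point of style, `#include "ipXtables-save-common.c"` textually pulls a whole translation unit into two files; the shared `options[]` table and the help function would conventionally live in a header plus one compiled object, and `static int show_counters = 0;` is a no-op change since file-scope statics are already zero-initialized.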
@@ -154,14 +153,20 @@ int ip6tables_save_main(int argc, char *argv[])
 case 'c':
 show_counters = 1;
 break;
-
 case 't':
 /* Select specific table. */
 tablename = optarg;
 break;
+ case 'h':
+ /* Print Help and quit */
+ print_help_usage();
+ break;
 case 'M':
 xtables_modprobe_program = optarg;
 break;
+ case 'z':
+ rst_chain_counters = 1;
+ break;
 case 'f':
 file = fopen(optarg, "w");
 if (file == NULL) {
diff --git a/iptables/ipXtables-save-common.c b/iptables/ipXtables-save-common.c
index e69de29b..3287fc51 100644
--- a/iptables/ipXtables-save-common.c
+++ b/iptables/ipXtables-save-common.c
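Review bot: `case 'h'` calls print_help_usage(), which exits the process, so the `break` after it is unreachable; the real concern is ordering, because options are acted on in command-line order and `-f out -h` opens the output file before the help is printed (the `-f` handling continues past the end of the hunk, and if it redirects stdout into that file, the help text ends up in the file rather than on the terminal). I would either handle `-h` in a first scan of argv before the main getopt_long loop, or defer the fopen until parsing has finished, so that help never has side effects. The same switch hunk is repeated for iptables-save.c at the end of the patch. The enclosing function ip6tables_save_main starts and ends outside the hunk.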
@@ -0,0 +1,63 @@
+/* Common code for iptables-save.c and ip6tables-save.c */
+/* (C) 2018 by Alban Vidal <alban.vidal@xxxxxxxxxx>
+ *
+ * This code is distributed under the terms of GNU GPL v2
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h> /* struct option */
+#include <stdbool.h> /* true/false */
+
+/* Summary help usage */
+static void print_help_usage()
+{
+ printf(
+ "iptables-save and ip6tables-save are provides from iptables package â?? version %s\n"
+ "\n"
+ "iptables-save and ip6tables-save are used to dump the contents of IP or " "IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection " "provided by your shell to write to a file.\n"
+ "\n"
+ "Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table] [-f filename]\n"
+ " ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table] [-f filename]\n"
+ "\n"
+ "Options:\n"
+ "Either long or short options are allowed.\n"
+ "\n"
+ " -h, --help\n"
+ " Print this help usage.\n"
+ "\n"
+ " -M, --modprobe modprobe_program\n"
+ " Specify the path to the modprobe program. By default, iptables-save " "will inspect /proc/sys/kernel/modâ??probe to determine the executable's path.\n"
+ "\n"
+ " -c, --counters\n"
+ " Include the current values of all packet and byte counters in the output.\n"
+ "\n"
+ " -z, --zero\n"
+ " Reset to zero counters of the chains.\n"
+ "\n"
+ " -t, --table tablename\n"
+ " Restrict output to only one table. If not specified, output includes " "all available tables.\n"
+ "\n"
+ " -f, --file filename\n"
+ " Specify a filename to log the output to. If not specified, iptables-save "
+ "will log to STDOUT.\n"
+ , IPTABLES_VERSION
+ );
+
+ exit(0);
+}
+
+static const struct option options[] = {
+ {.name = "help", .has_arg = false, .val = 'h'},
+ {.name = "counters", .has_arg = false, .val = 'c'},
+ {.name = "dump", .has_arg = false, .val = 'd'},
+ {.name = "zero", .has_arg = false, .val = 'z'},
+ {.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
+ {.name = "file", .has_arg = true, .val = 'f'},
+ {NULL},
+};
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 51e11f3e..0ee0f513 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -23,11 +23,11 @@ iptables-save \(em dump iptables rules
 .P
 ip6tables-save \(em dump iptables rules
 .SH SYNOPSIS
-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+\fBiptables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .P
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+\fBip6tables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-save
@@ -36,6 +36,9 @@ and
 are used to dump the contents of IP or IPv6 Table in easily
 parseable format either to STDOUT or to a specified file.
 .TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help usage and quit.
+.TP
 \fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
 Specify the path to the modprobe program. By default, iptables-save will
 inspect /proc/sys/kernel/modprobe to determine the executable's path.
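Review bot: The help text in print_help_usage contains two mis-encoded byte sequences (shown here as `â??`), and the second one corrupts user-facing information: the line prints `/proc/sys/kernel/mod‐probe` with a non-ASCII hyphen copied from the rendered man page, so the path a user would copy is wrong; it should read `"will inspect /proc/sys/kernel/modprobe to determine the executable's path.\n"`, and the dash in the version line should likewise be plain ASCII since the string is written out verbatim whatever the locale (the grammar "are provides from" wants fixing in the same line). `static void print_help_usage()` declares no prototype; in C it should be `static void print_help_usage(void)`. `IPTABLES_VERSION` is not brought in by this file's own four includes, so the helper compiles only because the including .c file has presumably already pulled in the header that defines it — worth a comment, or an explicit include, if this file is to stay self-contained. Finally, the file header reads `index e69de29b..3287fc51` with no `new file mode` line, i.e. it was generated against an already-tracked empty file, so the patch will not apply to a tree where ipXtables-save-common.c does not exist yet.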
@@ -45,19 +48,24 @@ Specify a filename to log the output to. If not specified, iptables-save
 will log to STDOUT.
 .TP
 \fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
+Include the current values of all packet and byte counters in the output.
+.TP
+\fB\-z\fR, \fB\-\-zero\fR
+Reset to zero counters of the chains.
 .TP
 \fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
+Restrict output to only one table. If not specified, output includes all
 available tables.
 .SH BUGS
-None known as of iptables-1.2.1 release
+None known as of iptables-1.2.1 release.
 .SH AUTHORS
-Harald Welte <laforge@xxxxxxxxxxxx>
+Harald Welte <laforge@xxxxxxxxxxxx>,
+.br
+Rusty Russell <rusty@xxxxxxxxxxxxxxx>,
 .br
-Rusty Russell <rusty@xxxxxxxxxxxxxxx>
+Andras Kis-Szabo <kisza@xxxxxxxxxx> contributed ip6tables-save,
 .br
-Andras Kis-Szabo <kisza@xxxxxxxxxx> contributed ip6tables-save.
+Alban Vidal <alban.vidal@xxxxxxxxxx> contributed ip[6]tables-save.
 .SH SEE ALSO
 \fBiptables\-restore\fP(8), \fBiptables\fP(8)
 .PP
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index d59bd34a..d6abdb93 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -1,6 +1,8 @@
 /* Code to save the iptables state, in human readable-form. */
 /* (C) 1999 by Paul 'Rusty' Russell <rusty@xxxxxxxxxxxxxxx> and
 * (C) 2000-2002 by Harald Welte <laforge@xxxxxxxxxxxx>
+ * Contributor:
+ * (C) 2018 by Alban Vidal <alban.vidal@xxxxxxxxxx>
 *
 * This code is distributed under the terms of GNU GPL v2
 *
@@ -17,17 +19,12 @@
 #include "libiptc/libiptc.h"
 #include "iptables.h"
 #include "iptables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
-static int show_counters;
+static int show_counters = 0;
-static const struct option options[] = {
- {.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "dump", .has_arg = false, .val = 'd'},
- {.name = "table", .has_arg = true, .val = 't'},
- {.name = "modprobe", .has_arg = true, .val = 'M'},
- {.name = "file", .has_arg = true, .val = 'f'},
- {NULL},
-};
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
@@ -94,7 +91,10 @@ static int do_output(const char *tablename)
 struct xt_counters count;
 printf("%s ",
 iptc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ if (rst_chain_counters > 0)
+ printf("[0:0]\n"); /* Reset to zero counters of the chains */
+ else
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 } else {
 printf("- [0:0]\n");
 }
@@ -145,7 +145,7 @@ iptables_save_main(int argc, char *argv[])
 init_extensions4();
 #endif
- while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bhcdzt:M:f:", options, NULL)) != -1) {
 switch (c) {
 case 'b':
 fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -153,14 +153,20 @@ iptables_save_main(int argc, char *argv[])
 case 'c':
 show_counters = 1;
 break;
-
 case 't':
 /* Select specific table. */
 tablename = optarg;
 break;
+ case 'h':
+ /* Print Help and quit */
+ print_help_usage();
+ break;
 case 'M':
 xtables_modprobe_program = optarg;
 break;
+ case 'z':
+ rst_chain_counters = 1;
+ break;
 case 'f':
 file = fopen(optarg, "w");
 if (file == NULL) {
Attachment:
iptables-save_alban.tar.gz
Description: application/gzip