iptables-save - suggest patch to add functionality

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Package: iptables

Dear Maintainers,
 
Please find attached a suggest patch to add functionality in iptables-save.

-------------------------------------------------------------------------------

1) Adding -z or --zero option: Reset to zero counters of the chains.

Example without:

iptables-save
# Generated by iptables-save v1.6.1 on Tue Jan  9 21:42:51 2018
*nat
:PREROUTING ACCEPT [923:217673]
:INPUT ACCEPT [309:97481]
(...)

Example with:

iptables-save -z
# Generated by iptables-save v1.6.1 on Tue Jan  9 21:42:26 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
(...)

-------------------------------------------------------------------------------

2) Adding -h or --help option: print help/usage (inspired by manpage)

Content:

iptables-save -h
iptables-save and ip6tables-save are provides from iptables package — version 1.6.1

iptables-save and ip6tables-save are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.

Usage: iptables-save  [-h] [-M modprobe] [-c] [-z] [-t table]
       ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table]

Options:
Either long or short options are allowed.

  -h, --help
      Print this help usage.

  -M, --modprobe modprobe_program
      Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/mod‐probe to determine the executable's path.

  -c, --counters
      Include the current values of all packet and byte counters in the output.

  -z, --zero
      Reset to zero counters of the chains.

  -t, --table tablename
      Restrict output to only one table. If not specified, output includes all available tables.

  -f, --file filename
      Specify a filename to log the output to. If not specified, iptables-save will log to STDOUT.

 -------------------------------------------------------------------------------

3) Layout layout: uppercase, dot...


Best regards,

Alban Vidal

----------------------
-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index 8e3a6afd..466ce0ce 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -3,6 +3,8 @@
  * Original code: iptables-save
  * Authors: Paul 'Rusty' Russel <rusty@xxxxxxxxxxxxxxxx> and
  *          Harald Welte <laforge@xxxxxxxxxxxx>
+ * Contributor: Alban Vidal <alban.vidal@xxxxxxxxxx>
+ *
  * This code is distributed under the terms of GNU GPL v2
  */
 #include <getopt.h>
@@ -18,18 +20,12 @@
 #include "libiptc/libip6tc.h"
 #include "ip6tables.h"
 #include "ip6tables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
 
-static int show_counters;
-
-static const struct option options[] = {
-	{.name = "counters", .has_arg = false, .val = 'c'},
-	{.name = "dump",     .has_arg = false, .val = 'd'},
-	{.name = "table",    .has_arg = true,  .val = 't'},
-	{.name = "modprobe", .has_arg = true,  .val = 'M'},
-	{.name = "file",     .has_arg = true,  .val = 'f'},
-	{NULL},
-};
+static int show_counters = 0;
 
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
 
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
@@ -96,7 +92,10 @@ static int do_output(const char *tablename)
 			struct xt_counters count;
 			printf("%s ",
 			       ip6tc_get_policy(chain, &count, h));
-			printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+			if (rst_chain_counters > 0)
+				printf("[0:0]\n"); /* Reset to zero counters of the chains */
+			else
+				printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 		} else {
 			printf("- [0:0]\n");
 		}
@@ -146,7 +145,7 @@ int ip6tables_save_main(int argc, char *argv[])
 	init_extensions6();
 #endif
 
-	while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "bhcdzt:M:f:", options, NULL)) != -1) {
 		switch (c) {
 		case 'b':
 			fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -154,14 +153,20 @@ int ip6tables_save_main(int argc, char *argv[])
 		case 'c':
 			show_counters = 1;
 			break;
-
 		case 't':
 			/* Select specific table. */
 			tablename = optarg;
 			break;
+		case 'h':
+			/* Print Help and quit */
+			print_help_usage();
+			break;
 		case 'M':
 			xtables_modprobe_program = optarg;
 			break;
+		case 'z':
+			rst_chain_counters = 1;
+			break;
 		case 'f':
 			file = fopen(optarg, "w");
 			if (file == NULL) {
diff --git a/iptables/ipXtables-save-common.c b/iptables/ipXtables-save-common.c
index e69de29b..3287fc51 100644
--- a/iptables/ipXtables-save-common.c
+++ b/iptables/ipXtables-save-common.c
@@ -0,0 +1,63 @@
+/* Common code for iptables-save.c and ip6tables-save.c */
+/* (C) 2018 by Alban Vidal <alban.vidal@xxxxxxxxxx>
+ *
+ * This code is distributed under the terms of GNU GPL v2
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h>  /* struct option */
+#include <stdbool.h> /* true/false */
+
+/* Summary help usage */
+static void print_help_usage()
+{
+	printf(
+	    "iptables-save and ip6tables-save are provides from iptables package â?? version %s\n"
+	    "\n"
+	    "iptables-save and ip6tables-save are used to dump the contents of IP or "
+	    "IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection "
+	    "provided by your shell to write to a file.\n"
+	    "\n"
+	    "Usage: iptables-save  [-h] [-M modprobe] [-c] [-z] [-t table] [-f filename]\n"
+	    "       ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table] [-f filename]\n"
+	    "\n"
+	    "Options:\n"
+	    "Either long or short options are allowed.\n"
+	    "\n"
+	    "  -h, --help\n"
+	    "      Print this help usage.\n"
+	    "\n"
+	    "  -M, --modprobe modprobe_program\n"
+	    "      Specify the path to the modprobe program. By default, iptables-save "
+	    "will inspect /proc/sys/kernel/modâ??probe to determine the executable's path.\n"
+	    "\n"
+	    "  -c, --counters\n"
+	    "      Include the current values of all packet and byte counters in the output.\n"
+	    "\n"
+	    "  -z, --zero\n"
+	    "      Reset to zero counters of the chains.\n"
+	    "\n"
+	    "  -t, --table tablename\n"
+	    "      Restrict output to only one table. If not specified, output includes "
+	    "all available tables.\n"
+	    "\n"
+	    "  -f, --file filename\n"
+	    "      Specify a filename to log the output to. If not specified, iptables-save "
+	    "will log to STDOUT.\n"
+	    , IPTABLES_VERSION
+	);
+
+	exit(0);
+}
+
+static const struct option options[] = {
+	{.name = "help",     .has_arg = false, .val = 'h'},
+	{.name = "counters", .has_arg = false, .val = 'c'},
+	{.name = "dump",     .has_arg = false, .val = 'd'},
+	{.name = "zero",     .has_arg = false, .val = 'z'},
+	{.name = "table",    .has_arg = true,  .val = 't'},
+	{.name = "modprobe", .has_arg = true,  .val = 'M'},
+	{.name = "file",     .has_arg = true,  .val = 'f'},
+	{NULL},
+};
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 51e11f3e..0ee0f513 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -23,11 +23,11 @@ iptables-save \(em dump iptables rules
 .P
 ip6tables-save \(em dump iptables rules
 .SH SYNOPSIS
-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+\fBiptables\-save\fP  [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .P
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+\fBip6tables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-save
@@ -36,6 +36,9 @@ and
 are used to dump the contents of IP or IPv6 Table in easily parseable format
 either to STDOUT or to a specified file.
 .TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help usage and quit.
+.TP
 \fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
 Specify the path to the modprobe program. By default, iptables-save will
 inspect /proc/sys/kernel/modprobe to determine the executable's path.
@@ -45,19 +48,24 @@ Specify a filename to log the output to. If not specified, iptables-save
 will log to STDOUT.
 .TP
 \fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
+Include the current values of all packet and byte counters in the output.
+.TP
+\fB\-z\fR, \fB\-\-zero\fR
+Reset to zero counters of the chains.
 .TP
 \fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
+Restrict output to only one table. If not specified, output includes all
 available tables.
 .SH BUGS
-None known as of iptables-1.2.1 release
+None known as of iptables-1.2.1 release.
 .SH AUTHORS
-Harald Welte <laforge@xxxxxxxxxxxx>
+Harald Welte <laforge@xxxxxxxxxxxx>,
+.br
+Rusty Russell <rusty@xxxxxxxxxxxxxxx>,
 .br
-Rusty Russell <rusty@xxxxxxxxxxxxxxx>
+Andras Kis-Szabo <kisza@xxxxxxxxxx> contributed ip6tables-save,
 .br
-Andras Kis-Szabo <kisza@xxxxxxxxxx> contributed ip6tables-save.
+Alban Vidal <alban.vidal@xxxxxxxxxx> contributed ip[6]tables-save.
 .SH SEE ALSO
 \fBiptables\-restore\fP(8), \fBiptables\fP(8)
 .PP
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index d59bd34a..d6abdb93 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -1,6 +1,8 @@
 /* Code to save the iptables state, in human readable-form. */
 /* (C) 1999 by Paul 'Rusty' Russell <rusty@xxxxxxxxxxxxxxx> and
  * (C) 2000-2002 by Harald Welte <laforge@xxxxxxxxxxxx>
+ * Contributor:
+ * (C) 2018 by Alban Vidal <alban.vidal@xxxxxxxxxx>
  *
  * This code is distributed under the terms of GNU GPL v2
  *
@@ -17,17 +19,12 @@
 #include "libiptc/libiptc.h"
 #include "iptables.h"
 #include "iptables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
 
-static int show_counters;
+static int show_counters = 0;
 
-static const struct option options[] = {
-	{.name = "counters", .has_arg = false, .val = 'c'},
-	{.name = "dump",     .has_arg = false, .val = 'd'},
-	{.name = "table",    .has_arg = true,  .val = 't'},
-	{.name = "modprobe", .has_arg = true,  .val = 'M'},
-	{.name = "file",     .has_arg = true,  .val = 'f'},
-	{NULL},
-};
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
 
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
@@ -94,7 +91,10 @@ static int do_output(const char *tablename)
 			struct xt_counters count;
 			printf("%s ",
 			       iptc_get_policy(chain, &count, h));
-			printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+			if (rst_chain_counters > 0)
+				printf("[0:0]\n"); /* Reset to zero counters of the chains */
+			else
+				printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 		} else {
 			printf("- [0:0]\n");
 		}
@@ -145,7 +145,7 @@ iptables_save_main(int argc, char *argv[])
 	init_extensions4();
 #endif
 
-	while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "bhcdzt:M:f:", options, NULL)) != -1) {
 		switch (c) {
 		case 'b':
 			fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -153,14 +153,20 @@ iptables_save_main(int argc, char *argv[])
 		case 'c':
 			show_counters = 1;
 			break;
-
 		case 't':
 			/* Select specific table. */
 			tablename = optarg;
 			break;
+		case 'h':
+			/* Print Help and quit */
+			print_help_usage();
+			break;
 		case 'M':
 			xtables_modprobe_program = optarg;
 			break;
+		case 'z':
+			rst_chain_counters = 1;
+			break;
 		case 'f':
 			file = fopen(optarg, "w");
 			if (file == NULL) {

Attachment: iptables-save_alban.tar.gz
Description: application/gzip


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux