Re: iptables-save - suggest patch to add functionality


 



Package: iptables

Dear Maintainers,

Le 11/03/2018 à 21:57, Pablo Neira Ayuso a écrit :
> Hi Alban,
>
> On Tue, Jan 23, 2018 at 11:44:22AM +0100, Alban Vidal wrote:
>> 1) Adding -z or --zero option: Reset to zero counters of the chains.
> I have no objections to this -z feature, but better use -Z uppercase
> instead, so we match it with the existing -Z in iptables that only
> refers to chains too.
>
> A single patch for this new feature is preferred.
> Could you also update xtables-save BTW? This is the compat tool to
> save iptables-compat listings from nftables.

The first patch is attached. I have changed it to use the uppercase -Z option and
updated the man page.
« xtables-save » is also updated.

Output examples:

iptables-save -Z
# Generated by iptables-save v1.6.2 on Mon Mar 12 23:30:16 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
(...)

xtables-multi save4 -Z
# Generated by iptables-save v1.6.2 on Mon Mar 12 23:30:42 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
(...)

>> 2) Adding -h or --help option: print help/usage (inspired by manpage)
> Fine, but place this in a separated patch, no need for common file.
> Don't bother about copy and paste.

I will send you the second patch, for the -h option, after you have pushed the first.

>> diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
>> index 8e3a6afd..466ce0ce 100644
>> --- a/iptables/ip6tables-save.c
>> +++ b/iptables/ip6tables-save.c
>> @@ -3,6 +3,8 @@
>>   * Original code: iptables-save
>>   * Authors: Paul 'Rusty' Russel <rusty@xxxxxxxxxxxxxxxx> and
>>   *          Harald Welte <laforge@xxxxxxxxxxxx>
>> + * Contributor: Alban Vidal <alban.vidal@xxxxxxxxxx>
> These days, git already registers this, previous lines are just there
> for historical reasons. So please, remove this.
Done! I removed it from the source code.

Best regards,
Alban Vidal

Attachment: iptables-save_patch1.tar.gz
Description: application/gzip

diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index 8e3a6afd..a94beffc 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -19,11 +19,15 @@
 #include "ip6tables.h"
 #include "ip6tables-multi.h"
 
-static int show_counters;
+static int show_counters = false;
+
+/* if true (opt -Z, --zero): Reset to zero counters of the chains */
+static int rst_chain_counters = false;
 
 static const struct option options[] = {
 	{.name = "counters", .has_arg = false, .val = 'c'},
 	{.name = "dump",     .has_arg = false, .val = 'd'},
+	{.name = "zero",     .has_arg = false, .val = 'Z'},
 	{.name = "table",    .has_arg = true,  .val = 't'},
 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
 	{.name = "file",     .has_arg = true,  .val = 'f'},
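Review bot: `static int rst_chain_counters = false;` and `show_counters = false` assign the `false` macro to an `int`; `false` is only declared if `<stdbool.h>` is included somewhere (directly or via ip6tables.h), which this hunk does not show, and xtables-save.c in the same series already declares `show_counters` as `bool`. Either declare both flags as `bool` for consistency with xtables-save.c, or keep them `int` and use `0`. The comment on the new flag also promises more than the flag does: `/* if true (opt -Z, --zero): Reset to zero counters of the chains */` reads as a kernel-side reset, whereas the flag is only consulted when printing in do_output later in this patch; suggest `/* -Z/--zero: print built-in chain policy counters as [0:0] instead of their live values */`.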
@@ -96,7 +100,13 @@ static int do_output(const char *tablename)
 			struct xt_counters count;
 			printf("%s ",
 			       ip6tc_get_policy(chain, &count, h));
-			printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+			if (!rst_chain_counters) {
+				/* Default value, print count */
+				printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+			} else {
+				/* Reset to zero counters of the chains */
+				printf("[0:0]\n");
+			}
 		} else {
 			printf("- [0:0]\n");
 		}
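Review bot: The new else branch prints the literal `[0:0]` and calls nothing that clears the kernel counters, so `-Z` here is an output filter, not a reset, unlike `iptables -Z` whose name it borrows and which does zero the live counters. The comment `/* Reset to zero counters of the chains */` (and the man page text added in this series, which says "Reset to zero") will mislead an operator who relies on iptables-save output for accounting or audit evidence, or who expects the live counters to be cleared afterwards; suggest `/* -Z: emit [0:0] so a later restore does not carry over policy counters; kernel counters are left untouched */`, and the same wording in the man page. Also note that this branch only affects the built-in chain policy line, since the non-builtin branch already prints `- [0:0]`; per-rule counters are printed elsewhere. do_output starts and ends outside this hunk.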
@@ -146,15 +156,17 @@ int ip6tables_save_main(int argc, char *argv[])
 	init_extensions6();
 #endif
 
-	while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "bcZdt:M:f:", options, NULL)) != -1) {
 		switch (c) {
 		case 'b':
 			fprintf(stderr, "-b/--binary option is not implemented\n");
 			break;
 		case 'c':
-			show_counters = 1;
+			show_counters = true;
+			break;
+		case 'Z':
+			rst_chain_counters = true;
 			break;
-
 		case 't':
 			/* Select specific table. */
 			tablename = optarg;
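Review bot: `-Z` is accepted together with `-c` without any check, yet as far as this patch shows the two interact oddly: `-Z` zeroes only the policy counters printed in do_output, while `-c` makes per-rule counters (printed outside this hunk) show their live values, so `-c -Z` output mixes zeroed and live figures. Either document that combination in the man page or reject it at parse time, e.g. after the loop `if (show_counters && rst_chain_counters) { fprintf(stderr, "-c and -Z are mutually exclusive\n"); exit(1); }`, whichever the maintainers prefer. ip6tables_save_main starts and ends outside this hunk.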
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 51e11f3e..200d6448 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -24,10 +24,10 @@ iptables-save \(em dump iptables rules
 ip6tables-save \(em dump iptables rules
 .SH SYNOPSIS
 \fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+[\fB\-Z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .P
 \fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+[\fB\-Z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-save
@@ -45,19 +45,24 @@ Specify a filename to log the output to. If not specified, iptables-save
 will log to STDOUT.
 .TP
 \fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
+Include the current values of all packet and byte counters in the output.
+.TP
+\fB\-Z\fR, \fB\-\-zero\fR
+Reset to zero counters of the chains.
 .TP
 \fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
+Restrict output to only one table. If not specified, output includes all
 available tables.
 .SH BUGS
 None known as of iptables-1.2.1 release
 .SH AUTHORS
-Harald Welte <laforge@xxxxxxxxxxxx>
+Harald Welte <laforge@xxxxxxxxxxxx>,
+.br
+Rusty Russell <rusty@xxxxxxxxxxxxxxx>,
 .br
-Rusty Russell <rusty@xxxxxxxxxxxxxxx>
+Andras Kis-Szabo <kisza@xxxxxxxxxx> contributed ip6tables-save,
 .br
-Andras Kis-Szabo <kisza@xxxxxxxxxx> contributed ip6tables-save.
+Alban Vidal <alban.vidal@xxxxxxxxxx> contributed ip[6]tables-save.
 .SH SEE ALSO
 \fBiptables\-restore\fP(8), \fBiptables\fP(8)
 .PP
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index d59bd34a..7e16684d 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -18,11 +18,15 @@
 #include "iptables.h"
 #include "iptables-multi.h"
 
-static int show_counters;
+static int show_counters = false;
+
+/* if true (opt -Z, --zero): Reset to zero counters of the chains */
+static int rst_chain_counters = false;
 
 static const struct option options[] = {
 	{.name = "counters", .has_arg = false, .val = 'c'},
 	{.name = "dump",     .has_arg = false, .val = 'd'},
+	{.name = "zero",     .has_arg = false, .val = 'Z'},
 	{.name = "table",    .has_arg = true,  .val = 't'},
 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
 	{.name = "file",     .has_arg = true,  .val = 'f'},
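Review bot: As in ip6tables-save.c, `static int rst_chain_counters = false;` and `show_counters = false` rely on the `false` macro for `int` variables; unless `<stdbool.h>` is already pulled in by iptables.h (not visible here) this will not compile, and xtables-save.c uses `bool` for the same flag. Use `bool` for both flags, or `0` with `int`. The flag comment should describe what the code does rather than a kernel reset: `/* -Z/--zero: print built-in chain policy counters as [0:0] instead of their live values */`.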
@@ -94,7 +98,13 @@ static int do_output(const char *tablename)
 			struct xt_counters count;
 			printf("%s ",
 			       iptc_get_policy(chain, &count, h));
-			printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+			if (!rst_chain_counters) {
+				/* Default value, print count */
+				printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+			} else {
+				/* Reset to zero counters of the chains */
+				printf("[0:0]\n");
+			}
 		} else {
 			printf("- [0:0]\n");
 		}
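Review bot: `printf("[0:0]\n")` under the comment `/* Reset to zero counters of the chains */` does not reset anything; the live counters are still read by `iptc_get_policy` and simply not printed, so the option is a presentation choice and the comment and man page wording ("Reset to zero") overstate it in a way that matters for anyone using the saved output as an audit record. Suggest `/* -Z: emit [0:0] so a later restore does not carry over policy counters; kernel counters are left untouched */`. The `count` variable is still filled by `iptc_get_policy` in the -Z case and then unused, which is harmless but worth a word in the comment. do_output starts and ends outside this hunk.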
@@ -145,15 +155,17 @@ iptables_save_main(int argc, char *argv[])
 	init_extensions4();
 #endif
 
-	while ((c = getopt_long(argc, argv, "bcdt:M:f:", options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "bcZdt:M:f:", options, NULL)) != -1) {
 		switch (c) {
 		case 'b':
 			fprintf(stderr, "-b/--binary option is not implemented\n");
 			break;
 		case 'c':
-			show_counters = 1;
+			show_counters = true;
+			break;
+		case 'Z':
+			rst_chain_counters = true;
 			break;
-
 		case 't':
 			/* Select specific table. */
 			tablename = optarg;
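Review bot: The `-Z` case is parsed independently of `-c`, so `-c -Z` is accepted although, from what this patch shows, it yields zeroed policy counters next to live per-rule counters; either document that or reject the combination after the getopt loop, e.g. `if (show_counters && rst_chain_counters) { fprintf(stderr, "-c and -Z are mutually exclusive\n"); exit(1); }`. iptables_save_main starts and ends outside this hunk.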
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 5b498b04..6167bc71 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -28,9 +28,13 @@
 
 static bool show_counters = false;
 
+/* if true (opt -Z, --zero): Reset to zero counters of the chains */
+static int rst_chain_counters = false;
+
 static const struct option options[] = {
 	{.name = "counters", .has_arg = false, .val = 'c'},
 	{.name = "dump",     .has_arg = false, .val = 'd'},
+	{.name = "zero",     .has_arg = false, .val = 'Z'},
 	{.name = "table",    .has_arg = true,  .val = 't'},
 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
 	{.name = "file",     .has_arg = true,  .val = 'f'},
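Review bot: `static int rst_chain_counters = false;` is declared directly below `static bool show_counters = false;` in the same file; for consistency with the line above it should be `static bool rst_chain_counters = false;`. The comment should also match what the flag can do in this file, e.g. `/* -Z/--zero: print chain policy counters as [0:0] (no kernel-side reset) */`.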
@@ -107,7 +111,7 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
-	while ((c = getopt_long(argc, argv, "bcdt:M:f:46", options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "bcZdt:M:f:46", options, NULL)) != -1) {
 		switch (c) {
 		case 'b':
 			fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -115,7 +119,9 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 		case 'c':
 			show_counters = true;
 			break;
-
+		case 'Z':
+			rst_chain_counters = true;
+			break;
 		case 't':
 			/* Select specific table. */
 			tablename = optarg;
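Review bot: In xtables-save.c the new `rst_chain_counters` flag is set here but nothing in this patch reads it; unlike the ip6tables-save.c/iptables-save.c hunks there is no change to the code that emits the chain policy lines, so as far as the diff shows `xtables-save -Z` is accepted and silently does nothing (the `[0:0]` in the example output may simply be counters that were already zero). Either wire the flag into the nft save path in the same patch, or reject it explicitly until that is done, mirroring the existing `-b` handling a few lines above: `case 'Z': fprintf(stderr, "-Z/--zero option is not implemented\n"); break;`. xtables_save_main starts and ends outside this hunk.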

