From: Alban VIDAL <alban.vidal@xxxxxxxxxx>
Add a new '-Z' (or '--zero') option to iptables-save to show zeroed counters for chains when saving rulesets. This option is particularly useful when using a version control system (like git) to track the saved iptables rules, to minimize the delta between different ruleset versions. The option is also added to xtables-save to keep compatibility on the command line, however the functionality is not implemented yet.
Reviewed-by: Antonio Ospite <ao2@xxxxxx>
Signed-off-by: Alban VIDAL <alban.vidal@xxxxxxxxxx>
---
 iptables/iptables-save.8.in | 7 +++++--
 iptables/iptables-save.c | 12 ++++++++++--
 iptables/xtables-save.c | 7 +++++--
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 51e11f3..76ea4ee 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -24,10 +24,10 @@ iptables-save \(em dump iptables rules
 ip6tables-save \(em dump iptables rules
 .SH SYNOPSIS
 \fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+[\fB\-Z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .P
 \fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
+[\fB\-Z\fP] [\fB\-t\fP \fItable\fP] [\fB\-f\fP \fIfilename\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-save
@@ -47,6 +47,9 @@ will log to STDOUT.
 \fB\-c\fR, \fB\-\-counters\fR
 include the current values of all packet and byte counters in the output
 .TP
+\fB\-Z\fR, \fB\-\-zero\fR
+Display zero packet and byte chain counters when saving the ruleset.
+.TP
 \fB\-t\fR, \fB\-\-table\fR \fItablename\fP
 restrict output to only one table. If not specified, output includes all
 available tables.
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index 826cb1e..d20bf85 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -23,10 +23,12 @@
 #include "xshared.h"
 static int show_counters;
+static bool display_zero_counters;
 static const struct option options[] = {
 {.name = "counters", .has_arg = false, .val = 'c'},
 {.name = "dump", .has_arg = false, .val = 'd'},
+ {.name = "zero", .has_arg = false, .val = 'Z'},
 {.name = "table", .has_arg = true, .val = 't'},
 {.name = "modprobe", .has_arg = true, .val = 'M'},
 {.name = "file", .has_arg = true, .val = 'f'},
@@ -104,6 +106,10 @@ static int do_output(struct iptables_save_cb *cb, const char *tablename)
 struct xt_counters count;
 printf("%s ", cb->ops->get_policy(chain, &count, h));
+ if (display_zero_counters) {
+ count.pcnt = 0;
+ count.bcnt = 0;
+ }
 printf("[%llu:%llu]\n",
 (unsigned long long)count.pcnt,
 (unsigned long long)count.bcnt);
@@ -137,7 +143,7 @@ do_iptables_save(struct iptables_save_cb *cb, int argc, char *argv[])
 FILE *file = NULL;
 int ret, c;
- while ((c = getopt_long(argc, argv, "bcdt:M:f:V", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcdZt:M:f:V", options, NULL)) != -1) {
 switch (c) {
 case 'b':
 fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -145,7 +151,9 @@ do_iptables_save(struct iptables_save_cb *cb, int argc, char *argv[])
 case 'c':
 show_counters = 1;
 break;
-
+ case 'Z':
+ display_zero_counters = true;
+ break;
 case 't':
 /* Select specific table. */
 tablename = optarg;
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 87ebb91..cee9137 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -35,6 +35,7 @@ static const struct option options[] = {
 {.name = "counters", .has_arg = false, .val = 'c'},
 {.name = "version", .has_arg = false, .val = 'V'},
 {.name = "dump", .has_arg = false, .val = 'd'},
+ {.name = "zero", .has_arg = false, .val = 'Z'},
 {.name = "table", .has_arg = true, .val = 't'},
 {.name = "modprobe", .has_arg = true, .val = 'M'},
 {.name = "file", .has_arg = true, .val = 'f'},
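Review bot: `static bool display_zero_counters;` sits next to the existing `static int show_counters;`, and the option parser later in this file sets one with `show_counters = 1;` and the other with `display_zero_counters = true;`, so two flags that steer the same output path now follow different conventions. Either keep the file's existing style (`static int display_zero_counters;` and `display_zero_counters = 1;` in the `'Z'` case) or convert `show_counters` in the same patch so the pair reads consistently; xtables-save.c already uses `bool`, so the latter would also align the two tools. If `<stdbool.h>` is not already reached through the headers included above this hunk, the new `bool` needs that include; the include list is not visible here.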
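Review bot: The zeroing added to do_output only blanks the counters of the chain policy line printed by this `printf` pair; when `-c` is also given, the per-rule counters are presumably emitted by the rule-printing path outside this hunk and are not touched, so `-Z -c` output still changes between saves. That matches the man-page wording "chain counters", but the limit deserves a comment at the new `if (display_zero_counters)` so nobody later extends the flag in the wrong place: `/* -Z only blanks the chain policy counters on this line; rule counters shown with -c are not affected. */`. Note that `get_policy` still fills `count` from the kernel before it is overwritten, which is fine but means the counters are read and discarded rather than skipped. do_output starts and ends outside this hunk.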
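Review bot: The new `case 'Z':` in do_iptables_save reuses the letter that `iptables -Z` uses for actually resetting kernel counters, and nothing at the case says that this one is display-only; a reader of the parser, or an operator grepping for `-Z` handling, can easily take it for a reset. A one-line comment at the case removes the ambiguity: `case 'Z': /* display-only: zero the chain counters in the dump, kernel counters are left untouched */`. The dropped empty line between the `'c'` and `'Z'` cases is a harmless cleanup. do_iptables_save continues outside this hunk.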
@@ -141,7 +142,7 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 exit(1);
 }
- while ((c = getopt_long(argc, argv, "bcdt:M:f:46V", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcdZt:M:f:46V", options, NULL)) != -1) {
 switch (c) {
 case 'b':
 fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -149,7 +150,9 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 case 'c':
 show_counters = true;
 break;
-
+ case 'Z':
+ fprintf(stderr, "-Z/--zero option is not implemented yet\n");
+ break;
 case 't':
 /* Select specific table. */
 tablename = optarg;
--
2.20.1
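Review bot: In xtables_save_main the new `case 'Z':` only prints a warning to stderr and then continues, so `xtables-save -Z` exits successfully while still emitting the counters the caller asked to blank; a script that diffs or commits the output has no way to notice that the option was ignored. This mirrors the existing `-b` handling just above, but unlike `-b` this option changes what ends up in the saved file, so it would be safer to fail the way the `exit(1);` before the loop does, i.e. `fprintf(stderr, "-Z/--zero option is not implemented yet\n"); exit(1);`, or to implement the flag here as well. If the warn-and-continue behaviour is kept deliberately, the commit message should state that the two tools diverge and a comment at the case should say why, since the `options[]` entry added in the first hunk of this file advertises `--zero` as accepted. xtables_save_main starts and ends outside this hunk.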