[pkg-netfilter-team] Bug#886793: iptables-save: add reset chains counters and add help
Alban Vidal
alban.vidal at zordhak.fr
Tue Jan 9 22:14:24 UTC 2018
Package: iptables
Version: 1.6.1-2~bpo9+1
Severity: wishlist
Tags: patch
Dear Maintainers,
Please find attached a suggest patch to add functionality in iptables-save.
-------------------------------------------------------------------------------
1) Add a -z / --zero option: the chain policy counters are written as [0:0] in the output (the kernel counters themselves are not modified).
Example without:
iptables-save
# Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:51 2018
*nat
:PREROUTING ACCEPT [923:217673]
:INPUT ACCEPT [309:97481]
(...)
Example whith:
iptables-save -z
# Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:26 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
(...)
-------------------------------------------------------------------------------
2) Adding -h or --help option: print help/usage (inspired by manpage)
Content:
iptables-save -h
iptables-save and ip6tables-save are provides from iptables package — version 1.6.1
iptables-save and ip6tables-save are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table]
ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table]
Options:
Either long or short options are allowed.
-h, --help
Print this help usage.
-M, --modprobe modprobe_program
Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/mod‐probe to determine the executable's path.
-c, --counters
Include the current values of all packet and byte counters in the output.
-z, --zero
Reset to zero counters of the chains.
-t, --table tablename
Restrict output to only one table. If not specified, output includes all available tables.
-------------------------------------------------------------------------------
3) Layout layout: uppercase, dot...
Best regards,
Alban Vidal
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -pruN a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
--- a/iptables/ip6tables-save.c 2018-01-09 18:16:41.165710952 +0100
+++ b/iptables/ip6tables-save.c 2018-01-09 21:31:38.547256947 +0100
@@ -3,6 +3,9 @@
* Original code: iptables-save
* Authors: Paul 'Rusty' Russel <rusty at linuxcare.com.au> and
* Harald Welte <laforge at gnumonks.org>
+ * Contributor:
+ * (C) 2018 by Alban Vidal <alban.vidal at zordhak.fr>
+ *
* This code is distributed under the terms of GNU GPL v2
*/
#include <getopt.h>
@@ -17,17 +20,12 @@
#include "libiptc/libip6tc.h"
#include "ip6tables.h"
#include "ip6tables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
static int show_counters = 0;
-static const struct option options[] = {
- {.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "dump", .has_arg = false, .val = 'd'},
- {.name = "table", .has_arg = true, .val = 't'},
- {.name = "modprobe", .has_arg = true, .val = 'M'},
- {NULL},
-};
-
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
/* Debugging prototype. */
static int for_each_table(int (*func)(const char *tablename))
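Review bot: Including a .c file with `#include "ipXtables-save-common.c"` at L78 compiles the same definitions into two translation units and makes the helper depend on whatever happens to be defined before the include — `print_help_usage()` formats `IPTABLES_VERSION`, which the common file never includes itself, so it only builds because `ip6tables.h` was pulled in a few lines earlier. The usual shape is a small header declaring `void print_help_usage(void);` and `extern const struct option options[];`, with the definitions in a separately compiled .c added to the build. If the include is kept for a quick patch, the common file should at least include the header that defines `IPTABLES_VERSION` rather than rely on include order.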
@@ -94,7 +92,10 @@ static int do_output(const char *tablena
struct xt_counters count;
printf("%s ",
ip6tc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ if (rst_chain_counters > 0)
+ printf("[0:0]\n"); /* Reset to zero counters of the chains */
+ else
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
} else {
printf("- [0:0]\n");
}
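Review bot: The new branch at L97–L98 does not reset anything — it only prints `[0:0]` in place of the policy counters that `ip6tc_get_policy()` just read — so the comment `/* Reset to zero counters of the chains */` and the option name `--zero` suggest the kernel counters are modified, as `iptables -Z` does, when they are not. The per-rule counters printed under `show_counters` (outside this hunk) are presumably untouched, so `-c -z` would emit zeroed policy lines next to live rule counters; either apply the flag there too or document the limitation. I would reword the comment to `/* -z: print [0:0] instead of the live policy counters; kernel counters are not touched */` and test the flag as a boolean, `if (rst_chain_counters)`, since it is only ever 0 or 1. do_output begins and ends outside this hunk.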
@@ -143,7 +144,7 @@ int ip6tables_save_main(int argc, char *
init_extensions6();
#endif
- while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bhcdzt:M:", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -151,14 +152,20 @@ int ip6tables_save_main(int argc, char *
case 'c':
show_counters = 1;
break;
-
case 't':
/* Select specific table. */
tablename = optarg;
break;
+ case 'h':
+ /* Print Help and quit */
+ print_help_usage();
+ break;
case 'M':
xtables_modprobe_program = optarg;
break;
+ case 'z':
+ rst_chain_counters = 1;
+ break;
case 'd':
do_output(tablename);
exit(0);
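Review bot: `print_help_usage()` ends in `exit(0)` (see the new common file), so the `break` after it at L124 is unreachable, and the control flow is inconsistent with `case 'd'` two lines below, which exits explicitly inside the switch. Either drop the `exit()` from the helper and write `print_help_usage(); exit(0);` here, mirroring `case 'd'`, or keep the helper's exit and replace the dead `break` with a comment noting that the call does not return. ip6tables_save_main continues outside this hunk.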
diff -pruN a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
--- a/iptables/iptables-save.8.in 2018-01-09 18:16:41.165710952 +0100
+++ b/iptables/iptables-save.8.in 2018-01-09 22:56:45.491670256 +0100
@@ -23,11 +23,11 @@ iptables-save \(em dump iptables rules t
.P
ip6tables-save \(em dump iptables rules to stdout
.SH SYNOPSIS
-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+\fBiptables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP]
.P
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+\fBip6tables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP]
.SH DESCRIPTION
.PP
.B iptables-save
@@ -36,24 +36,32 @@ and
are used to dump the contents of IP or IPv6 Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
.TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help usage and quit.
+.TP
\fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
Specify the path to the modprobe program. By default, iptables-save will
inspect /proc/sys/kernel/modprobe to determine the executable's path.
.TP
\fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
+Include the current values of all packet and byte counters in the output.
+.TP
+\fB\-z\fR, \fB\-\-zero\fR
+Reset to zero counters of the chains.
.TP
\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
+Restrict output to only one table. If not specified, output includes all
available tables.
.SH BUGS
-None known as of iptables-1.2.1 release
+None known as of iptables-1.2.1 release.
.SH AUTHORS
-Harald Welte <laforge at gnumonks.org>
+Harald Welte <laforge at gnumonks.org>,
+.br
+Rusty Russell <rusty at rustcorp.com.au>,
.br
-Rusty Russell <rusty at rustcorp.com.au>
+Andras Kis-Szabo <kisza at sch.bme.hu> contributed ip6tables-save,
.br
-Andras Kis-Szabo <kisza at sch.bme.hu> contributed ip6tables-save.
+Alban Vidal <alban.vidal at zordhak.fr> contributed ip[6]tables-save.
.SH SEE ALSO
\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
.PP
diff -pruN a/iptables/iptables-save.c b/iptables/iptables-save.c
--- a/iptables/iptables-save.c 2018-01-09 18:16:41.165710952 +0100
+++ b/iptables/iptables-save.c 2018-01-09 21:33:49.671881627 +0100
@@ -1,6 +1,8 @@
/* Code to save the iptables state, in human readable-form. */
/* (C) 1999 by Paul 'Rusty' Russell <rusty at rustcorp.com.au> and
* (C) 2000-2002 by Harald Welte <laforge at gnumonks.org>
+ * Contributor:
+ * (C) 2018 by Alban Vidal <alban.vidal at zordhak.fr>
*
* This code is distributed under the terms of GNU GPL v2
*
@@ -16,16 +18,12 @@
#include "libiptc/libiptc.h"
#include "iptables.h"
#include "iptables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
static int show_counters = 0;
-static const struct option options[] = {
- {.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "dump", .has_arg = false, .val = 'd'},
- {.name = "table", .has_arg = true, .val = 't'},
- {.name = "modprobe", .has_arg = true, .val = 'M'},
- {NULL},
-};
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
/* Debugging prototype. */
static int for_each_table(int (*func)(const char *tablename))
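Review bot: Same concern as in ip6tables-save.c: `#include "ipXtables-save-common.c"` at L208 duplicates the definitions into a second translation unit and makes `print_help_usage()` depend on `IPTABLES_VERSION` being defined by an earlier include rather than by the common file itself. A header with `void print_help_usage(void);` and `extern const struct option options[];` plus a separately compiled .c is the conventional fix; otherwise the common file should include what it uses.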
@@ -92,7 +90,10 @@ static int do_output(const char *tablena
struct xt_counters count;
printf("%s ",
iptc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ if (rst_chain_counters > 0)
+ printf("[0:0]\n"); /* Reset to zero counters of the chains */
+ else
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
} else {
printf("- [0:0]\n");
}
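Review bot: As in the IPv6 copy, L226–L227 substitute `[0:0]` for the value returned by `iptc_get_policy()` without touching the kernel, so the comment `/* Reset to zero counters of the chains */` misdescribes the effect and invites confusion with `iptables -Z`. The rule counters printed under `show_counters` are outside this hunk and presumably still live, so `-c -z` output mixes zeroed and real values. Suggested: `/* -z: print [0:0] instead of the live policy counters; kernel counters are not touched */` and `if (rst_chain_counters)`. do_output begins and ends outside this hunk.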
@@ -142,7 +143,7 @@ iptables_save_main(int argc, char *argv[
init_extensions4();
#endif
- while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bhcdzt:M:", options, NULL)) != -1) {
switch (c) {
case 'b':
fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -150,14 +151,20 @@ iptables_save_main(int argc, char *argv[
case 'c':
show_counters = 1;
break;
-
case 't':
/* Select specific table. */
tablename = optarg;
break;
+ case 'h':
+ /* Print Help and quit */
+ print_help_usage();
+ break;
case 'M':
xtables_modprobe_program = optarg;
break;
+ case 'z':
+ rst_chain_counters = 1;
+ break;
case 'd':
do_output(tablename);
exit(0);
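Review bot: The `break` after `print_help_usage()` at L253 is dead because the helper calls `exit(0)`, which reads oddly next to `case 'd'`, where the exit is explicit in the switch. Prefer `print_help_usage(); exit(0);` with the helper returning normally, or a comment marking the call as non-returning. iptables_save_main continues outside this hunk.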
diff -pruN /dev/null b/iptables/ipXtables-save-common.c
--- /dev/null
+++ b/iptables/ipXtables-save-common.c 2018-01-09 22:45:22.160404840 +0100
@@ -0,0 +1,59 @@
+/* Common code for iptables-save.c and ip6tables-save.c */
+/* (C) 2018 by Alban Vidal <alban.vidal at zordhak.fr>
+ *
+ * This code is distributed under the terms of GNU GPL v2
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h> /* struct option */
+#include <stdbool.h> /* true/false */
+
+/* Summary help usage */
+static void print_help_usage()
+{
+ printf(
+ "iptables-save and ip6tables-save are provides from iptables package — version %s\n"
+ "\n"
+ "iptables-save and ip6tables-save are used to dump the contents of IP or "
+ "IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection "
+ "provided by your shell to write to a file.\n"
+ "\n"
+ "Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table]\n"
+ " ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table]\n"
+ "\n"
+ "Options:\n"
+ "Either long or short options are allowed.\n"
+ "\n"
+ " -h, --help\n"
+ " Print this help usage.\n"
+ "\n"
+ " -M, --modprobe modprobe_program\n"
+ " Specify the path to the modprobe program. By default, iptables-save "
+ "will inspect /proc/sys/kernel/mod‐probe to determine the executable's path.\n"
+ "\n"
+ " -c, --counters\n"
+ " Include the current values of all packet and byte counters in the output.\n"
+ "\n"
+ " -z, --zero\n"
+ " Reset to zero counters of the chains.\n"
+ "\n"
+ " -t, --table tablename\n"
+ " Restrict output to only one table. If not specified, output includes "
+ "all available tables.\n"
+ , IPTABLES_VERSION
+ );
+
+ exit(0);
+}
+
+static const struct option options[] = {
+ {.name = "help", .has_arg = false, .val = 'h'},
+ {.name = "counters", .has_arg = false, .val = 'c'},
+ {.name = "dump", .has_arg = false, .val = 'd'},
+ {.name = "zero", .has_arg = false, .val = 'z'},
+ {.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
+ {NULL},
+};
+
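Review bot: The help text embeds non-ASCII characters copied from the rendered manpage — an em dash in `— version %s` at L282 and a U+2010 hyphen inside `/proc/sys/kernel/mod‐probe` at L299 — which turns the documented path into one that does not exist and may garble output in non-UTF-8 locales; the first line also reads "are provides from". Replace with plain ASCII, e.g. `"iptables-save and ip6tables-save are provided by the iptables package, version %s\n"` and `"/proc/sys/kernel/modprobe"`. Declare the function as `static void print_help_usage(void)` — an empty parameter list is an old-style declaration with no argument checking — and reword the `-z` entry to say the chain policy counters are printed as zero rather than reset, since do_output only changes what is written, not the kernel counters.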