Package: iptables Version: 1.6.1-2~bpo9+1 Severity: wishlist Tags: patch Dear Maintainers, Please find attached a suggested patch that adds functionality to iptables-save.
------------------------------------------------------------------------------- 1) Adding -z or --zero option: Reset to zero counters of the chains. Example without: iptables-save # Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:51 2018 *nat :PREROUTING ACCEPT [923:217673] :INPUT ACCEPT [309:97481] (...) Example with: iptables-save -z # Generated by iptables-save v1.6.1 on Tue Jan 9 21:42:26 2018 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] (...) ------------------------------------------------------------------------------- 2) Adding -h or --help option: print help/usage (inspired by manpage) Content: iptables-save -h iptables-save and ip6tables-save are provides from iptables package — version 1.6.1 iptables-save and ip6tables-save are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file. Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table] ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table] Options: Either long or short options are allowed. -h, --help Print this help usage. -M, --modprobe modprobe_program Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/mod‐probe to determine the executable's path. -c, --counters Include the current values of all packet and byte counters in the output. -z, --zero Reset to zero counters of the chains. -t, --table tablename Restrict output to only one table. If not specified, output includes all available tables. ------------------------------------------------------------------------------- 3) Layout: uppercase letters, trailing dots, etc.
Best regards, Alban Vidal -- System Information: Debian Release: 9.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-5-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -pruN a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
--- a/iptables/ip6tables-save.c 2018-01-09 18:16:41.165710952 +0100
+++ b/iptables/ip6tables-save.c 2018-01-09 21:31:38.547256947 +0100
@@ -3,6 +3,9 @@
 * Original code: iptables-save
 * Authors: Paul 'Rusty' Russel <ru...@linuxcare.com.au> and
 * Harald Welte <lafo...@gnumonks.org>
+ * Contributor:
+ * (C) 2018 by Alban Vidal <alban.vi...@zordhak.fr>
+ *
 * This code is distributed under the terms of GNU GPL v2
 */
 #include <getopt.h>
@@ -17,17 +20,12 @@
 #include "libiptc/libip6tc.h"
 #include "ip6tables.h"
 #include "ip6tables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
 static int show_counters = 0;
-static const struct option options[] = {
- {.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "dump", .has_arg = false, .val = 'd'},
- {.name = "table", .has_arg = true, .val = 't'},
- {.name = "modprobe", .has_arg = true, .val = 'M'},
- {NULL},
-};
-
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
@@ -94,7 +92,10 @@ static int do_output(const char *tablena
 struct xt_counters count;
 printf("%s ", ip6tc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ if (rst_chain_counters > 0)
+ printf("[0:0]\n"); /* Reset to zero counters of the chains */
+ else
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 } else {
 printf("- [0:0]\n");
 }
@@ -143,7 +144,7 @@ int ip6tables_save_main(int argc, char *
 init_extensions6();
 #endif
- while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bhcdzt:M:", options, NULL)) != -1) {
 switch (c) {
 case 'b':
 fprintf(stderr, "-b/--binary option is not implemented\n");
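Review bot: `#include "ipXtables-save-common.c"` in the `@@ -17,17 +20,12 @@` hunk textually pastes one translation unit into another, so ip6tables-save.c and iptables-save.c each get their own static copy of `print_help_usage()` and `options[]`, and the common file compiles only because `IPTABLES_VERSION` happens to be visible in the includer at that point (presumably via config.h; confirm). The conventional shape is an `ipXtables-save-common.h` with the declarations plus one compiled `.c` listed in the build, since a stray `.c` in the source tree is either picked up twice or ignored depending on the Makefile; the iptables-save.c hunk `@@ -16,16 +18,12 @@` has the same include. The new flag's comment also overstates what it does: nothing is reset, the output is merely printed as zero, so `/* -z/--zero: print chain policy counters as [0:0] instead of their live values */` would describe `rst_chain_counters` accurately.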
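Review bot: In the `@@ -94,7 +92,10 @@` hunk `-z` only affects the chain policy line, and nothing else in this patch touches counters, so `iptables-save -c -z` will emit `[0:0]` policies next to live per-rule counters, and no kernel counter is modified despite the "Reset to zero counters" wording in the comment, the help text and the man page. Either make `rst_chain_counters` also suppress the rule counters that `-c` selects, or narrow the wording everywhere to what the code does, e.g. `printf("[0:0]\n"); /* -z: policy counters printed as zero; kernel counters untouched */`. Since `rst_chain_counters` is only ever 0 or 1, `if (rst_chain_counters)` reads more naturally than `> 0`. The enclosing `do_output` starts and ends outside the hunk; the iptables-save.c hunk `@@ -92,7 +90,10 @@` is identical.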
@@ -151,14 +152,20 @@ int ip6tables_save_main(int argc, char *
 case 'c':
 show_counters = 1;
 break;
-
 case 't':
 /* Select specific table. */
 tablename = optarg;
 break;
+ case 'h':
+ /* Print Help and quit */
+ print_help_usage();
+ break;
 case 'M':
 xtables_modprobe_program = optarg;
 break;
+ case 'z':
+ rst_chain_counters = 1;
+ break;
 case 'd':
 do_output(tablename);
 exit(0);
diff -pruN a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
--- a/iptables/iptables-save.8.in 2018-01-09 18:16:41.165710952 +0100
+++ b/iptables/iptables-save.8.in 2018-01-09 22:56:45.491670256 +0100
@@ -23,11 +23,11 @@ iptables-save \(em dump iptables rules t
 .P
 ip6tables-save \(em dump iptables rules to stdout
 .SH SYNOPSIS
-\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+\fBiptables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP]
 .P
-\fBip6tables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+\fBip6tables\-save\fP [\fB\-h\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
+[\fB\-z\fP] [\fB\-t\fP \fItable\fP]
 .SH DESCRIPTION
 .PP
 .B iptables-save
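Review bot: The `break;` after `print_help_usage();` in the new `case 'h':` is unreachable, because the helper itself calls `exit(0)` (see the new ipXtables-save-common.c), and only the comment `/* Print Help and quit */` hints that control never comes back. Either drop the `exit()` from the helper and write `print_help_usage(); exit(0);` here, matching the `case 'd':` pattern a few lines below, or declare the helper `_Noreturn` so the compiler and the reader both know. The same applies to the iptables-save.c hunk `@@ -150,14 +151,20 @@`. The enclosing `ip6tables_save_main` starts and ends outside the hunk.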
@@ -36,24 +36,32 @@ and
 are used to dump the contents of IP or IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.
 .TP
+\fB\-h\fR, \fB\-\-help\fR
+Print help usage and quit.
+.TP
 \fB\-M\fR, \fB\-\-modprobe\fR \fImodprobe_program\fP
 Specify the path to the modprobe program. By default, iptables-save will inspect /proc/sys/kernel/modprobe to determine the executable's path.
 .TP
 \fB\-c\fR, \fB\-\-counters\fR
-include the current values of all packet and byte counters in the output
+Include the current values of all packet and byte counters in the output.
+.TP
+\fB\-z\fR, \fB\-\-zero\fR
+Reset to zero counters of the chains.
 .TP
 \fB\-t\fR, \fB\-\-table\fR \fItablename\fP
-restrict output to only one table. If not specified, output includes all
+Restrict output to only one table. If not specified, output includes all
 available tables.
 .SH BUGS
-None known as of iptables-1.2.1 release
+None known as of iptables-1.2.1 release.
 .SH AUTHORS
-Harald Welte <lafo...@gnumonks.org>
+Harald Welte <lafo...@gnumonks.org>,
+.br
+Rusty Russell <ru...@rustcorp.com.au>,
 .br
-Rusty Russell <ru...@rustcorp.com.au>
+Andras Kis-Szabo <ki...@sch.bme.hu> contributed ip6tables-save,
 .br
-Andras Kis-Szabo <ki...@sch.bme.hu> contributed ip6tables-save.
+Alban Vidal <alban.vi...@zordhak.fr> contributed ip[6]tables-save.
 .SH SEE ALSO
 \fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
 .PP
diff -pruN a/iptables/iptables-save.c b/iptables/iptables-save.c
--- a/iptables/iptables-save.c 2018-01-09 18:16:41.165710952 +0100
+++ b/iptables/iptables-save.c 2018-01-09 21:33:49.671881627 +0100
@@ -1,6 +1,8 @@
 /* Code to save the iptables state, in human readable-form. */
 /* (C) 1999 by Paul 'Rusty' Russell <ru...@rustcorp.com.au> and
 * (C) 2000-2002 by Harald Welte <lafo...@gnumonks.org>
+ * Contributor:
+ * (C) 2018 by Alban Vidal <alban.vi...@zordhak.fr>
 *
 * This code is distributed under the terms of GNU GPL v2
 *
@@ -16,16 +18,12 @@
 #include "libiptc/libiptc.h"
 #include "iptables.h"
 #include "iptables-multi.h"
+#include "ipXtables-save-common.c" /* Common code for iptables-save.c and ip6tables-save.c */
 static int show_counters = 0;
-static const struct option options[] = {
- {.name = "counters", .has_arg = false, .val = 'c'},
- {.name = "dump", .has_arg = false, .val = 'd'},
- {.name = "table", .has_arg = true, .val = 't'},
- {.name = "modprobe", .has_arg = true, .val = 'M'},
- {NULL},
-};
+/* if = 1 (opt -z): Reset to zero counters of the chains */
+static int rst_chain_counters = 0;
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
@@ -92,7 +90,10 @@ static int do_output(const char *tablena
 struct xt_counters count;
 printf("%s ", iptc_get_policy(chain, &count, h));
- printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+ if (rst_chain_counters > 0)
+ printf("[0:0]\n"); /* Reset to zero counters of the chains */
+ else
+ printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
 } else {
 printf("- [0:0]\n");
 }
@@ -142,7 +143,7 @@ iptables_save_main(int argc, char *argv[
 init_extensions4();
 #endif
- while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bhcdzt:M:", options, NULL)) != -1) {
 switch (c) {
 case 'b':
 fprintf(stderr, "-b/--binary option is not implemented\n");
@@ -150,14 +151,20 @@ iptables_save_main(int argc, char *argv[
 case 'c':
 show_counters = 1;
 break;
-
 case 't':
 /* Select specific table. */
 tablename = optarg;
 break;
+ case 'h':
+ /* Print Help and quit */
+ print_help_usage();
+ break;
 case 'M':
 xtables_modprobe_program = optarg;
 break;
+ case 'z':
+ rst_chain_counters = 1;
+ break;
 case 'd':
 do_output(tablename);
 exit(0);
diff -pruN /dev/null b/iptables/ipXtables-save-common.c
--- /dev/null
+++ b/iptables/ipXtables-save-common.c 2018-01-09 22:45:22.160404840 +0100
@@ -0,0 +1,59 @@
+/* Common code for iptables-save.c and ip6tables-save.c */
+/* (C) 2018 by Alban Vidal <alban.vi...@zordhak.fr>
+ *
+ * This code is distributed under the terms of GNU GPL v2
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h> /* struct option */
+#include <stdbool.h> /* true/false */
+
+/* Summary help usage */
+static void print_help_usage()
+{
+ printf(
+ "iptables-save and ip6tables-save are provides from iptables package — version %s\n"
+ "\n"
+ "iptables-save and ip6tables-save are used to dump the contents of IP or "
+ "IPv6 Table in easily parseable format to STDOUT. Use I/O-redirection "
+ "provided by your shell to write to a file.\n"
+ "\n"
+ "Usage: iptables-save [-h] [-M modprobe] [-c] [-z] [-t table]\n"
+ " ip6tables-save [-h] [-M modprobe] [-c] [-z] [-t table]\n"
+ "\n"
+ "Options:\n"
+ "Either long or short options are allowed.\n"
+ "\n"
+ " -h, --help\n"
+ " Print this help usage.\n"
+ "\n"
+ " -M, --modprobe modprobe_program\n"
+ " Specify the path to the modprobe program. By default, iptables-save "
+ "will inspect /proc/sys/kernel/mod‐probe to determine the executable's path.\n"
+ "\n"
+ " -c, --counters\n"
+ " Include the current values of all packet and byte counters in the output.\n"
+ "\n"
+ " -z, --zero\n"
+ " Reset to zero counters of the chains.\n"
+ "\n"
+ " -t, --table tablename\n"
+ " Restrict output to only one table. If not specified, output includes "
+ "all available tables.\n"
+ , IPTABLES_VERSION
+ );
+
+ exit(0);
+}
+
+static const struct option options[] = {
+ {.name = "help", .has_arg = false, .val = 'h'},
+ {.name = "counters", .has_arg = false, .val = 'c'},
+ {.name = "dump", .has_arg = false, .val = 'd'},
+ {.name = "zero", .has_arg = false, .val = 'z'},
+ {.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
+ {NULL},
+};
+
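Review bot: The help text prints the modprobe path as `/proc/sys/kernel/mod‐probe` with a U+2010 hyphen (carried over from a rendered man page), so the path shown to users is wrong; it should be the plain ASCII `/proc/sys/kernel/modprobe`, and the `—` in the version line is likewise a non-ASCII byte sequence in a bare `printf` that will show as garbage on non-UTF-8 terminals. `static void print_help_usage()` is an old-style unprototyped definition in C; write `static void print_help_usage(void)`. The phrase `are provides from iptables package` should read `are provided by the iptables package`. Because the function ends in `exit(0)`, its header comment should say so, e.g. `/* Print the usage summary to stdout and exit(0); never returns. */`, and `IPTABLES_VERSION` is neither defined nor included here, so this file only compiles when pasted after whatever header provides it (presumably config.h via the includer; confirm).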