Hi,

- ip6tables-save and -restore updates (sync)
- ip6tables-save and -restore man pages

regards,

        kisza

-- 
    Andras Kis-Szabo       Security Development, Design and Audit
-------------------------/        Zorp, NetFilter and IPv6
 [EMAIL PROTECTED] /-----Member of the BUTE-MIS-SEARCHlab---------->
--- netfilter/userspace/ip6tables-save.c.old    Sun Mar  3 01:22:33 2002
+++ netfilter/userspace/ip6tables-save.c        Sun Mar  3 01:52:46 2002
@@ -17,10 +17,6 @@
 #include "libiptc/libip6tc.h"
 #include "ip6tables.h"
 
-#ifndef IP6T_LIB_DIR
-#define IP6T_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
 static int binary = 0, counters = 0;
 
 static struct option options[] = {
@@ -31,8 +27,10 @@
        { 0 }
 };
 
+/*
 extern struct ip6tables_match *find_match(const char *name, enum ip6t_tryload 
tryload);
 extern struct ip6tables_target *find_target(const char *name, enum ip6t_tryload 
tryload);
+*/
 
 /* This assumes that mask is contiguous, and byte-bounded. */
 static void
@@ -51,7 +49,9 @@
                        if (iface[i] != '\0')
                                printf("%c", iface[i]);
                } else {
-                       if (iface[i] == '\0')
+                       /* we can access iface[i-1] here, because 
+                        * a few lines above we make sure that mask[0] != 0 */
+                       if (iface[i-1] != '\0')
                                printf("+");
                        break;
                }
@@ -131,22 +131,15 @@
        if (!mask && !ip)
                return;
 
-       printf("%s %s%s/",
+       printf("%s %s%s",
                prefix,
                invert ? "! " : "",
                inet_ntop(AF_INET6, ip, buf, sizeof buf));
 
        if (l == -1)
-               printf("%s ", inet_ntop(AF_INET6, mask, buf, sizeof buf));
-       else
-               printf("%d ", l);
-       
-#if 0
-       if (mask != 0xffffffff) 
-               printf("/%u.%u.%u.%u ", IP_PARTS(mask));
+               printf("/%s ", inet_ntop(AF_INET6, mask, buf, sizeof buf));
        else
-               printf(" ");
-#endif
+               printf("/%d ", l);
 }
 
 /* We want this to be readable, so only print out neccessary fields.
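Review bot: Both printf calls in this hunk pass the return value of `inet_ntop()` straight to a `%s` conversion (the unchanged call for `ip` above and the rewritten call for `mask` at the new `"/%s "` line), but `inet_ntop()` returns NULL on failure (e.g. ENOSPC when `buf` is too small, or EAFNOSUPPORT), and `printf("%s", NULL)` is undefined behaviour. A minimal guard before each use would be `if (!inet_ntop(AF_INET6, mask, buf, sizeof buf)) { perror("inet_ntop"); exit(1); }` followed by printing `buf`. The declaration of `buf` and the start of this function are outside the hunk, so its size cannot be checked here.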
@@ -180,15 +173,13 @@
        print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
 
 #if 0
-       // not definied in ipv6
-       // FIXME: linux/netfilter_ipv6/ip6_tables: IP6T_INV_FRAG why definied?
+       /* not definied in ipv6
+        * FIXME: linux/netfilter_ipv6/ip6_tables: IP6T_INV_FRAG why definied? */
        if (e->ipv6.flags & IPT_F_FRAG)
                printf("%s-f ",
                       e->ipv6.invflags & IP6T_INV_FRAG ? "! " : "");
 #endif
 
-       // TODO: i've got some problem with the code - under understanding ;)
-       // How can I set this?
        if (e->ipv6.flags & IP6T_F_TOS)
                printf("%s-? %d ",
                       e->ipv6.invflags & IP6T_INV_TOS ? "! " : "", 
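Review bot: Removing the two TODO lines leaves the `IP6T_F_TOS` branch, which still emits `"%s-? %d "`, with nothing saying that `-?` is a placeholder rather than a real option, so a dump containing it will presumably not be accepted by ip6tables-restore and the next reader has no hint why. Keep a short marker on that line, e.g. `/* FIXME: no ip6tables option exists for TOS yet; "-?" is a placeholder and will not restore */`. Separately, the rewritten comment in the `#if 0` block keeps the typo `definied` twice; `defined` is meant. The function containing this block starts and ends outside the hunk.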
@@ -201,8 +192,8 @@
 
        /* Print target name */ 
        target_name = ip6tc_get_target(e, h);
-       if (target_name && *target_name != '\0')
-               printf("-j %s ", ip6tc_get_target(e, h));
+       if (target_name && (*target_name != '\0'))
+               printf("-j %s ", target_name);
 
        /* Print targinfo part */
        t = ip6t_get_target((struct ip6t_entry *)e);
@@ -210,14 +201,22 @@
                struct ip6tables_target *target
                        = find_target(t->u.user.name, TRY_LOAD);
 
-               if (target)
+               if (!target) {
+                       fprintf(stderr, "Can't find library for target `%s'\n",
+                               t->u.user.name);
+                       exit(1);
+               }
+
+               if (target->save)
                        target->save(&e->ipv6, t);
                else {
-                       /* If some bits are non-zero, it implies we *need*
-                          to understand it */
-                       if (t->u.target_size) {
-                               fprintf(stderr,
-                                       "Can't find library for target `%s'\n",
+                       /* If the target size is greater than ip6t_entry_target
+                        * there is something to be saved, we just don't know
+                        * how to print it */
+                       if (t->u.target_size != 
+                           sizeof(struct ip6t_entry_target)) {
+                               fprintf(stderr, "Target `%s' is missing "
+                                               "save function\n",
                                        t->u.user.name);
                                exit(1);
                        }
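Review bot: The two new failure paths call `exit(1)` from inside the per-rule printer, after the rules printed before this one (and any earlier tables) have already gone to stdout, so `ip6tables-save > file` leaves behind a truncated dump that still looks like valid input for ip6tables-restore, which would then apply a partial ruleset. Returning a failure indication to the caller so that the dump can be abandoned cleanly would be safer; if the exit is kept, a comment on each should state it, e.g. `/* NB: exits mid-dump; whatever was already written to stdout is incomplete */`. The enclosing function and the caller that writes the table framing are outside this hunk, so I cannot see whether it could stop before committing the output.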
@@ -287,10 +286,11 @@
                        }
                }
 
+
                for (chain = ip6tc_first_chain(&h);
                     chain;
                     chain = ip6tc_next_chain(&h)) {
-                    const struct ip6t_entry *e;
+                       const struct ip6t_entry *e;
 
                        /* Dump out rules */
                        e = ip6tc_first_rule(chain, &h);
@@ -327,7 +327,7 @@
        init_extensions();
 #endif
 
-       while ((c = getopt_long(argc, argv, "bc", options, NULL)) != -1) {
+       while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
                switch (c) {
                case 'b':
                        binary = 1;
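Review bot: The short-option string now accepts `-d` and `-t table`, but the ip6tables-save man page added later in this same patch documents only `-c` and `-t` (SYNOPSIS `[-c] [-t table]`), so `-d` (handled in the next hunk by `do_output(tablename); exit(0);`) and `-b` are reachable yet undocumented. Whether `-d` is a user-facing dump switch or a debugging aid is not clear from here; either document it in the man page or mark the case, e.g. `case 'd': /* dump selected table(s) immediately and exit; not listed in the man page */`. The `options[]` long-option table is outside this hunk, so I cannot confirm a matching long entry for `d`.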
@@ -341,7 +341,6 @@
                        /* Select specific table. */
                        tablename = optarg;
                        break;
-
                case 'd':
                        do_output(tablename);
                        exit(0);
--- netfilter/userspace/ip6tables-save.8.old    Sun Mar  3 02:03:52 2002
+++ netfilter/userspace/ip6tables-save.8        Sun Mar  3 02:09:26 2002
@@ -0,0 +1,50 @@
+.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <[EMAIL PROTECTED]>
+.\" It is based on the ipptables man page.
+.\"
+.\"    This program is free software; you can redistribute it and/or modify
+.\"    it under the terms of the GNU General Public License as published by
+.\"    the Free Software Foundation; either version 2 of the License, or
+.\"    (at your option) any later version.
+.\"
+.\"    This program is distributed in the hope that it will be useful,
+.\"    but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"    GNU General Public License for more details.
+.\"
+.\"    You should have received a copy of the GNU General Public License
+.\"    along with this program; if not, write to the Free Software
+.\"    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-save \- Save IPv6 Tables
+.SH SYNOPSIS
+.BR "ip6tables-save " "[-c] [-t table]"
+.br
+.SH DESCRIPTION
+.PP
+.B ip6tables-save
+is used to dump the contents of an IPv6 Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+.TP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <[EMAIL PROTECTED]>
+.br
+Andras Kis-Szabo <[EMAIL PROTECTED]>
+.SH SEE ALSO
+.BR ip6tables-restore "(8), " ip6tables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
--- netfilter/userspace/ip6tables-restore.c.old Sun Mar  3 01:22:28 2002
+++ netfilter/userspace/ip6tables-restore.c     Sun Mar  3 01:49:33 2002
@@ -6,6 +6,7 @@
  *     Harald Welte <[EMAIL PROTECTED]>
  *     Rusty Russell <[EMAIL PROTECTED]>
  *
+ * $Id: ip6tables-restore.c,v 1.20 2002/01/17 20:43:10 laforge Exp $
  */
 
 #include <getopt.h>
@@ -22,9 +23,11 @@
 #define DEBUGP(x, args...) 
 #endif
 
+/*
 extern int for_each_chain(int (*fn)(const ip6t_chainlabel, int, ip6tc_handle_t *), 
int verbose, int builtinstoo, ip6tc_handle_t *handle);
 extern int flush_entries(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t 
*handle);
 extern int delete_chain(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t 
*handle);
+*/
 
 static int binary = 0, counters = 0, verbose = 0, noflush = 0;
 
@@ -32,7 +35,7 @@
 static struct option options[] = {
        { "binary", 0, 0, 'b' },
        { "counters", 0, 0, 'c' },
-/*     { "verbose", 1, 0, 'v' }, */
+       { "verbose", 1, 0, 'v' },
        { "help", 0, 0, 'h' },
        { "noflush", 0, 0, 'n'},
        { "modprobe", 1, 0, 'M'},
@@ -61,9 +64,9 @@
        handle = ip6tc_init(tablename);
 
        if (!handle) {
-                /* try to insmod the module if iptc_init failed */
-                ip6tables_insmod("ip6_tables", modprobe);
-                handle = ip6tc_init(tablename);
+               /* try to insmod the module if iptc_init failed */
+               ip6tables_insmod("ip6_tables", modprobe);
+               handle = ip6tc_init(tablename);
        }
 
        if (!handle) {
@@ -84,21 +87,22 @@
 static int newargc;
 
 /* function adding one argument to newargv, updating newargc 
- *  * returns true if argument added, false otherwise */
+ * returns true if argument added, false otherwise */
 static int add_argv(char *what) {
-        if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
-                newargv[newargc] = strdup(what);
-                newargc++;
-                return 1;
-        } else
-                return 0;
+       DEBUGP("add_argv: %s\n", what);
+       if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
+               newargv[newargc] = strdup(what);
+               newargc++;
+               return 1;
+       } else 
+               return 0;
 }
 
 static void free_argv(void) {
-        int i;
+       int i;
 
-        for (i = 0; i < newargc; i++)
-                free(newargv[i]);
+       for (i = 0; i < newargc; i++)
+               free(newargv[i]);
 }
 
 int main(int argc, char *argv[])
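Review bot: The new `DEBUGP("add_argv: %s\n", what);` runs before the `what &&` check, so with debugging enabled a NULL argument reaches a `%s` conversion, which is undefined behaviour; either move the DEBUGP below the check or write `DEBUGP("add_argv: %s\n", what ? what : "(null)");`. In the same function the `strdup()` result is stored unchecked, so on allocation failure a NULL ends up in `newargv` and is later handed to do_command6; `if (!newargv[newargc]) return 0;` after the strdup keeps the "false if not added" contract stated in the comment. The `newargv` array itself is declared above this hunk.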
@@ -126,6 +130,9 @@
                        case 'c':
                                counters = 1;
                                break;
+                       case 'v':
+                               verbose = 1;
+                               break;
                        case 'h':
                                print_usage("ip6tables-restore",
                                            NETFILTER_VERSION);
@@ -152,7 +159,7 @@
                exit(1);
        }
        else in = stdin;
-
+       
        /* Grab standard input. */
        while (fgets(buffer, sizeof(buffer), in)) {
                int ret;
@@ -208,12 +215,12 @@
                        }
 
                        if (!ip6tc_builtin(chain, handle)) {
-                               DEBUGP("Creating new chain '%s'\n", curchain);
+                               DEBUGP("Creating new chain '%s'\n", chain);
                                if (!ip6tc_create_chain(chain, &handle))
-                                        exit_error(PARAMETER_PROBLEM,
-                                                   "error creating chain "
-                                                   "'%s':%s\n", chain,
-                                                   strerror(errno));
+                                       exit_error(PARAMETER_PROBLEM,
+                                                  "error creating chain "
+                                                  "'%s':%s\n", chain,
+                                                  strerror(errno));
                        }
 
                        policy = strtok(NULL, " \t\n");
@@ -258,17 +265,17 @@
                        char *ptr = buffer;
                        char *pcnt = NULL;
                        char *bcnt = NULL;
-                        char *parsestart;
+                       char *parsestart;
 
-                        /* the parser */
-                        char *param_start, *curchar;
-                        int quote_open;
+                       /* the parser */
+                       char *param_start, *curchar;
+                       int quote_open;
 
-                        /* reset the newargv */
-                        newargc = 0;
+                       /* reset the newargv */
+                       newargc = 0;
 
                        if (buffer[0] == '[') {
-                                /* we have counters in our input */
+                               /* we have counters in our input */
                                ptr = strchr(buffer, ']');
                                if (!ptr)
                                        exit_error(PARAMETER_PROBLEM,
@@ -276,73 +283,72 @@
                                                   line);
 
                                pcnt = strtok(buffer+1, ":");
-                                if (!pcnt)
-                                        exit_error(PARAMETER_PROBLEM,
-                                                   "Bad line %u: need :\n",
-                                                   line);
+                               if (!pcnt)
+                                       exit_error(PARAMETER_PROBLEM,
+                                                  "Bad line %u: need :\n",
+                                                  line);
 
                                bcnt = strtok(NULL, "]");
-                                if (!bcnt)
-                                        exit_error(PARAMETER_PROBLEM,
-                                                   "Bad line %u: need ]\n",
-                                                   line);
-
-                                /* start command parsing after counter */
-                                parsestart = ptr + 1;
-                        } else {
-                                /* start command parsing at start of line */
-                                parsestart = buffer;
-                        }
-                       
-                        add_argv(argv[0]);
-                        add_argv("-t");
-                        add_argv((char *) &curtable);
+                               if (!bcnt)
+                                       exit_error(PARAMETER_PROBLEM,
+                                                  "Bad line %u: need ]\n",
+                                                  line);
 
-/* IP6TABLES doesn't support this
+                               /* start command parsing after counter */
+                               parsestart = ptr + 1;
+                       } else {
+                               /* start command parsing at start of line */
+                               parsestart = buffer;
+                       }
+
+                       add_argv(argv[0]);
+                       add_argv("-t");
+                       add_argv((char *) &curtable);
+                       
                        if (counters && pcnt && bcnt) {
-                               newargv[5] = "--set-counters";
-                               newargv[6] = (char *) pcnt;
-                               newargv[7] = (char *) bcnt;
+                               add_argv("--set-counters");
+                               add_argv((char *) pcnt);
+                               add_argv((char *) bcnt);
                        }
-*/
-                               
-                        /* After fighting with strtok enough, here's now
-                         * a 'real' parser. According to Rusty I'm now no
-                         * longer a real hacker, but I can live with that */
-
-                        quote_open = 0;
-                        param_start = parsestart;
-
-                        for (curchar = parsestart; *curchar; curchar++) {
-                                if (*curchar == '"') {
-                                        if (quote_open) {
-                                                quote_open = 0;
-                                                *curchar = ' ';
-                                        } else {
-                                                quote_open = 1;
-                                                param_start++;
-                                        }
-                                }
-                                if (*curchar == ' '
-                                    || *curchar == '\t'
-                                    || * curchar == '\n') {
-                                        char param_buffer[1024];
-                                        int param_len = curchar-param_start;
-
-                                        if (quote_open)
-                                                continue;
-
-                                        if (!param_len) {
-                                                /* two spaces? */
-                                                param_start++;
-                                                continue;
-                                        }
-
-                                        /* end of one parameter */
-                                        strncpy(param_buffer, param_start,
-                                                param_len);
-                                        *(param_buffer+param_len) = '\0';
 
+                       /* After fighting with strtok enough, here's now
+                        * a 'real' parser. According to Rusty I'm now no
+                        * longer a real hacker, but I can live with that */
+
+                       quote_open = 0;
+                       param_start = parsestart;
+                       
+                       for (curchar = parsestart; *curchar; curchar++) {
+                               if (*curchar == '"') {
+                                       if (quote_open) {
+                                               quote_open = 0;
+                                               *curchar = ' ';
+                                       } else {
+                                               quote_open = 1;
+                                               param_start++;
+                                       }
+                               } 
+                               if (*curchar == ' '
+                                   || *curchar == '\t'
+                                   || * curchar == '\n') {
+                                       char param_buffer[1024];
+                                       int param_len = curchar-param_start;
+
+                                       if (quote_open)
+                                               continue;
+
+                                       if (!param_len) {
+                                               /* two spaces? */
+                                               param_start++;
+                                               continue;
+                                       }
+                                       
+                                       /* end of one parameter */
+                                       strncpy(param_buffer, param_start,
+                                               param_len);
+                                       *(param_buffer+param_len) = '\0';
+
+                                       /* check if table name specified */
                                        if (!strncmp(param_buffer, "-t", 3)
                                             || !strncmp(param_buffer, "--table", 8)) {
                                                exit_error(PARAMETER_PROBLEM, 
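Review bot: The token copy `strncpy(param_buffer, param_start, param_len);` followed by `*(param_buffer+param_len) = '\0';` has no check of `param_len` against `sizeof param_buffer` (1024), so if `buffer`, which is declared outside this hunk and read with `fgets(buffer, sizeof(buffer), in)`, is larger than 1024 bytes, a single unquoted token longer than 1023 characters in the restore input overflows this stack buffer. Add before the copy: `if (param_len >= sizeof param_buffer) exit_error(PARAMETER_PROBLEM, "Bad line %u: parameter too long\n", line);`. Also, the `add_argv()` calls here ignore its return value, so once the argument table is full further parameters are silently dropped and the rule is executed with a shorter argv than the line specified; failing the line instead would be safer. The enclosing `while (fgets(...))` loop starts and ends outside the hunk.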
@@ -351,23 +357,23 @@
                                                exit(1);
                                        }
 
-                                        add_argv(param_buffer);
-                                        param_start += param_len + 1;
-                                } else {
-                                        /* regular character, skip */
-                                }
-                        }
+                                       add_argv(param_buffer);
+                                       param_start += param_len + 1;
+                               } else {
+                                       /* regular character, skip */
+                               }
+                       }
 
                        DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
-                                       newargc, curtable);
+                               newargc, curtable);
 
-                       for (a = 0; a <= newargc; a++)
+                       for (a = 0; a < newargc; a++)
                                DEBUGP("argv[%u]: %s\n", a, newargv[a]);
 
                        ret = do_command6(newargc, newargv, 
-                                          &newargv[2], &handle);
+                                        &newargv[2], &handle);
 
-                        free_argv();
+                       free_argv();
                }
                if (!ret) {
                        fprintf(stderr, "%s: line %u failed\n",
--- netfilter/userspace/ip6tables-restore.8.old Sun Mar  3 02:04:12 2002
+++ netfilter/userspace/ip6tables-restore.8     Sun Mar  3 02:09:38 2002
@@ -0,0 +1,51 @@
+.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte <[EMAIL PROTECTED]>
+.\" It is based on the ipptables man page.
+.\"
+.\"    This program is free software; you can redistribute it and/or modify
+.\"    it under the terms of the GNU General Public License as published by
+.\"    the Free Software Foundation; either version 2 of the License, or
+.\"    (at your option) any later version.
+.\"
+.\"    This program is distributed in the hope that it will be useful,
+.\"    but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"    GNU General Public License for more details.
+.\"
+.\"    You should have received a copy of the GNU General Public License
+.\"    along with this program; if not, write to the Free Software
+.\"    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-restore \- Restore IPv6 Tables
+.SH SYNOPSIS
+.BR "ip6tables-restore " "[-c] [-n]"
+.br
+.SH DESCRIPTION
+.PP
+.B ip6tables-restore
+is used to restore IPv6 Tables from data specified on STDIN. Use 
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR 
+.TP
+don't flush the previous contents of the table. If not specified, 
+.B ip6tables-restore
+flushes (deletes) all previous contents of the respective IPv6 Table.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte <[EMAIL PROTECTED]>
+.br
+Andras Kis-Szabo <[EMAIL PROTECTED]>
+.SH SEE ALSO
+.BR ip6tables-save "(8), " ip6tables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
