From: "Maciej Żenczykowski" <zenczykowski@gmail.com>
To: "Maciej Żenczykowski" <maze@google.com>
Cc: netfilter-devel@vger.kernel.org, "Maciej Żenczykowski" <maze@google.com>
Subject: [PATCH 2/5] Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.
Date: Mon, 18 Apr 2011 18:23:50 -0700
Message-ID: <1303176233-14063-2-git-send-email-zenczykowski@gmail.com>
In-Reply-To: <BANLkTikeSwL=TU9nPFsUJeLXTHnPdu5BUg@mail.gmail.com>

From: Maciej Żenczykowski <maze@google.com>

This enables one to have a single configuration file for both ipv4 and ipv6
firewall rules.

Example:
  iptables-restore config
  ip6tables-restore config

Where the file 'config' contains:
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :ssh - [0:0]

  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -m state --state INVALID -j DROP
  -A INPUT -i lo -j ACCEPT
  -A INPUT -4 -p icmp -j ACCEPT
  -A INPUT -6 -p icmpv6 -j ACCEPT
  -A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
  -A ssh -j ACCEPT

  COMMIT

Signed-off-by: Maciej Zenczykowski <maze@google.com>
---
 ip6tables.c |   16 +++++++++++++++-
 iptables.c  |   15 ++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index f9909f1..8d73641 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -124,6 +124,8 @@ static struct option original_opts[] = {
 	{.name = "modprobe",      .has_arg = 1, .val = 'M'},
 	{.name = "set-counters",  .has_arg = 1, .val = 'c'},
 	{.name = "goto",          .has_arg = 1, .val = 'g'},
+	{.name = "ipv4",          .has_arg = 0, .val = '4'},
+	{.name = "ipv6",          .has_arg = 0, .val = '6'},
 	{NULL},
 };
 
@@ -248,6 +250,8 @@ exit_printhelp(const struct xtables_rule_match *matches)
 "				Change chain name, (moving any references)\n"
 
 "Options:\n"
+"    --ipv4	-4		Error (line is ignored by ip6tables-restore)\n"
+"    --ipv6	-6		Nothing (line is ignored by iptables-restore)\n"
 "[!] --proto	-p proto	protocol: by number or name, eg. `tcp'\n"
 "[!] --source	-s address[/mask][,...]\n"
 "				source specification\n"
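Review bot: the two help lines added here read as self-contradictory: "--ipv4 -4 Error (line is ignored by ip6tables-restore)" says both "error" and "ignored" about the same flag, and "--ipv6 -6 Nothing" does not tell the user what the flag means. What the code actually does is: on the ip6tables command line -4 is an error, while under ip6tables-restore the whole rule line is skipped; -6 is a no-op that marks the line as IPv6-only. Suggest wording it that way, e.g. `--ipv4 -4 error here; rule line skipped by ip6tables-restore` and `--ipv6 -6 no-op (marks a rule as IPv6-only in a shared file)`, and mirroring the fix in the iptables.c help hunk.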
@@ -1439,7 +1443,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 
 	opts = xt_params->orig_opts;
 	while ((cs.c = getopt_long(argc, argv,
-	   "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:",
+	   "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46",
 					   opts, NULL)) != -1) {
 		switch (cs.c) {
 			/*
@@ -1756,6 +1760,16 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 			cs.fw6.counters.bcnt = cnt;
 			break;
 
+		case '4':
+			/* This is not the IPv4 iptables */
+			if (line != -1) return 1; /* success: line ignored */
+			fprintf(stderr, "This is the IPv6 version of ip6tables.\n");
+			exit_tryhelp(2);
+
+		case '6':
+			/* This is indeed the IPv6 ip6tables */
+			break;
+
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
 				if (cs.invert)
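Review bot: `return 1` from inside the getopt_long() loop in case '4' (when line != -1) leaves do_command6() before the rest of the rule line is parsed and before whatever cleanup the normal exit path performs, so matches or a target already loaded for options that precede -4 on the line are abandoned, and everything after -4 on that line is never looked at by ip6tables-restore. Consider setting a "skip this line" flag here, letting the loop finish and returning after the usual cleanup, or at least documenting that -4/-6 must be the first option of a rule. Two smaller points: `line != -1` is being used as the "we are running under ip6tables-restore" test, which deserves a comment saying so; and the message "This is the IPv6 version of ip6tables." is tautological, something like "ip6tables: -4/--ipv4 is only meaningful in a file shared with iptables-restore" tells the user what went wrong.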
diff --git a/iptables.c b/iptables.c
index 0441dce..523454d 100644
--- a/iptables.c
+++ b/iptables.c
@@ -123,6 +123,8 @@ static struct option original_opts[] = {
 	{.name = "modprobe",      .has_arg = 1, .val = 'M'},
 	{.name = "set-counters",  .has_arg = 1, .val = 'c'},
 	{.name = "goto",          .has_arg = 1, .val = 'g'},
+	{.name = "ipv4",          .has_arg = 0, .val = '4'},
+	{.name = "ipv6",          .has_arg = 0, .val = '6'},
 	{NULL},
 };
 
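Review bot: these two option entries, the "46" optstring suffix and the two new switch cases are copied verbatim between iptables.c and ip6tables.c, so the two copies can drift (the two help texts in this series already differ only in which word is "Error" and which is "Nothing"). Given that later patches in this series fold both binaries into xtables-multi, consider putting the family flags in the shared option table and keeping only the per-family decision in do_command4()/do_command6().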
@@ -261,6 +263,8 @@ exit_printhelp(const struct xtables_rule_match *matches)
 "				Change chain name, (moving any references)\n"
 
 "Options:\n"
+"    --ipv4	-4		Nothing (line is ignored by ip6tables-restore)\n"
+"    --ipv6	-6		Error (line is ignored by iptables-restore)\n"
 "[!] --proto	-p proto	protocol: by number or name, eg. `tcp'\n"
 "[!] --source	-s address[/mask][...]\n"
 "				source specification\n"
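Review bot: same wording problem as in the ip6tables.c help hunk: "--ipv6 -6 Error (line is ignored by iptables-restore)" mixes "error" and "ignored" for one flag, and "--ipv4 -4 Nothing" is not a description. Suggest `--ipv4 -4 no-op (marks a rule as IPv4-only in a shared file)` and `--ipv6 -6 error here; rule line skipped by iptables-restore`.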
@@ -1467,7 +1471,7 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
 
 	opts = xt_params->orig_opts;
 	while ((cs.c = getopt_long(argc, argv,
-	   "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:",
+	   "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46",
 					   opts, NULL)) != -1) {
 		switch (cs.c) {
 			/*
@@ -1782,6 +1786,15 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
 			cs.fw.counters.bcnt = cnt;
 			break;
 
+		case '4':
+			/* This is indeed the IPv4 iptables */
+			break;
+
+		case '6':
+			/* This is not the IPv6 ip6tables */
+			if (line != -1) return 1; /* success: line ignored */
+			fprintf(stderr, "This is the IPv4 version of iptables.\n");
+			exit_tryhelp(2);
 
 		case 1: /* non option */
 			if (optarg[0] == '!' && optarg[1] == '\0') {
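Review bot: case '6' ends with `exit_tryhelp(2);` and then falls straight into `case 1:`; this is correct only because exit_tryhelp() never returns (the ip6tables.c hunk relies on the same thing, falling from case '4' into case '6'). Add `/* not reached */` or a `break` after the call so the fall-through is visibly intentional and survives a future change to exit_tryhelp(). The early `return 1` in the restore case has the same drawbacks as in ip6tables.c: it skips the rest of the line and the normal cleanup at the end of do_command4(), so a flag-based skip that lets the option loop finish would be cleaner here too.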
-- 
1.7.3.1
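To make the semantics of the shared file concrete, here is an added example (not code from the patch or from iptables): a standalone Python script that applies the same line-skipping rule the patch gives the restore tools. A rule line carrying the other family's flag (-4/--ipv4 for IPv6, -6/--ipv6 for IPv4) is skipped, a line carrying the own family's flag is kept with the flag removed, and table headers, chain declarations, COMMIT and untagged rules pass through unchanged. The function names `split_rules` and `render` are this example's own; the sample file is the `config` from the commit message.

```python
"""Split a rules file shared by iptables-restore and ip6tables-restore.

Added example, not code from the patch or from iptables: it re-implements in
a standalone script the line-skipping semantics the patch gives the restore
tools for -4/--ipv4 and -6/--ipv6, so a shared file can be checked, or split
into per-family files for restore binaries that predate the patch, before it
is loaded.
"""
import shlex
import sys

# Flag spellings the patch adds, keyed by address family.
FAMILY_FLAGS = {4: {"-4", "--ipv4"}, 6: {"-6", "--ipv6"}}

# Constructed sample: the shared 'config' file shown in the commit message.
SAMPLE_CONFIG = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ssh - [0:0]

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -6 -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
-A ssh -j ACCEPT

COMMIT
"""


def split_rules(text, family):
    """Return (kept, skipped) for one family, mirroring the patched restore tools.

    kept    -- lines to feed to ip{,6}tables-restore, own-family flags removed
    skipped -- (line number, line) pairs that carry the other family's flag
    """
    if family not in FAMILY_FLAGS:
        raise ValueError("family must be 4 or 6")
    own = FAMILY_FLAGS[family]
    other = FAMILY_FLAGS[10 - family]  # 4 -> 6, 6 -> 4
    kept, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Table headers (*filter), chain declarations (:INPUT ...), COMMIT,
        # comments and blank lines carry no options: pass them through as-is.
        if not stripped.startswith("-"):
            kept.append(line)
            continue
        # shlex honours shell quoting, but this heuristic does not know which
        # tokens are option values (getopt in the real tools does), so an
        # option argument spelled exactly "-4" would be misread here.
        tokens = shlex.split(stripped)
        if any(tok in other for tok in tokens):
            # The patch returns as soon as the other family's flag is seen,
            # so the whole line is dropped, whatever follows the flag.
            skipped.append((lineno, line))
            continue
        # Drop the own-family flag so the output also loads on a restore
        # binary that does not understand -4/-6 at all.
        kept.append(" ".join(tok for tok in tokens if tok not in own))
    return kept, skipped


def render(text, family):
    """Rules file text for one family, as the patched restore tool would apply it."""
    kept, _ = split_rules(text, family)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python split_rules.py [shared-rules-file]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for fam in (4, 6):
        kept, skipped = split_rules(source, fam)
        print(f"# IPv{fam}: {len(kept)} lines kept, {len(skipped)} skipped")
        for lineno, line in skipped:
            print(f"#   skipped line {lineno}: {line}")
```

Note that a rule tagged with both -4 and -6 is dropped by both families, exactly as the patched tools would drop it: each restore binary stops at the first flag that is not its own.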


Thread overview: 22+ messages
2011-04-19  1:22 Patches: don't call modprobe, ipv4/ipv6 flag support, xtables-multi unification Maciej Żenczykowski
2011-04-19  1:23 ` [PATCH 1/5] Don't load ip6?_tables module when already loaded Maciej Żenczykowski
2011-04-19  7:03   ` Patrick McHardy
2011-04-19  7:10     ` [PATCH] " Maciej Żenczykowski
2011-04-19  7:14       ` Patrick McHardy
2011-04-19  1:23 ` Maciej Żenczykowski [this message]
2011-04-19  7:17   ` [PATCH 2/5] Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore} Patrick McHardy
2011-04-19  7:32     ` Maciej Żenczykowski
2011-04-19  7:33       ` Patrick McHardy
2011-04-19  1:23 ` [PATCH 3/5] Move common parts of libext{4,6}.a into libext.a Maciej Żenczykowski
2011-04-19  1:23 ` [PATCH 4/5] combine ip6?tables-multi into xtables-multi Maciej Żenczykowski
2011-04-19  1:23 ` [PATCH 5/5] add xtables-multi{32,64} recognition Maciej Żenczykowski
2011-04-19  7:18   ` Patrick McHardy
2011-04-19  7:29     ` Maciej Żenczykowski
2011-04-19  7:32       ` Patrick McHardy
2011-04-19  7:55   ` Jan Engelhardt
2011-04-19  8:55     ` Maciej Żenczykowski
2011-04-20  1:44 ` Patches: don't call modprobe, ipv4/ipv6 flag support, xtables-multi unification Maciej Żenczykowski
2011-04-20  1:44   ` [PATCH 1/3] Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore} Maciej Żenczykowski
2011-04-20  1:44   ` [PATCH 2/3] Move common parts of libext{4,6}.a into libext.a Maciej Żenczykowski
2011-04-20  1:44   ` [PATCH 3/3] combine ip6?tables-multi into xtables-multi Maciej Żenczykowski
2011-04-21  9:16   ` Patches: don't call modprobe, ipv4/ipv6 flag support, xtables-multi unification Patrick McHardy