[PATCH] iptables-batch

[Ludwig Nussel <ludwig.nussel@suse.de>]

[-- Attachment #1: Type: text/plain, Size: 7297 bytes --]

Hi,

Shell scripts that need to generate a lot of filter rules spend
quite some time forking iptables. The following patch implements
"iptables-batch" and "ip6tables-batch" commands which read the rules
to setup from a file. That's basically the same as iptables-restore
since the hard work is done by do_command() anyways but the file
format is exactly the same as when calling iptables from the shell,
without special additional key words. Therefore all you have to do
to make an existing shell script use iptables-batch is replacing
"iptables" with "echo iptables", redirect the output to a file and
run iptables-batch on it (for more complicated scripts use a shell
function that adds quotes around arguments to protect spaces).

cu
Ludwig


Index: iptables-1.2.9/iptables-batch.c
===================================================================
--- /dev/null
+++ iptables-1.2.9/iptables-batch.c
@@ -0,0 +1,280 @@
+/*
+ * Author: Ludwig Nussel <ludwig.nussel@suse.de>
+ *
+ * Based on the ipchains code by Paul Russell and Michael Neuling
+ *
+ * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
+ * 		    Paul 'Rusty' Russell <rusty@rustcorp.com.au>
+ * 		    Marc Boucher <marc+nf@mbsi.ca>
+ * 		    James Morris <jmorris@intercode.com.au>
+ * 		    Harald Welte <laforge@gnumonks.org>
+ * 		    Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ *	iptables -- IP firewall administration for kernels with
+ *	firewall table (aimed for the 2.3 kernels)
+ *
+ *	See the accompanying manual page iptables(8) for information
+ *	about proper usage of this program.
+ *
+ *	This program is free software; you can redistribute it and/or modify
+ *	it under the terms of the GNU General Public License as published by
+ *	the Free Software Foundation; either version 2 of the License, or
+ *	(at your option) any later version.
+ *
+ *	This program is distributed in the hope that it will be useful,
+ *	but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *	GNU General Public License for more details.
+ *
+ *	You should have received a copy of the GNU General Public License
+ *	along with this program; if not, write to the Free Software
+ *	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+
+#ifdef IP6T_LIB_DIR
+#include <ip6tables.h>
+#else
+#include <iptables.h>
+#endif
+
+static char* errstr = NULL;
+
+static char*
+skipspace(char* ptr)
+{
+	while(*ptr && isspace(*ptr))
+		++ptr;
+	return ptr;
+}
+
+static char*
+getliteral(char** ptr)
+{
+	char* start = *ptr;
+	char* p = start;
+
+	while(*p && !isspace(*p))
+		++p;
+
+	if(*p)
+	{
+		*p = '\0';
+		++p;
+	}
+
+	*ptr = p;
+	return start;
+}
+
+static char*
+getstring(char** ptr)
+{
+	char* start = *ptr+1; // skip leading "
+	char* p = start;
+	char* o = start;
+	int backslash = 0;
+	int done = 0;
+
+	while(*p && !done)
+	{
+		if(backslash)
+		{
+			backslash = 0;
+			// no escapes supported, just eat the backslash
+			*o++ = *p++;
+		}
+		else if(*p == '\\')
+		{
+			backslash = 1;
+			p++;
+		}
+		else if(*p == '"')
+		{
+			done = 1;
+		}
+		else
+		{
+			*o++ = *p++;
+		}
+	}
+
+	if(done)
+	{
+		*o = '\0';
+		*p = '\0';
+		++p;
+		*ptr = p;
+	}
+	else
+	{
+		errstr = "missing \" at end of string";
+		start = NULL;
+	}
+	return start;
+}
+
+static char*
+getword(char** ptr)
+{
+	*ptr = skipspace(*ptr);
+	if(**ptr == '"')
+		return getstring(ptr);
+	return getliteral(ptr);
+}
+
+// destructive
+static int
+tokenize(int* argc, char* argv[], size_t nargvsize, char* line)
+{
+	char* ptr = skipspace(line);
+	int ret = 0;
+	char* word;
+
+	while(ptr && *ptr)
+	{
+		if(*ptr == '#')
+			break;
+		if(*argc >= nargvsize)
+		{
+			errstr = "too many arguments";
+			ret = -1;
+			break;
+		}
+		word = getword(&ptr);
+		if(!word)
+		{
+			ret = -1;
+			break;
+		}
+		argv[(*argc)++] = word;
+		++ret;
+	}
+	return ret;
+}
+
+static void
+dumpargv(int argc, char* argv[])
+{
+	int i;
+	for(i=0; i < argc; ++i)
+	{
+		printf("%s\"%s\"",i?" ":"", argv[i]);
+	}
+	puts("");
+}
+
+static int
+do_iptables(unsigned lineno, int argc, char* argv[])
+{
+	char *table = "filter";
+	int ret = 0;
+
+#ifdef IP6T_LIB_DIR
+	if(!strcmp(argv[0], "ip6tables"))
+	{
+		ip6tc_handle_t handle = NULL;
+		ret = do_command6(argc, argv, &table, &handle);
+		if (ret)
+			ret = ip6tc_commit(&handle);
+
+		if (!ret)
+			fprintf(stderr, "line %d: %s\n", lineno, ip6tc_strerror(errno));
+	}
+#else
+	if(!strcmp(argv[0], "iptables"))
+	{
+		iptc_handle_t handle = NULL;
+
+		ret = do_command(argc, argv, &table, &handle);
+		if (ret)
+			ret = iptc_commit(&handle);
+
+		if (!ret)
+			fprintf(stderr, "line %d: %s\n", lineno, iptc_strerror(errno));
+	}
+#endif
+	else
+	{
+		fprintf(stderr, "line %d: invalid command '%s'\n", lineno, argv[0]);
+	}
+
+	return ret;
+}
+
+int
+main(int argc, char *argv[])
+{
+	int ret = 1;
+	size_t llen = 0;
+	char* line = NULL;
+	ssize_t r = -1;
+	int nargc = 0;
+	char* nargv[256];
+	unsigned lineno = 0;
+	FILE* fp = stdin;
+
+#ifdef IP6T_LIB_DIR
+	program_name = "ip6tables-batch";
+#else
+	program_name = "iptables-batch";
+#endif
+	program_version = IPTABLES_VERSION;
+
+#ifdef NO_SHARED_LIBS
+	init_extensions();
+#endif
+	if(argc > 1)
+	{
+		fp = fopen(argv[1], "r");
+		if(!fp)
+		{
+			perror("fopen");
+			exit(1);
+		}
+	}
+
+	while((r = getline(&line, &llen, fp)) != -1)
+	{
+		if(llen < 1)
+			continue;
+		if(line[strlen(line)-1] == '\n')
+			line[strlen(line) -1 ] = '\0';
+
+		++lineno;
+		nargc = 0;
+		errstr = NULL;
+		ret = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), line);
+		if(ret == -1)
+		{
+		}
+		else if (ret == 0)
+		{
+			continue;
+		}
+		else if(nargc < 2)
+		{
+			errstr = "not enough arguments";
+		}
+
+		if(errstr)
+		{
+			fprintf(stderr, "parse error in line %d: %s\n", lineno, errstr);
+			ret = 0;
+			break;
+		}
+
+		ret = do_iptables(lineno, nargc, nargv);
+		if(!ret) break;
+		//dumpargv(nargc, nargv);
+
+	}
+
+	exit(!ret);
+}
Index: iptables-1.2.9/Makefile
===================================================================
--- iptables-1.2.9.orig/Makefile
+++ iptables-1.2.9/Makefile
@@ -102,6 +102,12 @@
 iptables: iptables-standalone.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a
 	$(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
 
+iptables-batch: iptables-batch.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a
+	$(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
+ip6tables-batch: iptables-batch.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a
+	$(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
 $(DESTDIR)$(BINDIR)/iptables: iptables
 	@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
 	cp $< $@

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX AG, Development
 V_/_  http://www.suse.de/

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]