* [PATCH] iptables-batch
@ 2004-09-06 16:24 Ludwig Nussel
0 siblings, 0 replies; only message in thread
From: Ludwig Nussel @ 2004-09-06 16:24 UTC (permalink / raw)
To: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 7297 bytes --]
Hi,
Shell scripts that need to generate a lot of filter rules spend
quite some time forking iptables. The following patch implements
"iptables-batch" and "ip6tables-batch" commands which read the rules
to setup from a file. That's basically the same as iptables-restore
since the hard work is done by do_command() anyways but the file
format is exactly the same as when calling iptables from the shell,
without special additional key words. Therefore all you have to do
to make an existing shell script use iptables-batch is replacing
"iptables" with "echo iptables", redirect the output to a file and
run iptables-batch on it (for more complicated scripts use a shell
function that adds quotes around arguments to protect spaces).
cu
Ludwig
Index: iptables-1.2.9/iptables-batch.c
===================================================================
--- /dev/null
+++ iptables-1.2.9/iptables-batch.c
@@ -0,0 +1,280 @@
+/*
+ * Author: Ludwig Nussel <ludwig.nussel@suse.de>
+ *
+ * Based on the ipchains code by Paul Russell and Michael Neuling
+ *
+ * (C) 2000-2002 by the netfilter coreteam <coreteam@netfilter.org>:
+ * Paul 'Rusty' Russell <rusty@rustcorp.com.au>
+ * Marc Boucher <marc+nf@mbsi.ca>
+ * James Morris <jmorris@intercode.com.au>
+ * Harald Welte <laforge@gnumonks.org>
+ * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * iptables -- IP firewall administration for kernels with
+ * firewall table (aimed for the 2.3 kernels)
+ *
+ * See the accompanying manual page iptables(8) for information
+ * about proper usage of this program.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+
+#ifdef IP6T_LIB_DIR
+#include <ip6tables.h>
+#else
+#include <iptables.h>
+#endif
+
+static char* errstr = NULL;
+
+static char*
+skipspace(char* ptr)
+{
+ while(*ptr && isspace(*ptr))
+ ++ptr;
+ return ptr;
+}
+
+static char*
+getliteral(char** ptr)
+{
+ char* start = *ptr;
+ char* p = start;
+
+ while(*p && !isspace(*p))
+ ++p;
+
+ if(*p)
+ {
+ *p = '\0';
+ ++p;
+ }
+
+ *ptr = p;
+ return start;
+}
+
+static char*
+getstring(char** ptr)
+{
+ char* start = *ptr+1; // skip leading "
+ char* p = start;
+ char* o = start;
+ int backslash = 0;
+ int done = 0;
+
+ while(*p && !done)
+ {
+ if(backslash)
+ {
+ backslash = 0;
+ // no escapes supported, just eat the backslash
+ *o++ = *p++;
+ }
+ else if(*p == '\\')
+ {
+ backslash = 1;
+ p++;
+ }
+ else if(*p == '"')
+ {
+ done = 1;
+ }
+ else
+ {
+ *o++ = *p++;
+ }
+ }
+
+ if(done)
+ {
+ *o = '\0';
+ *p = '\0';
+ ++p;
+ *ptr = p;
+ }
+ else
+ {
+ errstr = "missing \" at end of string";
+ start = NULL;
+ }
+ return start;
+}
+
+static char*
+getword(char** ptr)
+{
+ *ptr = skipspace(*ptr);
+ if(**ptr == '"')
+ return getstring(ptr);
+ return getliteral(ptr);
+}
+
+// destructive
+static int
+tokenize(int* argc, char* argv[], size_t nargvsize, char* line)
+{
+ char* ptr = skipspace(line);
+ int ret = 0;
+ char* word;
+
+ while(ptr && *ptr)
+ {
+ if(*ptr == '#')
+ break;
+ if(*argc >= nargvsize)
+ {
+ errstr = "too many arguments";
+ ret = -1;
+ break;
+ }
+ word = getword(&ptr);
+ if(!word)
+ {
+ ret = -1;
+ break;
+ }
+ argv[(*argc)++] = word;
+ ++ret;
+ }
+ return ret;
+}
+
+static void
+dumpargv(int argc, char* argv[])
+{
+ int i;
+ for(i=0; i < argc; ++i)
+ {
+ printf("%s\"%s\"",i?" ":"", argv[i]);
+ }
+ puts("");
+}
+
+static int
+do_iptables(unsigned lineno, int argc, char* argv[])
+{
+ char *table = "filter";
+ int ret = 0;
+
+#ifdef IP6T_LIB_DIR
+ if(!strcmp(argv[0], "ip6tables"))
+ {
+ ip6tc_handle_t handle = NULL;
+ ret = do_command6(argc, argv, &table, &handle);
+ if (ret)
+ ret = ip6tc_commit(&handle);
+
+ if (!ret)
+ fprintf(stderr, "line %d: %s\n", lineno, ip6tc_strerror(errno));
+ }
+#else
+ if(!strcmp(argv[0], "iptables"))
+ {
+ iptc_handle_t handle = NULL;
+
+ ret = do_command(argc, argv, &table, &handle);
+ if (ret)
+ ret = iptc_commit(&handle);
+
+ if (!ret)
+ fprintf(stderr, "line %d: %s\n", lineno, iptc_strerror(errno));
+ }
+#endif
+ else
+ {
+ fprintf(stderr, "line %d: invalid command '%s'\n", lineno, argv[0]);
+ }
+
+ return ret;
+}
+
+int
+main(int argc, char *argv[])
+{
+ int ret = 1;
+ size_t llen = 0;
+ char* line = NULL;
+ ssize_t r = -1;
+ int nargc = 0;
+ char* nargv[256];
+ unsigned lineno = 0;
+ FILE* fp = stdin;
+
+#ifdef IP6T_LIB_DIR
+ program_name = "ip6tables-batch";
+#else
+ program_name = "iptables-batch";
+#endif
+ program_version = IPTABLES_VERSION;
+
+#ifdef NO_SHARED_LIBS
+ init_extensions();
+#endif
+ if(argc > 1)
+ {
+ fp = fopen(argv[1], "r");
+ if(!fp)
+ {
+ perror("fopen");
+ exit(1);
+ }
+ }
+
+ while((r = getline(&line, &llen, fp)) != -1)
+ {
+ if(llen < 1)
+ continue;
+ if(line[strlen(line)-1] == '\n')
+ line[strlen(line) -1 ] = '\0';
+
+ ++lineno;
+ nargc = 0;
+ errstr = NULL;
+ ret = tokenize(&nargc, nargv, (sizeof(nargv)/sizeof(nargv[0])), line);
+ if(ret == -1)
+ {
+ }
+ else if (ret == 0)
+ {
+ continue;
+ }
+ else if(nargc < 2)
+ {
+ errstr = "not enough arguments";
+ }
+
+ if(errstr)
+ {
+ fprintf(stderr, "parse error in line %d: %s\n", lineno, errstr);
+ ret = 0;
+ break;
+ }
+
+ ret = do_iptables(lineno, nargc, nargv);
+ if(!ret) break;
+ //dumpargv(nargc, nargv);
+
+ }
+
+ exit(!ret);
+}
Index: iptables-1.2.9/Makefile
===================================================================
--- iptables-1.2.9.orig/Makefile
+++ iptables-1.2.9/Makefile
@@ -102,6 +102,12 @@
iptables: iptables-standalone.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a
$(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
+iptables-batch: iptables-batch.c iptables.o $(STATIC_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
+ip6tables-batch: iptables-batch.c ip6tables.o $(STATIC6_LIBS) libiptc/libiptc.a
+ $(CC) $(CFLAGS) -DIP6T_LIB_DIR=\"$(IPT_LIBDIR)\" $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
$(DESTDIR)$(BINDIR)/iptables: iptables
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
cp $< $@
--
(o_ Ludwig Nussel
//\ SUSE LINUX AG, Development
V_/_ http://www.suse.de/
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2004-09-06 16:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-09-06 16:24 [PATCH] iptables-batch Ludwig Nussel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.