* Automatically load modules in iptables-save
@ 2009-03-16 11:42 Soren Hansen
0 siblings, 0 replies; 14+ messages in thread
From: Soren Hansen @ 2009-03-16 11:42 UTC (permalink / raw)
To: netfilter-devel
If the iptables modules are not loaded when iptables-save is run,
iptables-save will fail, because it can't open the relevant files in
/proc. This patch makes iptables-save attempt to load the modules, and
then retries.
Index: iptables-1.4.1.1/iptables-save.c
===================================================================
--- iptables-1.4.1.1.orig/iptables-save.c 2009-03-16 11:19:25.233429856 +0100
+++ iptables-1.4.1.1/iptables-save.c 2009-03-16 12:42:10.200735326 +0100
@@ -28,17 +28,22 @@
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
{NULL},
};
/* Debugging prototype. */
-static int for_each_table(int (*func)(const char *tablename))
+static int for_each_table(int (*func)(const char *tablename), const char *modprobe)
{
int ret = 1;
FILE *procfile = NULL;
char tablename[IPT_TABLE_MAXNAMELEN+1];
procfile = fopen("/proc/net/ip_tables_names", "r");
+ if (!procfile) {
+ load_xtables_ko(modprobe, 0);
+ procfile = fopen("/proc/net/ip_tables_names", "r");
+ }
if (!procfile)
exit_error(OTHER_PROBLEM,
"Unable to open /proc/net/ip_tables_names: %s\n",
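Review bot: The callback type of `for_each_table` still reads `int (*func)(const char *tablename)`, but the next hunk gives `do_output` a second parameter and passes `&do_output` here, so the pointer types no longer match. The call through `func` sits outside every hunk of this patch, so it presumably still passes one argument, and `do_output` would then read an indeterminate `modprobe` on the all-tables path. Declare the parameter as `int (*func)(const char *tablename, const char *modprobe)` and call `ret &= func(tablename, modprobe);`. The identical resend of this patch further down the thread has the same mismatch.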
@@ -57,15 +62,20 @@
}
-static int do_output(const char *tablename)
+static int do_output(const char *tablename, const char *modprobe)
{
iptc_handle_t h;
const char *chain = NULL;
if (!tablename)
- return for_each_table(&do_output);
+ return for_each_table(&do_output, modprobe);
h = iptc_init(tablename);
+ if (!h) {
+ load_xtables_ko(modprobe, 0);
+ h = iptc_init(tablename);
+ }
+
if (!h)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
iptc_strerror(errno));
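Review bot: The retry after `iptc_init()` fails runs for every failure, and the result of `load_xtables_ko()` is dropped, so the modprobe helper is started even when the first error had nothing to do with a missing module (an unprivileged caller, for example) and a failed load is never reported. Check the call, e.g. `if (!h && load_xtables_ko(modprobe, 0) == 0) h = iptc_init(tablename);`, or at least comment why the result is ignored; the success value of `load_xtables_ko()` is not visible here and should be confirmed. `errno` may also have been overwritten by the helper by the time `iptc_strerror(errno)` prints it. The later versions of this hunk in the thread, including the `xtables_load_ko()` form in ip6tables-save.c and iptables-save.c, have the same shape; `do_output` continues past the end of the hunk.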
@@ -134,6 +144,7 @@
#endif
{
const char *tablename = NULL;
+ const char *modprobe = NULL;
int c;
program_name = "iptables-save";
@@ -152,7 +163,7 @@
init_extensions();
#endif
- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
switch (c) {
case 'b':
show_binary = 1;
@@ -166,8 +177,11 @@
/* Select specific table. */
tablename = optarg;
break;
+ case 'M':
+ modprobe = optarg;
+ break;
case 'd':
- do_output(tablename);
+ do_output(tablename, modprobe);
exit(0);
}
}
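Review bot: `modprobe = optarg` hands a caller-chosen path to `load_xtables_ko()`, which by its name and the option's purpose runs that program, and nothing at the case says so. iptables-save normally runs as root, so a sudoers rule or wrapper that lets a less-privileged user pass options through to it would let that user choose the program that gets executed. A comment on the case, for example `/* Path of the modprobe helper; it is executed with our privileges, so it must not come from untrusted input. */`, would make that visible to whoever writes such a wrapper. Separately, `-d` dumps and exits as soon as it is parsed, so a `-M` given after `-d` is never used.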
@@ -177,5 +191,5 @@
exit(1);
}
- return !do_output(tablename);
+ return !do_output(tablename, modprobe);
}
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Automatically load modules in iptables-save
@ 2009-03-16 17:10 Soren Hansen
2009-03-19 12:55 ` Soren Hansen
0 siblings, 1 reply; 14+ messages in thread
From: Soren Hansen @ 2009-03-16 17:10 UTC (permalink / raw)
To: netfilter-devel
Resubmitting as per
http://marc.info/?l=netfilter-devel&m=123722008913373&w=2
If the iptables modules are not loaded when iptables-save is run,
iptables-save will fail, because it can't open the relevant files in
/proc. This patch makes iptables-save attempt to load the modules, and
then retries.
Index: iptables-1.4.1.1/iptables-save.c
===================================================================
--- iptables-1.4.1.1.orig/iptables-save.c 2009-03-16 11:19:25.233429856 +0100
+++ iptables-1.4.1.1/iptables-save.c 2009-03-16 12:42:10.200735326 +0100
@@ -28,17 +28,22 @@
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
{NULL},
};
/* Debugging prototype. */
-static int for_each_table(int (*func)(const char *tablename))
+static int for_each_table(int (*func)(const char *tablename), const char *modprobe)
{
int ret = 1;
FILE *procfile = NULL;
char tablename[IPT_TABLE_MAXNAMELEN+1];
procfile = fopen("/proc/net/ip_tables_names", "r");
+ if (!procfile) {
+ load_xtables_ko(modprobe, 0);
+ procfile = fopen("/proc/net/ip_tables_names", "r");
+ }
if (!procfile)
exit_error(OTHER_PROBLEM,
"Unable to open /proc/net/ip_tables_names: %s\n",
@@ -57,15 +62,20 @@
}
-static int do_output(const char *tablename)
+static int do_output(const char *tablename, const char *modprobe)
{
iptc_handle_t h;
const char *chain = NULL;
if (!tablename)
- return for_each_table(&do_output);
+ return for_each_table(&do_output, modprobe);
h = iptc_init(tablename);
+ if (!h) {
+ load_xtables_ko(modprobe, 0);
+ h = iptc_init(tablename);
+ }
+
if (!h)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
iptc_strerror(errno));
@@ -134,6 +144,7 @@
#endif
{
const char *tablename = NULL;
+ const char *modprobe = NULL;
int c;
program_name = "iptables-save";
@@ -152,7 +163,7 @@
init_extensions();
#endif
- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
switch (c) {
case 'b':
show_binary = 1;
@@ -166,8 +177,11 @@
/* Select specific table. */
tablename = optarg;
break;
+ case 'M':
+ modprobe = optarg;
+ break;
case 'd':
- do_output(tablename);
+ do_output(tablename, modprobe);
exit(0);
}
}
@@ -177,5 +191,5 @@
exit(1);
}
- return !do_output(tablename);
+ return !do_output(tablename, modprobe);
}
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Re: Automatically load modules in iptables-save
2009-03-16 17:10 Automatically load modules in iptables-save Soren Hansen
@ 2009-03-19 12:55 ` Soren Hansen
2009-03-19 13:05 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Soren Hansen @ 2009-03-19 12:55 UTC (permalink / raw)
To: netfilter-devel
On Mon, Mar 16, 2009 at 06:10:14PM +0100, Soren Hansen wrote:
> Resubmitting as per
> http://marc.info/?l=netfilter-devel&m=123722008913373&w=2
>
> If the iptables modules are not loaded when iptables-save is run,
> iptables-save will fail, because it can't open the relevant files in
> /proc. This patch makes iptables-save attempt to load the modules, and
> then retries.
Is this the correct list for this?
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Re: Automatically load modules in iptables-save
2009-03-19 12:55 ` Soren Hansen
@ 2009-03-19 13:05 ` Patrick McHardy
2009-03-19 13:50 ` Soren Hansen
0 siblings, 1 reply; 14+ messages in thread
From: Patrick McHardy @ 2009-03-19 13:05 UTC (permalink / raw)
To: Soren Hansen; +Cc: netfilter-devel
Soren Hansen wrote:
> On Mon, Mar 16, 2009 at 06:10:14PM +0100, Soren Hansen wrote:
>> Resubmitting as per
>> http://marc.info/?l=netfilter-devel&m=123722008913373&w=2
>>
>> If the iptables modules are not loaded when iptables-save is run,
>> iptables-save will fail, because it can't open the relevant files in
>> /proc. This patch makes iptables-save attempt to load the modules, and
>> then retries.
>
> Is this the correct list for this?
It is. The patch seems rather pointless though, if the module isn't
loaded, there's obviously nothing to save.
> If the iptables modules are not loaded when iptables-save is run,
> iptables-save will fail
What does "fail" mean in this context?
* Re: Automatically load modules in iptables-save
2009-03-19 13:05 ` Patrick McHardy
@ 2009-03-19 13:50 ` Soren Hansen
2009-03-19 13:55 ` Jan Engelhardt
0 siblings, 1 reply; 14+ messages in thread
From: Soren Hansen @ 2009-03-19 13:50 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Thu, Mar 19, 2009 at 02:05:54PM +0100, Patrick McHardy wrote:
>>> If the iptables modules are not loaded when iptables-save is run,
>>> iptables-save will fail, because it can't open the relevant files in
>>> /proc. This patch makes iptables-save attempt to load the modules,
>>> and then retries.
>> Is this the correct list for this?
> It is. The patch seems rather pointless though, if the module isn't
> loaded, there's obviously nothing to save.
Right. I thought about just silently bailing out, but decided to go this
route instead. Explanation follows.
>> If the iptables modules are not loaded when iptables-save is run,
>> iptables-save will fail
> What does "fail" mean in this context?
$ sudo iptables-save
iptables-save v1.4.1.1: Unable to open /proc/net/ip_tables_names: No such file or directory
$ echo $?
1
I decided to try to load the modules instead of just silently returning,
so that if iptables-save succeeds, you can reasonably expect
iptables-restore to work as well. I would be quite surprised if I found
that the firewall rules I just saved (perhaps not realising that there
weren't any) couldn't be loaded again, which is what you'd get if your
system had no iptables support at all.
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Re: Automatically load modules in iptables-save
2009-03-19 13:50 ` Soren Hansen
@ 2009-03-19 13:55 ` Jan Engelhardt
2009-03-19 13:58 ` Patrick McHardy
2009-03-19 14:29 ` Soren Hansen
0 siblings, 2 replies; 14+ messages in thread
From: Jan Engelhardt @ 2009-03-19 13:55 UTC (permalink / raw)
To: Soren Hansen; +Cc: Patrick McHardy, netfilter-devel
On Thursday 2009-03-19 14:50, Soren Hansen wrote:
>On Thu, Mar 19, 2009 at 02:05:54PM +0100, Patrick McHardy wrote:
>>>> If the iptables modules are not loaded when iptables-save is run,
>>>> iptables-save will fail, because it can't open the relevant files in
>>>> /proc. This patch makes iptables-save attempt to load the modules,
>>>> and then retries.
>
>Right. I thought about just silently bailing out, but decided to go this
>route instead. Explanation follows.
>
>$ sudo iptables-save
>iptables-save v1.4.1.1: Unable to open /proc/net/ip_tables_names: No such file or directory
>$ echo $?
>1
>
>I decided to try to load the modules instead of just silently returning,
IMHO, it should not fail, not even silently, but return success.
If x_tables.ko is not loaded, there cannot be any tables active
anyway, and thus would be equal to a loaded x_tables.ko with
no table modules (iptable_filter, etc.) loaded.
>so that if iptables-save succeeds, you can reasonably expect
>iptables-restore to work as well.
`echo '' | iptables-restore` does work. One more reason to
make iptables-save return 0 when it outputs nothing.
* Re: Automatically load modules in iptables-save
2009-03-19 13:55 ` Jan Engelhardt
@ 2009-03-19 13:58 ` Patrick McHardy
2009-03-19 14:29 ` Soren Hansen
1 sibling, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-03-19 13:58 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Soren Hansen, netfilter-devel
Jan Engelhardt wrote:
> On Thursday 2009-03-19 14:50, Soren Hansen wrote:
>
>> On Thu, Mar 19, 2009 at 02:05:54PM +0100, Patrick McHardy wrote:
>>
>>>>> If the iptables modules are not loaded when iptables-save is run,
>>>>> iptables-save will fail, because it can't open the relevant files in
>>>>> /proc. This patch makes iptables-save attempt to load the modules,
>>>>> and then retries.
>>>>>
>> Right. I thought about just silently bailing out, but decided to go this
>> route instead. Explanation follows.
>>
>> $ sudo iptables-save
>> iptables-save v1.4.1.1: Unable to open /proc/net/ip_tables_names: No such file or directory
>> $ echo $?
>> 1
>>
>> I decided to try to load the modules instead of just silently returning,
>>
>
> IMHO, it should not fail, not even silently, but return success.
> If x_tables.ko is not loaded, there cannot be any tables active
> anyway, and thus would be equal to a loaded x_tables.ko with
> no table modules (iptable_filter, etc.) loaded.
>
That's my opinion as well. I've never understood why so many things are
silently
activated by "list" or "dump" commands.
>> so that if iptables-save succeeds, you can reasonably expect
>> iptables-restore to work as well.
>>
>
> `echo '' | iptables-restore` does work. One more reason to
> make iptables-save not outputting anything returning 0.
>
Agreed.
* Re: Automatically load modules in iptables-save
2009-03-19 13:55 ` Jan Engelhardt
2009-03-19 13:58 ` Patrick McHardy
@ 2009-03-19 14:29 ` Soren Hansen
2009-03-19 14:31 ` Jan Engelhardt
1 sibling, 1 reply; 14+ messages in thread
From: Soren Hansen @ 2009-03-19 14:29 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, netfilter-devel
On Thu, Mar 19, 2009 at 02:55:54PM +0100, Jan Engelhardt wrote:
>>I decided to try to load the modules instead of just silently returning,
> IMHO, it should not fail, not even silently, but return success.
[..]
> If x_tables.ko is not loaded, there cannot be any tables active
> anyway, and thus would be equal to a loaded x_tables.ko with
> no table modules (iptable_filter, etc.) loaded.
>
> >so that if iptables-save succeeds, you can reasonably expect
> >iptables-restore to work as well.
>
> `echo '' | iptables-restore` does work.
Hrm. You appear to be right. I somehow thought that iptables-restore
would unconditionally try to load x_tables.ko.
> One more reason to make iptables-save not outputting anything
> returning 0.
That makes sense.
How about the case where someone calls "iptables-save -t foo"? Should
that just return an empty string and exit(0), should it attempt module
load to see if that's even a valid table or something entirely
different?
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Re: Automatically load modules in iptables-save
2009-03-19 14:29 ` Soren Hansen
@ 2009-03-19 14:31 ` Jan Engelhardt
2009-03-19 15:43 ` Soren Hansen
0 siblings, 1 reply; 14+ messages in thread
From: Jan Engelhardt @ 2009-03-19 14:31 UTC (permalink / raw)
To: Soren Hansen; +Cc: Patrick McHardy, netfilter-devel
On Thursday 2009-03-19 15:29, Soren Hansen wrote:
>
>How about the case where someone calls "iptables-save -t foo"? Should
>that just return an empty string and exit(0), should it attempt module
>load to see if that's even a valid table or something entirely
>different?
It should load x_tables.ko and the table... I have a suspicion
some unknown users might expect to see "*foo" when using -t.
* Re: Automatically load modules in iptables-save
2009-03-19 14:31 ` Jan Engelhardt
@ 2009-03-19 15:43 ` Soren Hansen
2009-03-19 16:02 ` Jan Engelhardt
2009-03-19 16:43 ` Soren Hansen
0 siblings, 2 replies; 14+ messages in thread
From: Soren Hansen @ 2009-03-19 15:43 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, netfilter-devel
On Thu, Mar 19, 2009 at 03:31:25PM +0100, Jan Engelhardt wrote:
>>How about the case where someone calls "iptables-save -t foo"? Should
>>that just return an empty string and exit(0), should it attempt module
>>load to see if that's even a valid table or something entirely
>>different?
>
> It should load x_tables.ko and the table... I have a suspicion
> some unknown users might expect to see "*foo" when using -t.
Alright. This patch should make everyone happy, then..
Index: iptables-1.4.1.1/iptables-save.c
===================================================================
--- iptables-1.4.1.1.orig/iptables-save.c 2009-03-19 16:03:12.800343689 +0100
+++ iptables-1.4.1.1/iptables-save.c 2009-03-19 16:07:45.095342140 +0100
@@ -28,17 +28,21 @@
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
{NULL},
};
/* Debugging prototype. */
-static int for_each_table(int (*func)(const char *tablename))
+static int for_each_table(int (*func)(const char *tablename, const char *modprobe), const char *modprobe)
{
int ret = 1;
FILE *procfile = NULL;
char tablename[IPT_TABLE_MAXNAMELEN+1];
procfile = fopen("/proc/net/ip_tables_names", "r");
+ if (!procfile) {
+ exit(0);
+ }
if (!procfile)
exit_error(OTHER_PROBLEM,
"Unable to open /proc/net/ip_tables_names: %s\n",
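Review bot: The added `exit(0)` fires for every `fopen()` failure, so a permission or resource error on /proc/net/ip_tables_names now ends the run with status 0 and empty output, which a script redirecting the dump into its saved-rules file would take as a valid empty ruleset. Only the missing-file case was agreed in the thread to mean "nothing to save"; test for it with `if (!procfile && errno == ENOENT) exit(0);` and leave the existing `exit_error()` for everything else. As written, the second `if (!procfile)` directly below can no longer be reached. The follow-up patch and the reworked version (`return ret;` in ip6tables-save.c and iptables-save.c) drop the errno distinction in the same way. `for_each_table` continues outside the hunk.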
@@ -50,22 +54,27 @@
"Badly formed tablename `%s'\n",
tablename);
tablename[strlen(tablename) - 1] = '\0';
- ret &= func(tablename);
+ ret &= func(tablename, modprobe);
}
return ret;
}
-static int do_output(const char *tablename)
+static int do_output(const char *tablename, const char *modprobe)
{
iptc_handle_t h;
const char *chain = NULL;
if (!tablename)
- return for_each_table(&do_output);
+ return for_each_table(&do_output, modprobe);
h = iptc_init(tablename);
+ if (!h) {
+ load_xtables_ko(modprobe, 0);
+ h = iptc_init(tablename);
+ }
+
if (!h)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
iptc_strerror(errno));
@@ -134,6 +143,7 @@
#endif
{
const char *tablename = NULL;
+ const char *modprobe = NULL;
int c;
program_name = "iptables-save";
@@ -152,8 +162,8 @@
init_extensions();
#endif
- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
- switch (c) {
+ while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
+ switch (c) {
case 'b':
show_binary = 1;
break;
@@ -166,8 +176,11 @@
/* Select specific table. */
tablename = optarg;
break;
+ case 'M':
+ modprobe = optarg;
+ break;
case 'd':
- do_output(tablename);
+ do_output(tablename, modprobe);
exit(0);
}
}
@@ -177,5 +190,5 @@
exit(1);
}
- return !do_output(tablename);
+ return !do_output(tablename, modprobe);
}
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Re: Automatically load modules in iptables-save
2009-03-19 15:43 ` Soren Hansen
@ 2009-03-19 16:02 ` Jan Engelhardt
2009-03-19 17:00 ` Soren Hansen
2009-03-20 18:42 ` Patrick McHardy
2009-03-19 16:43 ` Soren Hansen
1 sibling, 2 replies; 14+ messages in thread
From: Jan Engelhardt @ 2009-03-19 16:02 UTC (permalink / raw)
To: Soren Hansen; +Cc: Patrick McHardy, netfilter-devel
On Thursday 2009-03-19 16:43, Soren Hansen wrote:
>On Thu, Mar 19, 2009 at 03:31:25PM +0100, Jan Engelhardt wrote:
>>>How about the case where someone calls "iptables-save -t foo"? Should
>>>that just return an empty string and exit(0), should it attempt module
>>>load to see if that's even a valid table or something entirely
>>>different?
>>
>> It should load x_tables.ko and the table... I have a suspicion
>> some unknown users might expect to see "*foo" when using -t.
>
>Alright. This patch should make everyone happy, then..
>
>Index: iptables-1.4.1.1/iptables-save.c
The one who has to merge it - not.
Here is a reworked version that also adds the missing IPv6
and manpage bits, pullable from the usual place at
git://dev.medozas.de/iptables master
---8<---
iptables-save: module loading corrections
1. Ignore the absence of /proc/net/ip_tables_names, which happens
when x_tables.ko is not loaded. This is equivalent to having
x_tables.ko, but no table modules, loaded. As such, success should
be returned.
2. Load table when explicitly requested by the -t option. Users might
expect "*foo" etc. to be output when `iptables-save -t foo` is
executed. So do autoload x_tables.ko and the table in this case.
*. Do this for both iptables-save and ip6tables-save, and adjust
the manpages for the new -M (modprobe program location) option that
is introduced.
Based upon a patch by Soren Hansen.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
ip6tables-save.8 | 6 +++++-
ip6tables-save.c | 12 +++++++++---
iptables-save.8 | 6 +++++-
iptables-save.c | 12 +++++++++---
4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/ip6tables-save.8 b/ip6tables-save.8
index c8b3e96..47eb44a 100644
--- a/ip6tables-save.8
+++ b/ip6tables-save.8
@@ -21,7 +21,7 @@
.SH NAME
ip6tables-save \- Save IPv6 Tables
.SH SYNOPSIS
-.BR "ip6tables-save " "[-c] [-t table]"
+.BR "ip6tables-save " "[-M modprobe] [-c] [-t table]"
.br
.SH DESCRIPTION
.PP
@@ -29,6 +29,10 @@ ip6tables-save \- Save IPv6 Tables
is used to dump the contents of an IPv6 Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
.TP
+\fB\-M\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
\fB\-c\fR, \fB\-\-counters\fR
include the current values of all packet and byte counters in the output
.TP
diff --git a/ip6tables-save.c b/ip6tables-save.c
index 55010c4..97205c1 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -29,6 +29,7 @@ static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
{NULL},
};
@@ -42,9 +43,7 @@ static int for_each_table(int (*func)(const char *tablename))
procfile = fopen("/proc/net/ip6_tables_names", "r");
if (!procfile)
- xtables_error(OTHER_PROBLEM,
- "Unable to open /proc/net/ip6_tables_names: %s\n",
- strerror(errno));
+ return ret;
while (fgets(tablename, sizeof(tablename), procfile)) {
if (tablename[strlen(tablename) - 1] != '\n')
@@ -68,6 +67,10 @@ static int do_output(const char *tablename)
return for_each_table(&do_output);
h = ip6tc_init(tablename);
+ if (h == NULL) {
+ xtables_load_ko(xtables_modprobe_program, false);
+ h = ip6tc_init(tablename);
+ }
if (!h)
xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n",
ip6tc_strerror(errno));
@@ -162,6 +165,9 @@ int main(int argc, char *argv[])
/* Select specific table. */
tablename = optarg;
break;
+ case 'M':
+ xtables_modprobe_program = optarg;
+ break;
case 'd':
do_output(tablename);
exit(0);
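Review bot: No hunk of this patch touches the `getopt_long()` option string, while the earlier versions in this thread changed it from `"bcdt:"` to `"bcdt:M:"`. Unless the string already contains `M:` in the tree this applies to, `case 'M'` is reached only through `--modprobe`, and the `-M modprobe` form that the new manpage text documents would be rejected as an unknown option. The call should read `getopt_long(argc, argv, "bcdt:M:", options, NULL)`. The same applies to the matching hunk in iptables-save.c; `main` starts and ends outside the hunk.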
diff --git a/iptables-save.8 b/iptables-save.8
index f9c7d65..de5fd48 100644
--- a/iptables-save.8
+++ b/iptables-save.8
@@ -21,7 +21,7 @@
.SH NAME
iptables-save \- Save IP Tables
.SH SYNOPSIS
-.BR "iptables-save " "[-c] [-t table]"
+.BR "iptables-save " "[-M modprobe] [-c] [-t table]"
.br
.SH DESCRIPTION
.PP
@@ -29,6 +29,10 @@ iptables-save \- Save IP Tables
is used to dump the contents of an IP Table in easily parseable format
to STDOUT. Use I/O-redirection provided by your shell to write to a file.
.TP
+\fB\-M\fP \fImodprobe_program\fP
+Specify the path to the modprobe program. By default, iptables-save will
+inspect /proc/sys/kernel/modprobe to determine the executable's path.
+.TP
\fB\-c\fR, \fB\-\-counters\fR
include the current values of all packet and byte counters in the output
.TP
diff --git a/iptables-save.c b/iptables-save.c
index 55cfe6a..6000b49 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -28,6 +28,7 @@ static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
{NULL},
};
@@ -40,9 +41,7 @@ static int for_each_table(int (*func)(const char *tablename))
procfile = fopen("/proc/net/ip_tables_names", "r");
if (!procfile)
- xtables_error(OTHER_PROBLEM,
- "Unable to open /proc/net/ip_tables_names: %s\n",
- strerror(errno));
+ return ret;
while (fgets(tablename, sizeof(tablename), procfile)) {
if (tablename[strlen(tablename) - 1] != '\n')
@@ -66,6 +65,10 @@ static int do_output(const char *tablename)
return for_each_table(&do_output);
h = iptc_init(tablename);
+ if (h == NULL) {
+ xtables_load_ko(xtables_modprobe_program, false);
+ h = iptc_init(tablename);
+ }
if (!h)
xtables_error(OTHER_PROBLEM, "Cannot initialize: %s\n",
iptc_strerror(errno));
@@ -162,6 +165,9 @@ main(int argc, char *argv[])
/* Select specific table. */
tablename = optarg;
break;
+ case 'M':
+ xtables_modprobe_program = optarg;
+ break;
case 'd':
do_output(tablename);
exit(0);
--
# Created with git-export-patch
* Re: Automatically load modules in iptables-save
2009-03-19 15:43 ` Soren Hansen
2009-03-19 16:02 ` Jan Engelhardt
@ 2009-03-19 16:43 ` Soren Hansen
1 sibling, 0 replies; 14+ messages in thread
From: Soren Hansen @ 2009-03-19 16:43 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, netfilter-devel
On Thu, Mar 19, 2009 at 04:43:01PM +0100, Soren Hansen wrote:
> On Thu, Mar 19, 2009 at 03:31:25PM +0100, Jan Engelhardt wrote:
> >>How about the case where someone calls "iptables-save -t foo"? Should
> >>that just return an empty string and exit(0), should it attempt module
> >>load to see if that's even a valid table or something entirely
> >>different?
> >
> > It should load x_tables.ko and the table... I have a suspicion
> > some unknown users might expect to see "*foo" when using -t.
>
> Alright. This patch should make everyone happy, then..
Sorry, this is better:
Index: iptables-1.4.1.1/iptables-save.c
===================================================================
--- iptables-1.4.1.1.orig/iptables-save.c 2009-03-19 16:08:12.571341329 +0100
+++ iptables-1.4.1.1/iptables-save.c 2009-03-19 17:29:54.623322505 +0100
@@ -28,11 +28,12 @@
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
+ {.name = "modprobe", .has_arg = true, .val = 'M'},
{NULL},
};
/* Debugging prototype. */
-static int for_each_table(int (*func)(const char *tablename))
+static int for_each_table(int (*func)(const char *tablename, const char *modprobe), const char *modprobe)
{
int ret = 1;
FILE *procfile = NULL;
@@ -40,9 +41,7 @@
procfile = fopen("/proc/net/ip_tables_names", "r");
if (!procfile)
- exit_error(OTHER_PROBLEM,
- "Unable to open /proc/net/ip_tables_names: %s\n",
- strerror(errno));
+ exit(0);
while (fgets(tablename, sizeof(tablename), procfile)) {
if (tablename[strlen(tablename) - 1] != '\n')
@@ -50,22 +49,27 @@
"Badly formed tablename `%s'\n",
tablename);
tablename[strlen(tablename) - 1] = '\0';
- ret &= func(tablename);
+ ret &= func(tablename, modprobe);
}
return ret;
}
-static int do_output(const char *tablename)
+static int do_output(const char *tablename, const char *modprobe)
{
iptc_handle_t h;
const char *chain = NULL;
if (!tablename)
- return for_each_table(&do_output);
+ return for_each_table(&do_output, modprobe);
h = iptc_init(tablename);
+ if (!h) {
+ load_xtables_ko(modprobe, 0);
+ h = iptc_init(tablename);
+ }
+
if (!h)
exit_error(OTHER_PROBLEM, "Can't initialize: %s\n",
iptc_strerror(errno));
@@ -134,6 +138,7 @@
#endif
{
const char *tablename = NULL;
+ const char *modprobe = NULL;
int c;
program_name = "iptables-save";
@@ -152,8 +157,8 @@
init_extensions();
#endif
- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
- switch (c) {
+ while ((c = getopt_long(argc, argv, "bcdt:M:", options, NULL)) != -1) {
+ switch (c) {
case 'b':
show_binary = 1;
break;
@@ -166,8 +171,11 @@
/* Select specific table. */
tablename = optarg;
break;
+ case 'M':
+ modprobe = optarg;
+ break;
case 'd':
- do_output(tablename);
+ do_output(tablename, modprobe);
exit(0);
}
}
@@ -177,5 +185,5 @@
exit(1);
}
- return !do_output(tablename);
+ return !do_output(tablename, modprobe);
}
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Re: Automatically load modules in iptables-save
2009-03-19 16:02 ` Jan Engelhardt
@ 2009-03-19 17:00 ` Soren Hansen
2009-03-20 18:42 ` Patrick McHardy
1 sibling, 0 replies; 14+ messages in thread
From: Soren Hansen @ 2009-03-19 17:00 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, netfilter-devel
On Thu, Mar 19, 2009 at 05:02:57PM +0100, Jan Engelhardt wrote:
> >Index: iptables-1.4.1.1/iptables-save.c
>
> The one who has to merge it - not.
> Here is a reworked version that also adds the missing IPv6
> and manpage bits, pullable from the usual place at
>
> git://dev.medozas.de/iptables master
Excellent. Thanks for cleaning up my mess :)
--
Soren Hansen |
Lead Virtualisation Engineer | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/
* Re: Automatically load modules in iptables-save
2009-03-19 16:02 ` Jan Engelhardt
2009-03-19 17:00 ` Soren Hansen
@ 2009-03-20 18:42 ` Patrick McHardy
1 sibling, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-03-20 18:42 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Soren Hansen, netfilter-devel
Jan Engelhardt wrote:
> Here is a reworked version that also adds the missing IPv6
> and manpage bits, pullable from the usual place at
>
> git://dev.medozas.de/iptables master
>
> ---8<---
> iptables-save: module loading corrections
>
> 1. Ignore the absence of /proc/net/ip_tables_names, which happens
> when x_tables.ko is not loaded. This is equivalent to having
> x_tables.ko, but no tabe modules, loaded. As such, success should
> be returned.
>
> 2. Load table when explicitly requested by the -t option. Users might
> expect "*foo" etc. to be output when `iptables-save -t foo` is
> executed. So do autoload x_tables.ko and the table in this case.
>
> *. Do this for both iptables-save and ip6tables-save, and adjust
> the manpages for the new -M (modprobe program location) option that
> is introduced.
>
> Based upon a patch by Soren Hansen.
Looks good, thanks Jan. Pulled and pushed out.