* RE: iptables.c changes submitted argv value
From: Henrik Nordstrom @ 2004-08-12 11:11 UTC
To: Sascha; +Cc: netfilter-devel
On Thu, 12 Aug 2004, Sascha wrote:

>> The recommended method for doing this is using iptables-restore via a
>> pipe from your daemon.
>
> That's not the point. I'm developing on an embedded device and I have no
> space for iptables-store.c, iptables-restore.c and iptables.c.

All you need is iptables-restore. It has all functions of iptables plus
more and is very well suited for batch or daemon operations. What
iptables-restore is is an efficient batch interface using the same syntax
as iptables (well, it is even the same code so..)

libiptc is considered private to iptables/iptables-save/iptables-restore
and is not meant to be used outside these applications.

Regards
Henrik
* Re: iptables.c changes submitted argv value
From: Philip Craig @ 2004-08-13 0:05 UTC
To: Sascha; +Cc: Henrik Nordstrom, netfilter-devel
Henrik Nordstrom wrote:
> On Thu, 12 Aug 2004, Sascha wrote:
>> That's not the point. I'm developing on an embedded device and I have no
>> space for iptables-store.c, iptables-restore.c and iptables.c.
>
> All you need is iptables-restore. It has all functions of iptables plus
> more and is very well suited for batch or daemon operations. What
> iptables-restore is is an efficient batch interface using the same syntax
> as iptables (well, it is even the same code so..)

You probably want to have iptables still for debugging/diagnostics.
If so, get the latest version of iptables from CVS and enable DO_MULTI.
This combines all three programs into the one binary.
--
Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com
* Re: iptables.c changes submitted argv value
From: Ben Efros @ 2004-08-13 2:01 UTC
To: Philip Craig; +Cc: Sascha, netfilter-devel
>
> You probably want to have iptables still for debugging/diagnostics.
> If so, get the latest version of iptables from CVS and enable DO_MULTI.
> This combines all three programs into the one binary.
>
Additionally if you need to save space, you can use the strip utility:

iptables (orig) 64486 bytes
#strip -s iptables
iptables (stripped) 56612 bytes

Yea! 87.8% of the original size!
(I used gcc 3.4.1 2004-6-11 on iptables-1.2.11 2004-8-12 snapshot)

There are a number of other ways to easily cut the size down much
smaller and keep the same functionality.
* iptables.c changes submitted argv value
From: Sascha @ 2004-08-11 12:09 UTC
To: netfilter-devel
Hi,

can anyone tell me why it's necessary to set optarg[0] in case of '!' to
'\0'?

iptables.c line 2010
---
        case 1: /* non option */
            if (optarg[0] == '!' && optarg[1] == '\0') {
                if (invert)
                    exit_error(PARAMETER_PROBLEM,
                               "multiple consecutive ! not"
                               " allowed");
                invert = TRUE;
----->          optarg[0] = '\0';
                continue;
            }
            printf("Bad argument `%s'\n", optarg);
            exit_tryhelp(2);
---

I'm not searching for a solution to this, only an explanation.

The problem is I wanna build a daemon with iptables, which loads a static
ruleset on init. In case of:
---
deamon -A INPUT -m mark ! --mark 0 -j IDS
deamon -A OUTPUT -m mark ! --mark 0 -j IDS
---
... my init crashes with "Bad Argument ''", because do_command in iptables
changes my values ('!' to '\0') for the ! in the second line
(output-rule) ...

Thanks & Regards
Sascha
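
The failure described in the message above, as an added example that is not code from the thread or from iptables: a stand-in parser repeats the in-place write from the quoted snippet, so a second rule that reuses the same "!" storage sees an empty argument, while parsing a private copy of argv leaves the stored ruleset intact. The names `parse_rule` and `parse_rule_copy`, the sample rule arrays, and the assumption that both rules share one writable "!" buffer are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the quoted branch: 0 = parsed, -1 = error; blanks "!" in place. */
static int parse_rule(int argc, char **argv)
{
    int invert = 0;
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '!' && argv[i][1] == '\0') {
            if (invert) return -1;   /* multiple consecutive ! */
            invert = 1;
            argv[i][0] = '\0';       /* the caller's string is modified */
            continue;
        }
        if (argv[i][0] == '\0') return -1;   /* Bad argument `' */
        invert = 0;
    }
    return 0;
}

/* Caller-side guard: parse a private deep copy so stored rules stay intact. */
static int parse_rule_copy(int argc, char *const *argv)
{
    char **copy = calloc((size_t)argc, sizeof *copy);
    int rc = -1, i;
    if (!copy) return -1;
    for (i = 0; i < argc; i++) {
        size_t n = strlen(argv[i]) + 1;
        if (!(copy[i] = malloc(n))) break;
        memcpy(copy[i], argv[i], n);
    }
    if (i == argc) rc = parse_rule(argc, copy);
    for (i = 0; i < argc; i++) free(copy[i]);   /* unset slots are NULL */
    free(copy);
    return rc;
}

/* Constructed ruleset: both rules reuse one writable "!" buffer (assumed). */
static char bang[] = "!";
static char *rule_in[]  = { "deamon", "-A", "INPUT",  "-m", "mark", bang, "--mark", "0", "-j", "IDS" };
static char *rule_out[] = { "deamon", "-A", "OUTPUT", "-m", "mark", bang, "--mark", "0", "-j", "IDS" };

int main(void)
{
    int c1 = parse_rule_copy(10, rule_in), c2 = parse_rule_copy(10, rule_out);
    int p1 = parse_rule(10, rule_in), p2 = parse_rule(10, rule_out);
    printf("copied: %d %d, in place: %d %d\n", c1, c2, p1, p2);
    return 0;
}
```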