All of lore.kernel.org
 help / color / mirror / Atom feed
From: Rick Jones <rick.jones2@hp.com>
To: netfilter@vger.kernel.org
Subject: Shortcuts to counting rules?
Date: Wed, 29 Oct 2008 17:20:57 -0700	[thread overview]
Message-ID: <4908FDE9.7040006@hp.com> (raw)

I would like to teach netperf (www.netperf.org) to determine if a 
firewall is enabled and if so how many rules there are.  To that end 
after some searching/stumbling around I have gotten to the prototype 
code at the end of this message.

The downside is that it requires the person compiling netperf to have 
"iptables-dev" (or its equivalent) installed.  I have noticed that at 
the end of the day (so to speak) it comes down to a pair of getsockopt() 
calls against a socket for each tablename.

open("/proc/net/ip_tables_names", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 
0) = 0x20000000002c8000
read(3, "nat\nmangle\nfilter\n", 1024)  = 18
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 
"nat\0\0\0\0\0?\3p\212L\200\t\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(4, SOL_IP, 0x41 /* IP_??? */, 
"nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [1008]) = 0
close(4)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 
"mangle\0\0?\3p\212L\200\t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(4, SOL_IP, 0x41 /* IP_??? */, 
"mangle\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [1776]) = 0
close(4)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 
"filter\0\0?\3p\212L\200\t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(4, SOL_IP, 0x41 /* IP_??? */, 
"filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [7680]) = 0
close(4)                                = 0

[drift - is it worth teaching strace about those getsockopts?]

Are there any reasonable ways I might relax that requirement that 
iptables-dev be present?  Are some of the datastructures used in the 
getsockopt() calls "stable enough" to do that that netperf could make 
the getsockopt() calls directly without having to pull-in libiptc? 
Netperf does not particularly care about the rules themselves, just 
their number.

thanks,

rick jones

#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <time.h>
#include "libiptc/libiptc.h"
#include "iptables.h"

#define NETFW_UNKNONW -1
#define NETFW_IPTABLES 1

static int
count_rules(iptc_handle_t *messiah) {

         const char *chain;
         const struct ipt_entry *rule;
         int count = 0;

         chain = iptc_first_chain(messiah);
         while (chain) {
                 rule = iptc_first_rule(chain,messiah);
                 while (rule) {
                         count++;
                         rule = iptc_next_rule(rule,messiah);
                 }
                 chain = iptc_next_chain(messiah);
         }
         return count;
}

void
get_firewall_info(int *firewalltype, int *rulecount) {

         FILE *namesfile = NULL;
         char tablename[IPT_TABLE_MAXNAMELEN + 1];
         iptc_handle_t messiah;  /* handles, always handles */

         int mycount = 0;
         *firewalltype = NETFW_IPTABLES;
         *rulecount = -1;


         namesfile = fopen("/proc/net/ip_tables_names","r");
         if (!namesfile)
                 return;

         while (fgets(tablename,
                      sizeof(tablename),
                      namesfile)) {
                 /* no end of line is bad */
                 if (tablename[strlen(tablename) - 1] != '\n') {
                         /* we want to signal the problem somehow */
                         /* so set the rulecount to -1 always here */
                         *rulecount = -1;
                         return;
                 }
                 /* but we dont want to have one in our calls */
                 tablename[strlen(tablename) - 1] = '\0';
                 messiah = iptc_init(tablename);
                 mycount += count_rules(&messiah);
                 iptc_free(&messiah);
         }
         *rulecount = mycount;
}

int
main(int argc, char *argv[]) {

         int firewalltype,rulecount;


         get_firewall_info(&firewalltype,&rulecount);
         printf("firewalltype is %d, rulecount 
%d\n",firewalltype,rulecount);

         return 0;
}

             reply	other threads:[~2008-10-30  0:20 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-10-30  0:20 Rick Jones [this message]
2008-10-30  1:13 ` Shortcuts to counting rules? Philip Craig
2008-10-30 16:40   ` Rick Jones
2008-10-30 18:46     ` Rick Jones
2008-10-31  1:26       ` Rick Jones
2008-10-31  1:39         ` Philip Craig
2008-10-31  1:29     ` Philip Craig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4908FDE9.7040006@hp.com \
    --to=rick.jones2@hp.com \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.