From: Jethro Beekman <kernel@jbeekman.nl>
To: netfilter-devel@vger.kernel.org
Subject: [RFC PATCH iptables] Hide FORWARD chain if forwarding is not enabled
Date: Sat, 28 Jun 2014 00:34:21 -0700	[thread overview]
Message-ID: <53AE6FFD.5080109@jbeekman.nl> (raw)

[-- Attachment #1: Type: text/plain, Size: 264 bytes --]

Most Linux distributions have IP forwarding disabled and it gets me every time.
The FORWARD chain is pretty much useless with forwarding disabled, so make
ip{,6}tables -L print a message notifying the user instead of actually listing
the contents.

Jethro Beekman

[-- Attachment #2: ip6tables.c.patch --]
[-- Type: text/x-patch, Size: 1925 bytes --]

--- a/iptables/ip6tables.c	2014-06-28 00:20:35.845014216 -0700
+++ b/iptables/ip6tables.c	2014-06-28 00:21:46.729015280 -0700
@@ -42,6 +42,7 @@
 #include <fcntl.h>
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <glob.h>
 #include "ip6tables-multi.h"
 #include "xshared.h"
 
@@ -888,6 +889,40 @@
 	return ip6tc_delete_chain(chain, handle);
 }
 
+static int is_forwarding_enabled(void)
+{
+	glob_t globbuf;
+	int opened_any=0,forwarding_enabled=0;
+
+	if (glob("/proc/sys/net/ipv6/conf/*/forwarding",GLOB_NOSORT,NULL,&globbuf)==0)
+	{
+		size_t n;
+		for (n=0;n<globbuf.gl_pathc;n++)
+		{
+			if (strncmp(globbuf.gl_pathv[n],"/proc/sys/net/ipv6/conf/",24)==0 && (strncmp(globbuf.gl_pathv[n]+24,"all/",4)==0 || strncmp(globbuf.gl_pathv[n]+24,"default/",8)==0))
+				continue;
+			FILE* fp=fopen(globbuf.gl_pathv[n],"r");
+			if (fp)
+			{
+				int c=fgetc(fp);
+				if (c!=EOF)
+				{
+					opened_any=1;
+					forwarding_enabled|=c-'0';
+				}
+				fclose(fp);
+			}
+		}
+		
+		globfree(&globbuf);
+	}
+	
+	if (opened_any==0)
+		forwarding_enabled=1;
+	
+	return forwarding_enabled;
+}
+
 static int
 list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	     int expanded, int linenumbers, struct xtc_handle *handle)
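Review bot: `forwarding_enabled |= c - '0'` treats any first byte other than '0' as "forwarding enabled" and can OR in a negative value should a file ever hold something other than a digit; `forwarding_enabled |= (c == '1');` states the intent directly. The hard-coded prefix length 24 in the strncmp on each gl_pathv entry only restates what the glob pattern already guarantees and silently breaks if the pattern is ever edited; deriving it as `sizeof("/proc/sys/net/ipv6/conf/") - 1` removes the magic number. The fail-open return of 1 when no per-interface file could be read is the right default for code that hides firewall rules from the listing, but it deserves a comment such as `/* nothing readable (no /proc?): assume enabled so the chain stays visible */`. The iptables.c copy of this function, in the hunk that ends at its `list_entries` signature, has the same three points.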
@@ -916,6 +951,7 @@
 	     this = ip6tc_next_chain(handle)) {
 		const struct ip6t_entry *i;
 		unsigned int num;
+		int hide_forward = 0;
 
 		if (chain && strcmp(chain, this) != 0)
 			continue;
@@ -923,7 +959,18 @@
 		if (found) printf("\n");
 
 		if (!rulenum)
-		    print_header(format, this, handle);
+		{
+			if (!is_forwarding_enabled() && 0==strcmp("FORWARD", this))
+				hide_forward = 1;
+			if (hide_forward)
+			{
+				printf("WARNING: Hiding chain FORWARD because no interfaces have IP forwarding enabled.\n");
+				found=1;
+				continue;
+			}
+			else
+				print_header(format, this, handle);
+		}
 		i = ip6tc_first_rule(this, handle);
 
 		num = 0;
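Review bot: Hiding the chain even when the caller named it explicitly (`chain` set to "FORWARD") suppresses rules that are still loaded and take effect the moment forwarding is switched on, so an audit of the ruleset via `-L FORWARD` would silently miss them. Restricting the hide to the unfiltered listing, `if (!chain && 0 == strcmp("FORWARD", this) && !is_forwarding_enabled())`, keeps an explicit request honest and also puts the cheap strcmp ahead of the per-chain glob of /proc. The warning is printed with printf to stdout, where anything parsing the listing cannot tell it from chain output; `fprintf(stderr, ...)` is the usual place for a diagnostic. The `else` after the `continue` is redundant, and all of this applies equally to the iptables.c hunk ending at its own `num = 0;` line. The enclosing list_entries loop starts and ends outside this hunk.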

[-- Attachment #3: iptables.c.patch --]
[-- Type: text/x-patch, Size: 1896 bytes --]

--- a/iptables/iptables.c	2013-03-03 13:40:11.000000000 -0800
+++ b/iptables/iptables.c	2014-06-27 17:20:47.109648316 -0700
@@ -39,6 +39,7 @@
 #include <iptables.h>
 #include <xtables.h>
 #include <fcntl.h>
+#include <glob.h>
 #include "xshared.h"
 
 #ifndef TRUE
@@ -871,6 +874,40 @@
 	return iptc_delete_chain(chain, handle);
 }
 
+static int is_forwarding_enabled(void)
+{
+	glob_t globbuf;
+	int opened_any=0,forwarding_enabled=0;
+
+	if (glob("/proc/sys/net/ipv4/conf/*/forwarding",GLOB_NOSORT,NULL,&globbuf)==0)
+	{
+		size_t n;
+		for (n=0;n<globbuf.gl_pathc;n++)
+		{
+			if (strncmp(globbuf.gl_pathv[n],"/proc/sys/net/ipv4/conf/",24)==0 && (strncmp(globbuf.gl_pathv[n]+24,"all/",4)==0 || strncmp(globbuf.gl_pathv[n]+24,"default/",8)==0))
+				continue;
+			FILE* fp=fopen(globbuf.gl_pathv[n],"r");
+			if (fp)
+			{
+				int c=fgetc(fp);
+				if (c!=EOF)
+				{
+					opened_any=1;
+					forwarding_enabled|=c-'0';
+				}
+				fclose(fp);
+			}
+		}
+		
+		globfree(&globbuf);
+	}
+	
+	if (opened_any==0)
+		forwarding_enabled=1;
+	
+	return forwarding_enabled;
+}
+
 static int
 list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
 	     int expanded, int linenumbers, struct xtc_handle *handle)
@@ -899,6 +936,7 @@
 	     this = iptc_next_chain(handle)) {
 		const struct ipt_entry *i;
 		unsigned int num;
+		int hide_forward = 0;
 
 		if (chain && strcmp(chain, this) != 0)
 			continue;
@@ -906,7 +944,18 @@
 		if (found) printf("\n");
 
 		if (!rulenum)
-			print_header(format, this, handle);
+		{
+			if (!is_forwarding_enabled() && 0==strcmp("FORWARD", this))
+				hide_forward = 1;
+			if (hide_forward)
+			{
+				printf("WARNING: Hiding chain FORWARD because no interfaces have IP forwarding enabled.\n");
+				found=1;
+				continue;
+			}
+			else
+				print_header(format, this, handle);
+		}
 		i = iptc_first_rule(this, handle);
 
 		num = 0;
