From: "Maciej Żenczykowski" <zenczykowski@gmail.com>
To: "Maciej Żenczykowski" <maze@google.com>
Cc: netfilter-devel@vger.kernel.org, "Maciej Żenczykowski" <maze@google.com>
Subject: [PATCH 1/3] Add --ipv4/-4 and --ipv6/-6 support to ip6?tables{,-restore}.
Date: Tue, 19 Apr 2011 18:44:44 -0700
Message-ID: <1303263886-5665-1-git-send-email-zenczykowski@gmail.com>
In-Reply-To: <BANLkTimsGzmOnXR1otTvnKBYAS7m=91+uA@mail.gmail.com>
From: Maciej Żenczykowski <maze@google.com>
This enables one to have a single configuration file for both ipv4 and ipv6
firewall rules.
Example:
iptables-restore config
ip6tables-restore config
Where the file 'config' contains:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ssh - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -6 -p icmpv6 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ssh
-A ssh -j ACCEPT
COMMIT
Signed-off-by: Maciej Zenczykowski <maze@google.com>
---
ip6tables.c | 17 ++++++++++++++++-
iptables.c | 16 +++++++++++++++-
2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/ip6tables.c b/ip6tables.c
index f9909f1..967a5f8 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -124,6 +124,8 @@ static struct option original_opts[] = {
{.name = "modprobe", .has_arg = 1, .val = 'M'},
{.name = "set-counters", .has_arg = 1, .val = 'c'},
{.name = "goto", .has_arg = 1, .val = 'g'},
+ {.name = "ipv4", .has_arg = 0, .val = '4'},
+ {.name = "ipv6", .has_arg = 0, .val = '6'},
{NULL},
};
@@ -248,6 +250,8 @@ exit_printhelp(const struct xtables_rule_match *matches)
" Change chain name, (moving any references)\n"
"Options:\n"
+" --ipv4 -4 Error (line is ignored by ip6tables-restore)\n"
+" --ipv6 -6 Nothing (line is ignored by iptables-restore)\n"
"[!] --proto -p proto protocol: by number or name, eg. `tcp'\n"
"[!] --source -s address[/mask][,...]\n"
" source specification\n"
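Review bot: the two new help entries, `--ipv4 -4 Error (line is ignored by ip6tables-restore)` and `--ipv6 -6 Nothing (line is ignored by iptables-restore)`, are hard to read without the commit message, since "Error" and "Nothing" do not say what errors or what is a no-op. Consider spelling the behaviour out, e.g. `--ipv4 -4 not valid for ip6tables (error); ip6tables-restore skips the line` and `--ipv6 -6 no-op; marks a rule as IPv6-only in a shared restore file`. The same wording fix applies to the matching hunk in iptables.c.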
@@ -1439,7 +1443,7 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
opts = xt_params->orig_opts;
while ((cs.c = getopt_long(argc, argv,
- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:",
+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:bvnt:m:xc:g:46",
opts, NULL)) != -1) {
switch (cs.c) {
/*
@@ -1756,6 +1760,17 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
cs.fw6.counters.bcnt = cnt;
break;
+ case '4':
+ /* This is not the IPv4 iptables */
+ if (line != -1)
+ return 1; /* success: line ignored */
+ fprintf(stderr, "This is the IPv6 version of ip6tables.\n");
+ exit_tryhelp(2);
+
+ case '6':
+ /* This is indeed the IPv6 ip6tables */
+ break;
+
case 1: /* non option */
if (optarg[0] == '!' && optarg[1] == '\0') {
if (cs.invert)
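Review bot: in `case '4'` the `return 1; /* success: line ignored */` leaves do_command6 from the middle of the getopt_long loop, so any match or target already loaded by options earlier on the same line (e.g. `-m state` placed before `-4`) is never handed to whatever cleanup the function's normal exit path performs; either confirm that nothing allocated before this point needs releasing in the restore case, or jump to the existing cleanup path instead of returning directly. The fall-through from `exit_tryhelp(2);` into `case '6'` relies on exit_tryhelp never returning; a `/* not reached */` comment there would make that intent explicit.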
diff --git a/iptables.c b/iptables.c
index 0441dce..cc7525a 100644
--- a/iptables.c
+++ b/iptables.c
@@ -123,6 +123,8 @@ static struct option original_opts[] = {
{.name = "modprobe", .has_arg = 1, .val = 'M'},
{.name = "set-counters", .has_arg = 1, .val = 'c'},
{.name = "goto", .has_arg = 1, .val = 'g'},
+ {.name = "ipv4", .has_arg = 0, .val = '4'},
+ {.name = "ipv6", .has_arg = 0, .val = '6'},
{NULL},
};
@@ -261,6 +263,8 @@ exit_printhelp(const struct xtables_rule_match *matches)
" Change chain name, (moving any references)\n"
"Options:\n"
+" --ipv4 -4 Nothing (line is ignored by ip6tables-restore)\n"
+" --ipv6 -6 Error (line is ignored by iptables-restore)\n"
"[!] --proto -p proto protocol: by number or name, eg. `tcp'\n"
"[!] --source -s address[/mask][...]\n"
" source specification\n"
@@ -1467,7 +1471,7 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
opts = xt_params->orig_opts;
while ((cs.c = getopt_long(argc, argv,
- "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:",
+ "-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvnt:m:xc:g:46",
opts, NULL)) != -1) {
switch (cs.c) {
/*
@@ -1782,6 +1786,16 @@ int do_command4(int argc, char *argv[], char **table, struct iptc_handle **handl
cs.fw.counters.bcnt = cnt;
break;
+ case '4':
+ /* This is indeed the IPv4 iptables */
+ break;
+
+ case '6':
+ /* This is not the IPv6 ip6tables */
+ if (line != -1)
+ return 1; /* success: line ignored */
+ fprintf(stderr, "This is the IPv4 version of iptables.\n");
+ exit_tryhelp(2);
case 1: /* non option */
if (optarg[0] == '!' && optarg[1] == '\0') {
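Review bot: style, this `case '6'` ends with `exit_tryhelp(2);` immediately followed by `case 1:`, while the ip6tables.c counterpart separates the cases with a blank line; keep the two files consistent. The `case '4'`/`case '6'` blocks here are a mirror image of the ones in ip6tables.c, differing only in which family errors, so the check could be written once in shared xtables code keyed on the address family rather than duplicated in iptables.c and ip6tables.c.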
--
1.7.3.1