netfilter-devel.vger.kernel.org archive mirror
* ip(6)tables-save: Allow chain selection
@ 2011-10-01 15:19 Richard Weinberger
From: Richard Weinberger @ 2011-10-01 15:19 UTC (permalink / raw)
  To: netfilter-devel

This patch set adds a switch to iptables-save to select
a specific chain to be saved.

Sometimes it's useful to save only one chain,
e.g. when some rules are added dynamically by daemons like
OpenVPN or strongSwan and the base rule set is generated by
a bash script.

Consider this trivial script:
---8<---
#!/bin/sh
set -e

# save only the DYN_OVPN chain to a private temporary file
# (a fixed /tmp path could be pre-created as a symlink by a local user)
dyn_rules=$(mktemp)
trap 'rm -f "$dyn_rules"' EXIT
iptables-save -t filter -C DYN_OVPN > "$dyn_rules"

# flush all rules and delete all user-defined chains of the old rule set
iptables -F
iptables -X

iptables -A INPUT -s 1.2.3.4 -j ACCEPT
# much more rules...
iptables -A INPUT ... -j ACCEPT

# OpenVPN can insert rules into this chain; they are not lost when the
# base rule set is modified and reloaded, because they were saved above.
iptables -N DYN_OVPN
iptables -A INPUT -i tun+ -j DYN_OVPN

# restore the DYN_OVPN chain without flushing (-n) the rules just loaded
iptables-restore -n < "$dyn_rules"
--->8---

[PATCH 1/2] iptables-save: Allow chain selection
[PATCH 2/2] ip6tables-save: Allow chain selection
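As an added example (not code from the patch set or from iptables), here is a sanity check a script like the one in the cover letter could run on the one-chain fragment before piping it into iptables-restore -n. It goes slightly beyond the cover letter by also catching a fragment that is not a complete restore unit or that does not declare the requested chain; the KNOWN_TARGETS list and the two sample fragments are assumptions constructed for the example.

```shell
# Added example: verify that a "iptables-save -t filter -C CHAIN" fragment
# is self-contained before "iptables-restore -n" consumes it. A rule in the
# saved chain that jumps to a chain outside the fragment makes the restore
# fail, and a mistyped -C name yields an empty phantom chain.

# Constructed sample fragments in the format the patched iptables-save emits.
FRAGMENT_OK='*filter
:DYN_OVPN - [0:0]
-A DYN_OVPN -s 10.8.0.0/24 -p tcp --dport 22 -j ACCEPT
-A DYN_OVPN -s 10.8.0.0/24 -j RETURN
COMMIT'

FRAGMENT_DANGLING='*filter
:DYN_OVPN - [0:0]
-A DYN_OVPN -s 10.8.0.0/24 -j LOGDROP
-A DYN_OVPN -j LOG --log-prefix "ovpn: "
COMMIT'

# Targets restore can resolve without the rest of the ruleset: builtin
# chains, verdicts and a few common target extensions (assumed list).
KNOWN_TARGETS='INPUT OUTPUT FORWARD PREROUTING POSTROUTING ACCEPT DROP RETURN REJECT LOG MASQUERADE SNAT DNAT MARK'

# check_fragment CHAIN < fragment
# Prints each dangling -j/-g target once on stdout; exit status 0 only when
# the fragment is self-contained (other problems are reported on stderr).
check_fragment() {
    awk -v want="$1" -v known="$KNOWN_TARGETS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /^\*/     { table = substr($1, 2); next }        # *filter
    /^:/      { declared[substr($1, 2)] = 1; next }  # :CHAIN policy [p:b]
    /^COMMIT/ { commit = 1; next }
    /^-A /    {                                      # -A CHAIN matches -j TARGET
        tgt = ""
        for (i = 2; i < NF; i++)
            if ($i == "-j" || $i == "-g") tgt = $(i + 1)
        if (tgt != "" && !(tgt in declared) && !(tgt in ok) && !(tgt in seen)) {
            seen[tgt] = 1; print tgt; bad++
        }
    }
    END {
        if (table == "" || !commit) { print "not a complete *table ... COMMIT unit" > "/dev/stderr"; bad++ }
        if (!(want in declared))    { print "chain " want " not declared" > "/dev/stderr"; bad++ }
        exit (bad > 0)
    }'
}
```

Usage from the script: `check_fragment DYN_OVPN < "$dyn_rules" || exit 1` right after the iptables-save call, so a broken fragment aborts before the base rule set is flushed.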


* [PATCH 1/2] iptables-save: Allow chain selection
From: Richard Weinberger @ 2011-10-01 15:19 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Richard Weinberger

This patch allows a user to select the chain he wants to save.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 iptables/iptables-save.8 |    4 ++
 iptables/iptables-save.c |   76 ++++++++++++++++++++++++++++-----------------
 2 files changed, 51 insertions(+), 29 deletions(-)

diff --git a/iptables/iptables-save.8 b/iptables/iptables-save.8
index c2e0a94..f7140d1 100644
--- a/iptables/iptables-save.8
+++ b/iptables/iptables-save.8
@@ -39,6 +39,10 @@ include the current values of all packet and byte counters in the output
 \fB\-t\fR, \fB\-\-table\fR \fItablename\fP
 restrict output to only one table. If not specified, output includes all
 available tables.
+.TP
+\fB\-C\fR, \fB\-\-chain\fR \fIchainname\fP
+restrict output to only one chain. If not specified, output includes all
+available chains.
 .SH BUGS
 None known as of iptables-1.2.1 release
 .SH AUTHOR
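Review bot: The new \-C entry does not say how it combines with \-t. Without \-t, do_output() runs once per table, so the chain name is looked up in every table, and nothing tells the reader that the selected chain is written alone: rules in it that jump to other user-defined chains are emitted without those chains. Suggest wording along the lines of "restrict output to only one chain of the selected table(s); rules that jump to chains outside the selection are written as-is, so restoring the output with iptables\-restore \-n requires those chains to already exist."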
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index e599fce..7aea08f 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -22,11 +22,13 @@
 #endif
 
 static int show_counters = 0;
+static char *selected_chain;
 
 static const struct option options[] = {
 	{.name = "counters", .has_arg = false, .val = 'c'},
 	{.name = "dump",     .has_arg = false, .val = 'd'},
 	{.name = "table",    .has_arg = true,  .val = 't'},
+	{.name = "chain",    .has_arg = true,  .val = 'C'},
 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
 	{NULL},
 };
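Review bot: `selected_chain` only ever aliases `optarg` and is never written through, so `static const char *selected_chain;` is the right declaration (the same applies to the ip6tables-save copy in 2/2).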
@@ -55,6 +57,30 @@ static int for_each_table(int (*func)(const char *tablename))
 	return ret;
 }
 
+static void print_chain(const char *chain, struct iptc_handle *h)
+{
+	printf(":%s ", chain);
+	if (iptc_builtin(chain, h)) {
+		struct xt_counters count;
+		printf("%s ",
+		       iptc_get_policy(chain, &count, h));
+		printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+	} else {
+		printf("- [0:0]\n");
+	}
+}
+
+static void print_chain_rules(const char *chain, struct iptc_handle *h)
+{
+	const struct ipt_entry *e;
+
+	/* Dump out rules */
+	e = iptc_first_rule(chain, h);
+	while(e) {
+		print_rule4(e, h, chain, show_counters);
+		e = iptc_next_rule(e, h);
+	}
+}
 
 static int do_output(const char *tablename)
 {
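Review bot: print_chain() cannot tell a user-defined chain from a name that is not a chain at all: iptc_builtin() returns 0 for both, and both come out as `:NAME - [0:0]`. That is harmless for the callers that iterate iptc_first_chain()/iptc_next_chain(), but it means the new caller that passes a user-supplied name must validate it first. While the loop body is being moved, `while(e)` could become `while (e)` to match the surrounding style.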
@@ -79,34 +105,22 @@ static int do_output(const char *tablename)
 	       IPTABLES_VERSION, ctime(&now));
 	printf("*%s\n", tablename);
 
-	/* Dump out chain names first,
-	 * thereby preventing dependency conflicts */
-	for (chain = iptc_first_chain(h);
-	     chain;
-	     chain = iptc_next_chain(h)) {
-
-		printf(":%s ", chain);
-		if (iptc_builtin(chain, h)) {
-			struct xt_counters count;
-			printf("%s ",
-			       iptc_get_policy(chain, &count, h));
-			printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
-		} else {
-			printf("- [0:0]\n");
-		}
-	}
-
-	for (chain = iptc_first_chain(h);
-	     chain;
-	     chain = iptc_next_chain(h)) {
-		const struct ipt_entry *e;
-
-		/* Dump out rules */
-		e = iptc_first_rule(chain, h);
-		while(e) {
-			print_rule4(e, h, chain, show_counters);
-			e = iptc_next_rule(e, h);
-		}
+	if (selected_chain) {
+		print_chain(selected_chain, h);
+		print_chain_rules(selected_chain, h);
+	} else {
+		/* Dump out chain names first,
+		 * thereby preventing dependency conflicts */
+		for (chain = iptc_first_chain(h);
+			chain;
+			chain = iptc_next_chain(h))
+			print_chain(chain, h);
+
+
+		for (chain = iptc_first_chain(h);
+			chain;
+			chain = iptc_next_chain(h))
+			print_chain_rules(chain, h);
 	}
 
 	now = time(NULL);
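Review bot: Missing existence check on the selected chain before `print_chain(selected_chain, h);`. A mistyped name, or a chain that lives only in another table (without \-t this function runs for every table), yields `:NAME - [0:0]` followed by no rules, and iptables-restore will quietly create that as an empty chain in every table the fragment was produced for. Suggest guarding the branch with `if (!iptc_is_chain(selected_chain, h))` and reporting an error on stderr instead of emitting the chain header. There is also a stray second blank line between the two for loops that the 2/2 version does not have.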
@@ -140,7 +154,7 @@ iptables_save_main(int argc, char *argv[])
 	init_extensions4();
 #endif
 
-	while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "bcdt:C:", options, NULL)) != -1) {
 		switch (c) {
 		case 'c':
 			show_counters = 1;
@@ -150,6 +164,10 @@ iptables_save_main(int argc, char *argv[])
 			/* Select specific table. */
 			tablename = optarg;
 			break;
+		case 'C':
+			/* Select specific chain. */
+			selected_chain = optarg;
+			break;
 		case 'M':
 			xtables_modprobe_program = optarg;
 			break;
-- 
1.7.6.4



* [PATCH 2/2] ip6tables-save: Allow chain selection
From: Richard Weinberger @ 2011-10-01 15:19 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Richard Weinberger

This patch allows a user to select the chain he wants to save.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 iptables/ip6tables-save.8 |    4 ++
 iptables/ip6tables-save.c |   75 +++++++++++++++++++++++++++-----------------
 2 files changed, 50 insertions(+), 29 deletions(-)

diff --git a/iptables/ip6tables-save.8 b/iptables/ip6tables-save.8
index 457be82..420b10d 100644
--- a/iptables/ip6tables-save.8
+++ b/iptables/ip6tables-save.8
@@ -39,6 +39,10 @@ include the current values of all packet and byte counters in the output
 \fB\-t\fR, \fB\-\-table\fR \fItablename\fP
 restrict output to only one table. If not specified, output includes all
 available tables.
+.TP
+\fB\-C\fR, \fB\-\-chain\fR \fIchainname\fP
+restrict output to only one chain. If not specified, output includes all
+available chains.
 .SH BUGS
 None known as of iptables-1.2.1 release
 .SH AUTHORS
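Review bot: Same documentation gap as the iptables-save.8 hunk in 1/2: state how \-C interacts with \-t and that jumps from the selected chain to other user-defined chains are written without the chains they point to.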
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index d819b30..1bc21c1 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -23,11 +23,13 @@
 #endif
 
 static int show_counters = 0;
+static char *selected_chain;
 
 static const struct option options[] = {
 	{.name = "counters", .has_arg = false, .val = 'c'},
 	{.name = "dump",     .has_arg = false, .val = 'd'},
 	{.name = "table",    .has_arg = true,  .val = 't'},
+	{.name = "chain",    .has_arg = true,  .val = 'C'},
 	{.name = "modprobe", .has_arg = true,  .val = 'M'},
 	{NULL},
 };
@@ -57,6 +59,30 @@ static int for_each_table(int (*func)(const char *tablename))
 	return ret;
 }
 
+static void print_chain(const char *chain, struct xtc_handle *h)
+{
+	printf(":%s ", chain);
+	if (ip6tc_builtin(chain, h)) {
+		struct xt_counters count;
+		printf("%s ",
+		       ip6tc_get_policy(chain, &count, h));
+		printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
+	} else {
+		printf("- [0:0]\n");
+	}
+}
+
+static void print_chain_rules(const char *chain, struct xtc_handle *h)
+{
+	const struct ip6t_entry *e;
+
+	/* Dump out rules */
+	e = ip6tc_first_rule(chain, h);
+	while(e) {
+		print_rule6(e, h, chain, show_counters);
+		e = ip6tc_next_rule(e, h);
+	}
+}
 
 static int do_output(const char *tablename)
 {
@@ -81,34 +107,21 @@ static int do_output(const char *tablename)
 	       IPTABLES_VERSION, ctime(&now));
 	printf("*%s\n", tablename);
 
-	/* Dump out chain names first,
-	 * thereby preventing dependency conflicts */
-	for (chain = ip6tc_first_chain(h);
-	     chain;
-	     chain = ip6tc_next_chain(h)) {
-
-		printf(":%s ", chain);
-		if (ip6tc_builtin(chain, h)) {
-			struct xt_counters count;
-			printf("%s ",
-			       ip6tc_get_policy(chain, &count, h));
-			printf("[%llu:%llu]\n", (unsigned long long)count.pcnt, (unsigned long long)count.bcnt);
-		} else {
-			printf("- [0:0]\n");
-		}
-	}
-
-	for (chain = ip6tc_first_chain(h);
-	     chain;
-	     chain = ip6tc_next_chain(h)) {
-		const struct ip6t_entry *e;
-
-		/* Dump out rules */
-		e = ip6tc_first_rule(chain, h);
-		while(e) {
-			print_rule6(e, h, chain, show_counters);
-			e = ip6tc_next_rule(e, h);
-		}
+	if (selected_chain) {
+		print_chain(selected_chain, h);
+		print_chain_rules(selected_chain, h);
+	} else {
+		/* Dump out chain names first,
+		 * thereby preventing dependency conflicts */
+		for (chain = ip6tc_first_chain(h);
+			chain;
+			chain = ip6tc_next_chain(h))
+			print_chain(chain, h);
+
+		for (chain = ip6tc_first_chain(h);
+			chain;
+			chain = ip6tc_next_chain(h))
+			print_chain_rules(chain, h);
 	}
 
 	now = time(NULL);
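Review bot: Same missing check as the do_output() hunk in 1/2: validate the name with `ip6tc_is_chain(selected_chain, h)` before calling print_chain()/print_chain_rules(), otherwise a wrong or table-specific name produces a phantom `:NAME - [0:0]` entry in every table dumped.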
@@ -141,7 +154,7 @@ int ip6tables_save_main(int argc, char *argv[])
 	init_extensions6();
 #endif
 
-	while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "bcdt:C:", options, NULL)) != -1) {
 		switch (c) {
 		case 'c':
 			show_counters = 1;
@@ -151,6 +164,10 @@ int ip6tables_save_main(int argc, char *argv[])
 			/* Select specific table. */
 			tablename = optarg;
 			break;
+		case 'C':
+			/* Select specific chain. */
+			selected_chain = optarg;
+			break;
 		case 'M':
 			xtables_modprobe_program = optarg;
 			break;
-- 
1.7.6.4



* Re: ip(6)tables-save: Allow chain selection
From: Jan Engelhardt @ 2011-10-01 19:13 UTC (permalink / raw)
  To: Richard Weinberger; +Cc: netfilter-devel

On Saturday 2011-10-01 17:19, Richard Weinberger wrote:

>This patch set adds a switch to iptables-save to select
>a specific chain to be saved.
>
>Sometimes it's useful to save only one chain.
>E.g. When some rules are added dynamically by daemons like
>OpenVPN or strongSwan and the base rule set is generated by
>a bash script.
>
>iptables-save -t filter -C DYN_OVPN > /tmp/dyn-rules

iptables -S can already select chains and even single rules. We are 
getting to the point where things are implemented redundantly.. hm.


* Re: ip(6)tables-save: Allow chain selection
From: Richard Weinberger @ 2011-10-01 19:21 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel


On 01.10.2011 21:13, Jan Engelhardt wrote:
> On Saturday 2011-10-01 17:19, Richard Weinberger wrote:
> 
>> This patch set adds a switch to iptables-save to select
>> a specific chain to be saved.
>>
>> Sometimes it's useful to save only one chain.
>> E.g. When some rules are added dynamically by daemons like
>> OpenVPN or strongSwan and the base rule set is generated by
>> a bash script.
>>
>> iptables-save -t filter -C DYN_OVPN > /tmp/dyn-rules
> 
> iptables -S can already select chains and even single rules. We are 
> getting to the point where things are implemented redundantly.. hm.

Hmm, good point.
Maybe it's time to drop iptables-save...

Thanks,
//richard



