Linux Netfilter discussions
From: Rick Jones <rick.jones2@hp.com>
To: netfilter@vger.kernel.org
Subject: Shortcuts to counting rules?
Date: Wed, 29 Oct 2008 17:20:57 -0700
Message-ID: <4908FDE9.7040006@hp.com>

I would like to teach netperf (www.netperf.org) to determine if a 
firewall is enabled and if so how many rules there are.  To that end 
after some searching/stumbling around I have gotten to the prototype 
code at the end of this message.

The downside is that it requires the person compiling netperf to have 
"iptables-dev" (or its equivalent) installed.  I have noticed that at 
the end of the day (so to speak) it comes down to a pair of getsockopt() 
calls against a socket for each tablename.

open("/proc/net/ip_tables_names", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002c8000
read(3, "nat\nmangle\nfilter\n", 1024)  = 18
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 
"nat\0\0\0\0\0?\3p\212L\200\t\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(4, SOL_IP, 0x41 /* IP_??? */, 
"nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [1008]) = 0
close(4)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 
"mangle\0\0?\3p\212L\200\t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(4, SOL_IP, 0x41 /* IP_??? */, 
"mangle\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [1776]) = 0
close(4)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 4
getsockopt(4, SOL_IP, 0x40 /* IP_??? */, 
"filter\0\0?\3p\212L\200\t\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(4, SOL_IP, 0x41 /* IP_??? */, 
"filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [7680]) = 0
close(4)                                = 0

[drift - is it worth teaching strace about those getsockopts?]

Are there any reasonable ways I might relax that requirement that 
iptables-dev be present?  Are some of the data structures used in the 
getsockopt() calls "stable enough" that netperf could make the 
getsockopt() calls directly without having to pull in libiptc? 
Netperf does not particularly care about the rules themselves, just 
their number.

thanks,

rick jones

#include <errno.h>
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <time.h>
#include "libiptc/libiptc.h"
#include "iptables.h"

#define NETFW_UNKNOWN -1
#define NETFW_IPTABLES 1

/* walk every chain of one table and count its rules; the libiptc of
   this era takes a pointer to the handle in every call */
static int
count_rules(iptc_handle_t *messiah) {

        const char *chain;
        const struct ipt_entry *rule;
        int count = 0;

        chain = iptc_first_chain(messiah);
        while (chain) {
                rule = iptc_first_rule(chain,messiah);
                while (rule) {
                        count++;
                        rule = iptc_next_rule(rule,messiah);
                }
                chain = iptc_next_chain(messiah);
        }
        return count;
}

void
get_firewall_info(int *firewalltype, int *rulecount) {

        FILE *namesfile = NULL;
        char tablename[IPT_TABLE_MAXNAMELEN + 1];
        iptc_handle_t messiah;  /* handles, always handles */

        int mycount = 0;
        *firewalltype = NETFW_UNKNOWN;
        *rulecount = -1;

        /* one table name per line; no file means no ip_tables loaded */
        namesfile = fopen("/proc/net/ip_tables_names","r");
        if (!namesfile)
                return;
        *firewalltype = NETFW_IPTABLES;

        while (fgets(tablename,
                     sizeof(tablename),
                     namesfile)) {
                /* no end of line is bad */
                if (tablename[strlen(tablename) - 1] != '\n') {
                        /* we want to signal the problem somehow */
                        /* so set the rulecount to -1 always here */
                        *rulecount = -1;
                        fclose(namesfile);
                        return;
                }
                /* but we dont want to have one in our calls */
                tablename[strlen(tablename) - 1] = '\0';
                /* iptc_init() returns NULL with errno set (EPERM without
                   CAP_NET_ADMIN, ENOENT if the table went away); the
                   count stays -1 in that case */
                messiah = iptc_init(tablename);
                if (!messiah) {
                        fclose(namesfile);
                        return;
                }
                mycount += count_rules(&messiah);
                iptc_free(&messiah);
        }
        fclose(namesfile);
        *rulecount = mycount;
}

int
main(int argc, char *argv[]) {

        int firewalltype,rulecount;

        get_firewall_info(&firewalltype,&rulecount);
        printf("firewalltype is %d, rulecount %d\n",firewalltype,rulecount);

        return 0;
}

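The question above, whether the getsockopt() data structures are stable enough to call directly, worked through as an added example that is not part of the original post, of netperf or of libiptc: the two options strace shows are IPT_SO_GET_INFO (0x40) and IPT_SO_GET_ENTRIES (0x41), and struct ipt_getinfo / struct ipt_get_entries are part of the kernel's user-space ABI in linux/netfilter_ipv4/ip_tables.h. The caveat a direct caller hits first is that info.num_entries is not the count libiptc reports: the kernel's table also holds each built-in chain's policy entry, an ERROR entry heading every user-defined chain, a RETURN closing it, and an ERROR entry ending the table, so the walker below excludes those the way libiptc does. The function names, the constructed sample table and the chain name "web" are mine. The IPv6 tables (/proc/net/ip6_tables_names, IP6T_SO_GET_INFO on an AF_INET6 raw socket) need a second pass of the same shape, and an nftables-backed firewall, iptables-nft included, is not visible through this interface at all.

```c
/* Added example (not netperf or libiptc code). Assumes the Linux uAPI headers; the
 * live path also needs root: CAP_NET_RAW for the socket, CAP_NET_ADMIN for xtables. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netfilter_ipv4/ip_tables.h>  /* ipt_getinfo, ipt_get_entries, linux/in.h */

/* Pure: GET_INFO struct and raw GET_ENTRIES blob in, libiptc's rule count out, -1 if
 * the blob is inconsistent. info->num_entries alone over-counts: it includes each ERROR
 * entry (user chain heads, table end), each built-in policy (info->underflow[]) and
 * the RETURN that closes every user chain (the entry just before an ERROR entry). */
int count_table_rules(const struct ipt_getinfo *info,
                      const unsigned char *blob, unsigned int size)
{
    unsigned int off = 0, n = 0;
    int rules = 0, prev_counted = 0, h;
    while (off < size) {
        const struct ipt_entry *e = (const struct ipt_entry *)(blob + off);
        const struct xt_entry_target *t;
        int is_error, is_policy = 0;
        if (size - off < sizeof(*e) || e->next_offset < sizeof(*e) ||
            e->next_offset > size - off || e->target_offset < sizeof(*e) ||
            e->target_offset + sizeof(*t) > e->next_offset)
            return -1;                        /* truncated or corrupt entry */
        t = (const struct xt_entry_target *)((const char *)e + e->target_offset);
        is_error = !strncmp(t->u.user.name, XT_ERROR_TARGET, sizeof(t->u.user.name));
        for (h = 0; h < NF_INET_NUMHOOKS; h++)   /* a built-in chain's policy? */
            is_policy |= ((info->valid_hooks >> h) & 1) && info->underflow[h] == off;
        if (is_error && prev_counted)
            rules--;                          /* previous entry was a chain's RETURN */
        prev_counted = !is_error && !is_policy;
        rules += prev_counted;
        off += e->next_offset;
        n++;
    }
    return (off == size && n == info->num_entries) ? rules : -1;
}

/* Live: the two getsockopt() calls strace showed, for one table. Returns the rule
 * count, or -1 with errno set (EPERM unprivileged, ENOENT for an unknown table). */
int count_live_table(const char *table)
{
    struct ipt_getinfo info = { 0 };
    struct ipt_get_entries *ge = NULL;
    socklen_t len = sizeof(info);
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW), rc = -1;
    if (fd < 0)
        return -1;
    strncpy(info.name, table, sizeof(info.name) - 1);
    if (getsockopt(fd, IPPROTO_IP, IPT_SO_GET_INFO, &info, &len) == 0 &&
        (ge = calloc(1, sizeof(*ge) + info.size)) != NULL) {
        strncpy(ge->name, table, sizeof(ge->name) - 1);
        ge->size = info.size;                 /* the kernel rejects any other size */
        len = sizeof(*ge) + info.size;
        if (getsockopt(fd, IPPROTO_IP, IPT_SO_GET_ENTRIES, ge, &len) == 0)
            rc = count_table_rules(&info, (unsigned char *)ge->entrytable, info.size);
    }
    free(ge);
    close(fd);
    return rc;
}

/* Constructed sample (not a capture) laid out like a real "filter" table: INPUT = 1
 * rule + DROP policy, OUTPUT = ACCEPT policy only, user chain "web" = 1 rule + RETURN,
 * then the table-end ERROR. libiptc reports 2 rules for this layout. */
unsigned int build_sample_table(struct ipt_getinfo *info, unsigned char *buf)
{
    static const struct { int error, verdict, policy_of; } spec[] = {
        {0, -NF_ACCEPT - 1, -1},                 /* INPUT rule: ACCEPT */
        {0, -NF_DROP - 1, NF_INET_LOCAL_IN},     /* INPUT policy: DROP */
        {0, -NF_ACCEPT - 1, NF_INET_LOCAL_OUT},  /* OUTPUT policy: ACCEPT, no rules */
        {1, 0, -1},                              /* ERROR: head of chain "web" */
        {0, -NF_ACCEPT - 1, -1},                 /* web rule: ACCEPT */
        {0, XT_RETURN, -1},                      /* web's closing RETURN */
        {1, 0, -1},                              /* ERROR: end of table */
    };
    unsigned int len = 0, i;
    memset(info, 0, sizeof(*info));
    strcpy(info->name, "filter");
    info->valid_hooks = (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_LOCAL_OUT);
    for (i = 0; i < sizeof(spec) / sizeof(spec[0]); i++) {
        struct ipt_entry *e = (struct ipt_entry *)(buf + len);
        struct xt_entry_target *t = (struct xt_entry_target *)(e + 1);
        unsigned int tsize = XT_ALIGN(spec[i].error ? sizeof(struct xt_error_target)
                                                    : sizeof(struct xt_standard_target));
        memset(e, 0, sizeof(*e) + tsize);
        e->target_offset = sizeof(*e);
        e->next_offset = sizeof(*e) + tsize;
        t->u.user.target_size = tsize;        /* an empty name means standard target */
        if (spec[i].error)
            strcpy(t->u.user.name, XT_ERROR_TARGET);
        else
            ((struct xt_standard_target *)t)->verdict = spec[i].verdict;
        if (spec[i].policy_of >= 0)
            info->underflow[spec[i].policy_of] = len;   /* hook_entry[] unused here */
        len += e->next_offset;
        info->num_entries++;
    }
    info->size = len;
    return len;
}
```

Built with plain gcc against the installed kernel headers, count_live_table("filter") run as root returns the number of -A lines that iptables -S would print for that table, and build_sample_table() feeds the same walker offline so the policy/ERROR/RETURN handling can be checked without privileges.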
Thread overview: 7+ messages
2008-10-30  0:20 Rick Jones [this message]
2008-10-30  1:13 ` Shortcuts to counting rules? Philip Craig
2008-10-30 16:40   ` Rick Jones
2008-10-30 18:46     ` Rick Jones
2008-10-31  1:26       ` Rick Jones
2008-10-31  1:39         ` Philip Craig
2008-10-31  1:29     ` Philip Craig
