From 97fd91a58e7978338451471cfc2cd5ead3b22f26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A1s=20Kis-Szab=C3=B3?=
Date: Sun, 3 Mar 2002 09:44:31 +0000
Subject: add ip6tables-save/restore manpages; sync with ipv4 (kisza)
---
 ip6tables-restore.8 | 51 +++++++++++++
 ip6tables-restore.c | 202 +++++++++++++++++++++++++++-------------------------
 ip6tables-save.8 | 50 +++++++++++++
 ip6tables-save.c | 59 ++++++++-------
 4 files changed, 234 insertions(+), 128 deletions(-)
 create mode 100644 ip6tables-restore.8
 create mode 100644 ip6tables-save.8
diff --git a/ip6tables-restore.8 b/ip6tables-restore.8
new file mode 100644
index 00000000..376c12ea
--- /dev/null
+++ b/ip6tables-restore.8
@@ -0,0 +1,51 @@
+.TH IP6TABLES-RESTORE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte
+.\" It is based on the ipptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-restore \- Restore IPv6 Tables
+.SH SYNOPSIS
+.BR "ip6tables-restore " "[-c] [-n]"
+.br
+.SH DESCRIPTION
+.PP
+.B ip6tables-restore
+is used to restore IPv6 Tables from data specified on STDIN. Use
+I/O redirection provided by your shell to read from a file
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+restore the values of all packet and byte counters
+.TP
+\fB\-n\fR, \fB\-\-noflush\fR
+.TP
+don't flush the previous contents of the table. If not specified,
+.B ip6tables-restore
+flushes (deletes) all previous contents of the respective IPv6 Table.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte
+.br
+Andras Kis-Szabo
+.SH SEE ALSO
+.BR ip6tables-save "(8), " ip6tables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 1b54b237..d75507d6 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -6,6 +6,7 @@
 * Harald Welte
 * Rusty Russell
 *
+ * $Id: ip6tables-restore.c,v 1.20 2002/01/17 20:43:10 laforge Exp $
 */
 #include
@@ -22,9 +23,11 @@
 #define DEBUGP(x, args...)
 #endif
+/*
 extern int for_each_chain(int (*fn)(const ip6t_chainlabel, int, ip6tc_handle_t *), int verbose, int builtinstoo, ip6tc_handle_t *handle);
 extern int flush_entries(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle);
 extern int delete_chain(const ip6t_chainlabel chain, int verbose, ip6tc_handle_t *handle);
+*/
 static int binary = 0, counters = 0, verbose = 0, noflush = 0;
@@ -32,7 +35,7 @@ static int binary = 0, counters = 0, verbose = 0, noflush = 0;
 static struct option options[] = {
 { "binary", 0, 0, 'b' },
 { "counters", 0, 0, 'c' },
-/* { "verbose", 1, 0, 'v' }, */
+ { "verbose", 1, 0, 'v' },
 { "help", 0, 0, 'h' },
 { "noflush", 0, 0, 'n'},
 { "modprobe", 1, 0, 'M'},
@@ -61,9 +64,9 @@ ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
 handle = ip6tc_init(tablename);
 if (!handle) {
- /* try to insmod the module if iptc_init failed */
- ip6tables_insmod("ip6_tables", modprobe);
- handle = ip6tc_init(tablename);
+ /* try to insmod the module if iptc_init failed */
+ ip6tables_insmod("ip6_tables", modprobe);
+ handle = ip6tc_init(tablename);
 }
 if (!handle) {
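Review bot: The option entry enabled in the -32 hunk, `{ "verbose", 1, 0, 'v' },`, declares `--verbose` with has_arg set to 1 (required_argument), but the `case 'v':` handler added further down in this file only does `verbose = 1;` and never reads optarg, so `--verbose` would swallow the next command-line word as its argument. It should read `{ "verbose", 0, 0, 'v' },` like the other flag entries in the table. The short-option string handed to getopt_long is not visible in this diff; it should be checked at the same time so that `v` is listed without a colon. The new ip6tables-restore.8 added in this commit does not mention -v/--verbose at all, so either the option is documented there or it stays out of the table until it is.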
@@ -84,21 +87,22 @@ static char *newargv[255];
 static int newargc;
 /* function adding one argument to newargv, updating newargc
- * * returns true if argument added, false otherwise */
+ * returns true if argument added, false otherwise */
 static int add_argv(char *what) {
- if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
- newargv[newargc] = strdup(what);
- newargc++;
- return 1;
- } else
- return 0;
+ DEBUGP("add_argv: %s\n", what);
+ if (what && ((newargc + 1) < sizeof(newargv)/sizeof(char *))) {
+ newargv[newargc] = strdup(what);
+ newargc++;
+ return 1;
+ } else
+ return 0;
 }
 static void free_argv(void) {
- int i;
+ int i;
- for (i = 0; i < newargc; i++)
- free(newargv[i]);
+ for (i = 0; i < newargc; i++)
+ free(newargv[i]);
 }
 int main(int argc, char *argv[])
@@ -126,6 +130,9 @@ int main(int argc, char *argv[])
 case 'c':
 counters = 1;
 break;
+ case 'v':
+ verbose = 1;
+ break;
 case 'h':
 print_usage("ip6tables-restore", NETFILTER_VERSION);
@@ -152,7 +159,7 @@ int main(int argc, char *argv[])
 exit(1);
 } else in = stdin;
-
+ /* Grab standard input. */
 while (fgets(buffer, sizeof(buffer), in)) {
 int ret;
@@ -208,12 +215,12 @@ int main(int argc, char *argv[])
 }
 if (!ip6tc_builtin(chain, handle)) {
- DEBUGP("Creating new chain '%s'\n", curchain);
+ DEBUGP("Creating new chain '%s'\n", chain);
 if (!ip6tc_create_chain(chain, &handle))
- exit_error(PARAMETER_PROBLEM,
- "error creating chain "
- "'%s':%s\n", chain,
- strerror(errno));
+ exit_error(PARAMETER_PROBLEM,
+ "error creating chain "
+ "'%s':%s\n", chain,
+ strerror(errno));
 }
 policy = strtok(NULL, " \t\n");
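Review bot: In add_argv (the -84 hunk) the new `DEBUGP("add_argv: %s\n", what);` runs before the `if (what && ...)` guard, so a debug build passes a NULL `what` to a `%s` conversion, which is undefined behaviour; `DEBUGP("add_argv: %s\n", what ? what : "(null)");`, or moving the trace inside the guard, avoids it. The re-indented `newargv[newargc] = strdup(what);` still stores its result unchecked, so on allocation failure a NULL element ends up in the argv later handed to do_command6; returning 0 when strdup fails would keep the "returns true if argument added" contract the comment promises. add_argv and free_argv are complete within the hunk; main starts and ends outside it.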
@@ -258,17 +265,17 @@ int main(int argc, char *argv[])
 char *ptr = buffer;
 char *pcnt = NULL;
 char *bcnt = NULL;
- char *parsestart;
+ char *parsestart;
- /* the parser */
- char *param_start, *curchar;
- int quote_open;
+ /* the parser */
+ char *param_start, *curchar;
+ int quote_open;
- /* reset the newargv */
- newargc = 0;
+ /* reset the newargv */
+ newargc = 0;
 if (buffer[0] == '[') {
- /* we have counters in our input */
+ /* we have counters in our input */
 ptr = strchr(buffer, ']');
 if (!ptr)
 exit_error(PARAMETER_PROBLEM,
@@ -276,73 +283,72 @@ int main(int argc, char *argv[])
 line);
 pcnt = strtok(buffer+1, ":");
- if (!pcnt)
- exit_error(PARAMETER_PROBLEM,
- "Bad line %u: need :\n",
- line);
+ if (!pcnt)
+ exit_error(PARAMETER_PROBLEM,
+ "Bad line %u: need :\n",
+ line);
 bcnt = strtok(NULL, "]");
- if (!bcnt)
- exit_error(PARAMETER_PROBLEM,
- "Bad line %u: need ]\n",
- line);
-
- /* start command parsing after counter */
- parsestart = ptr + 1;
- } else {
- /* start command parsing at start of line */
- parsestart = buffer;
- }
-
- add_argv(argv[0]);
- add_argv("-t");
- add_argv((char *) &curtable);
+ if (!bcnt)
+ exit_error(PARAMETER_PROBLEM,
+ "Bad line %u: need ]\n",
+ line);
-/* IP6TABLES doesn't support this
+ /* start command parsing after counter */
+ parsestart = ptr + 1;
+ } else {
+ /* start command parsing at start of line */
+ parsestart = buffer;
+ }
+
+ add_argv(argv[0]);
+ add_argv("-t");
+ add_argv((char *) &curtable);
+
 if (counters && pcnt && bcnt) {
- newargv[5] = "--set-counters";
- newargv[6] = (char *) pcnt;
- newargv[7] = (char *) bcnt;
+ add_argv("--set-counters");
+ add_argv((char *) pcnt);
+ add_argv((char *) bcnt);
 }
-*/
-
- /* After fighting with strtok enough, here's now
- * a 'real' parser. According to Rusty I'm now no
- * longer a real hacker, but I can live with that */
-
- quote_open = 0;
- param_start = parsestart;
-
- for (curchar = parsestart; *curchar; curchar++) {
- if (*curchar == '"') {
- if (quote_open) {
- quote_open = 0;
- *curchar = ' ';
- } else {
- quote_open = 1;
- param_start++;
- }
- }
- if (*curchar == ' '
- || *curchar == '\t'
- || * curchar == '\n') {
- char param_buffer[1024];
- int param_len = curchar-param_start;
-
- if (quote_open)
- continue;
-
- if (!param_len) {
- /* two spaces? */
- param_start++;
- continue;
- }
-
- /* end of one parameter */
- strncpy(param_buffer, param_start,
- param_len);
- *(param_buffer+param_len) = '\0';
+ /* After fighting with strtok enough, here's now
+ * a 'real' parser. According to Rusty I'm now no
+ * longer a real hacker, but I can live with that */
+
+ quote_open = 0;
+ param_start = parsestart;
+
+ for (curchar = parsestart; *curchar; curchar++) {
+ if (*curchar == '"') {
+ if (quote_open) {
+ quote_open = 0;
+ *curchar = ' ';
+ } else {
+ quote_open = 1;
+ param_start++;
+ }
+ }
+ if (*curchar == ' '
+ || *curchar == '\t'
+ || * curchar == '\n') {
+ char param_buffer[1024];
+ int param_len = curchar-param_start;
+
+ if (quote_open)
+ continue;
+
+ if (!param_len) {
+ /* two spaces? */
+ param_start++;
+ continue;
+ }
+
+ /* end of one parameter */
+ strncpy(param_buffer, param_start,
+ param_len);
+ *(param_buffer+param_len) = '\0';
+
+ /* check if table name specified */
 if (!strncmp(param_buffer, "-t", 3) || !strncmp(param_buffer, "--table", 8)) {
 exit_error(PARAMETER_PROBLEM,
@@ -351,23 +357,23 @@ int main(int argc, char *argv[])
 exit(1);
 }
- add_argv(param_buffer);
- param_start += param_len + 1;
- } else {
- /* regular character, skip */
- }
- }
+ add_argv(param_buffer);
+ param_start += param_len + 1;
+ } else {
+ /* regular character, skip */
+ }
+ }
 DEBUGP("calling do_command6(%u, argv, &%s, handle):\n",
- newargc, curtable);
+ newargc, curtable);
- for (a = 0; a <= newargc; a++)
+ for (a = 0; a < newargc; a++)
 DEBUGP("argv[%u]: %s\n", a, newargv[a]);
 ret = do_command6(newargc, newargv,
- &newargv[2], &handle);
+ &newargv[2], &handle);
- free_argv();
+ free_argv();
 }
 if (!ret) {
 fprintf(stderr, "%s: line %u failed\n",
diff --git a/ip6tables-save.8 b/ip6tables-save.8
new file mode 100644
index 00000000..01ff7351
--- /dev/null
+++ b/ip6tables-save.8
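Review bot: The parameter copy in the re-indented parser of the -276 hunk, `strncpy(param_buffer, param_start, param_len); *(param_buffer+param_len) = '\0';`, never checks that `param_len` fits the 1024-byte `param_buffer`, so one token longer than 1023 bytes in the restore input overwrites the stack past the array; the line comes from `fgets(buffer, sizeof(buffer), in)`, whose buffer size is not visible here but is evidently not tied to 1024. A guard right before the copy, `if (param_len >= (int) sizeof(param_buffer)) exit_error(PARAMETER_PROBLEM, "Bad line %u: parameter too long\n", line);`, rejects such a line the same way the counter checks earlier in the hunk reject malformed counters, which matters because restore input is routinely generated on one host and fed to another. The `a < newargc` fix in the -351 hunk is correct and needs no further change. The enclosing main() starts and ends outside these hunks.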
@@ -0,0 +1,50 @@
+.TH IP6TABLES-SAVE 8 "Jan 30, 2002" "" ""
+.\"
+.\" Man page written by Harald Welte
+.\" It is based on the ipptables man page.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\"
+.SH NAME
+ip6tables-save \- Save IPv6 Tables
+.SH SYNOPSIS
+.BR "ip6tables-save " "[-c] [-t table]"
+.br
+.SH DESCRIPTION
+.PP
+.B ip6tables-save
+is used to dump the contents of an IPv6 Table in easily parseable format
+to STDOUT. Use I/O-redirection provided by your shell to write to a file.
+.TP
+\fB\-c\fR, \fB\-\-counters\fR
+include the current values of all packet and byte counters in the output
+.TP
+\fB\-t\fR, \fB\-\-table\fR \fBtablename\fR
+.TP
+restrict output to only one table. If not specified, output includes all
+available tables.
+.SH BUGS
+None known as of iptables-1.2.1 release
+.SH AUTHORS
+Harald Welte
+.br
+Andras Kis-Szabo
+.SH SEE ALSO
+.BR ip6tables-restore "(8), " ip6tables "(8) "
+.PP
+The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
+which details NAT, and the netfilter-hacking-HOWTO which details the
+internals.
diff --git a/ip6tables-save.c b/ip6tables-save.c
index d3ad7090..4ec1bf41 100644
--- a/ip6tables-save.c
+++ b/ip6tables-save.c
@@ -17,10 +17,6 @@
 #include "libiptc/libip6tc.h"
 #include "ip6tables.h"
-#ifndef IP6T_LIB_DIR
-#define IP6T_LIB_DIR "/usr/local/lib/iptables"
-#endif
-
 static int binary = 0, counters = 0;
 static struct option options[] = {
@@ -31,8 +27,10 @@ static struct option options[] = {
 { 0 }
 };
+/*
 extern struct ip6tables_match *find_match(const char *name, enum ip6t_tryload tryload);
 extern struct ip6tables_target *find_target(const char *name, enum ip6t_tryload tryload);
+*/
 /* This assumes that mask is contiguous, and byte-bounded. */
 static void
@@ -51,7 +49,9 @@ print_iface(char letter, const char *iface, const unsigned char *mask,
 if (iface[i] != '\0')
 printf("%c", iface[i]);
 } else {
- if (iface[i] == '\0')
+ /* we can access iface[i-1] here, because
+ * a few lines above we make sure that mask[0] != 0 */
+ if (iface[i-1] != '\0')
 printf("+");
 break;
 }
@@ -131,22 +131,15 @@ static void print_ip(char *prefix, const struct in6_addr *ip, const struct in6_a
 if (!mask && !ip)
 return;
- printf("%s %s%s/",
+ printf("%s %s%s",
 prefix, invert ? "! " : "", inet_ntop(AF_INET6, ip, buf, sizeof buf));
 if (l == -1)
- printf("%s ", inet_ntop(AF_INET6, mask, buf, sizeof buf));
- else
- printf("%d ", l);
-
-#if 0
- if (mask != 0xffffffff)
- printf("/%u.%u.%u.%u ", IP_PARTS(mask));
+ printf("/%s ", inet_ntop(AF_INET6, mask, buf, sizeof buf));
 else
- printf(" ");
-#endif
+ printf("/%d ", l);
 }
 /* We want this to be readable, so only print out neccessary fields.
@@ -180,15 +173,13 @@ static void print_rule(const struct ip6t_entry *e,
 print_proto(e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
 #if 0
- // not definied in ipv6
- // FIXME: linux/netfilter_ipv6/ip6_tables: IP6T_INV_FRAG why definied?
+ /* not definied in ipv6
+ * FIXME: linux/netfilter_ipv6/ip6_tables: IP6T_INV_FRAG why definied? */
 if (e->ipv6.flags & IPT_F_FRAG) printf("%s-f ", e->ipv6.invflags & IP6T_INV_FRAG ? "! " : "");
 #endif
- // TODO: i've got some problem with the code - under understanding ;)
- // How can I set this?
 if (e->ipv6.flags & IP6T_F_TOS) printf("%s-? %d ", e->ipv6.invflags & IP6T_INV_TOS ? "! " : "",
@@ -201,8 +192,8 @@ static void print_rule(const struct ip6t_entry *e,
 /* Print target name */
 target_name = ip6tc_get_target(e, h);
- if (target_name && *target_name != '\0')
- printf("-j %s ", ip6tc_get_target(e, h));
+ if (target_name && (*target_name != '\0'))
+ printf("-j %s ", target_name);
 /* Print targinfo part */
 t = ip6t_get_target((struct ip6t_entry *)e);
@@ -210,14 +201,22 @@ static void print_rule(const struct ip6t_entry *e,
 struct ip6tables_target *target = find_target(t->u.user.name, TRY_LOAD);
- if (target)
+ if (!target) {
+ fprintf(stderr, "Can't find library for target `%s'\n",
+ t->u.user.name);
+ exit(1);
+ }
+
+ if (target->save)
 target->save(&e->ipv6, t);
 else {
- /* If some bits are non-zero, it implies we *need*
- to understand it */
- if (t->u.target_size) {
- fprintf(stderr,
- "Can't find library for target `%s'\n",
+ /* If the target size is greater than ip6t_entry_target
+ * there is something to be saved, we just don't know
+ * how to print it */
+ if (t->u.target_size !=
+ sizeof(struct ip6t_entry_target)) {
+ fprintf(stderr, "Target `%s' is missing "
+ "save function\n",
 t->u.user.name);
 exit(1);
 }
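Review bot: The IP6T_F_TOS branch kept as context in the -180 hunk still prints `-?` as the option name, `printf("%s-? %d ", e->ipv6.invflags & IP6T_INV_TOS ? "! " : "", ...)`, and the commit deletes the TODO that flagged it without resolving it; as far as I can tell no ip6tables option spells `-?`, so a saved rule set containing that token fails when fed back to ip6tables-restore, which is the failure mode that leaves a host without its rules after a reboot. Until a real option exists, the safer behaviour is the one the new `Target ... is missing save function` branch in the -210 hunk uses: report the unsupported field on stderr and exit(1) rather than write output that cannot be restored, or at least keep a comment such as `/* FIXME: no ip6tables option for TOS yet; this output is not restorable */` in place of the removed TODO. print_rule starts and ends outside these hunks.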
@@ -287,10 +286,11 @@ static int do_output(const char *tablename)
 }
 }
+
 for (chain = ip6tc_first_chain(&h); chain; chain = ip6tc_next_chain(&h)) {
- const struct ip6t_entry *e;
+ const struct ip6t_entry *e;
 /* Dump out rules */
 e = ip6tc_first_rule(chain, &h);
@@ -327,7 +327,7 @@ int main(int argc, char *argv[])
 init_extensions();
 #endif
- while ((c = getopt_long(argc, argv, "bc", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
 switch (c) {
 case 'b':
 binary = 1;
@@ -341,7 +341,6 @@ int main(int argc, char *argv[])
 /* Select specific table. */
 tablename = optarg;
 break;
-
 case 'd':
 do_output(tablename);
 exit(0);
--
cgit v1.2.3
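Review bot: The short-option string changed in the -327 hunk to `"bcdt:"` now accepts `-b` and `-d` on the command line, but the ip6tables-save.8 page added in this same commit documents only `-c` and `-t`; either the synopsis and option list should cover `-b`/`--binary` and `-d`, or the undocumented letters should stay out of the string until they are described. Separately, the context lines `case 'd': do_output(tablename); exit(0);` dump from inside the option loop, so `-t table` only takes effect when it precedes `-d` on the command line; a one-line comment above `case 'd':`, e.g. `/* dumps immediately: a -t given after -d is ignored */`, would spare a reader that surprise. main() and do_output() start and end outside these hunks.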