authorHarald Welte <laforge@gnumonks.org>2001-01-05 15:20:07 +0000
committerHarald Welte <laforge@gnumonks.org>2001-01-05 15:20:07 +0000
commitd8e6563430ab692cf093a81b9b6ac997739d9504 (patch)
tree1ce5b64143d7ca4b041fdb4f4a6e6cafbf61f056
parent117341ada43ddf24ada265a6a9f354c77062dd4f (diff)
o several changes / additions to libiptc:
- iptc_set_policy has additional argument 'counters' to be consistent with iptc_get_policy - added functions for counter manipulation (iptc_read_counter, iptc_zero_counter, iptc_set_counter) o iptables-save and iptables-restore manpage clarifications o iptables-restore counter restoring for chain counters
-rw-r--r--ip6tables-standalone.c1
-rw-r--r--ip6tables.c2
-rw-r--r--iptables-restore.87
-rw-r--r--iptables-restore.c34
-rw-r--r--iptables-save.82
-rw-r--r--iptables-save.c6
-rw-r--r--iptables-standalone.c1
-rw-r--r--iptables.c2
8 files changed, 45 insertions, 10 deletions
diff --git a/ip6tables-standalone.c b/ip6tables-standalone.c
index e2b10f88..f6b362c2 100644
--- a/ip6tables-standalone.c
+++ b/ip6tables-standalone.c
@@ -25,6 +25,7 @@
*/
#include <stdio.h>
+#include <stdlib.h>
#include <errno.h>
#include <ip6tables.h>
diff --git a/ip6tables.c b/ip6tables.c
index 31e5f528..045b4baa 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1976,7 +1976,7 @@ int do_command6(int argc, char *argv[], char **table, ip6tc_handle_t *handle)
ret = ip6tc_rename_chain(chain, newname, handle);
break;
case CMD_SET_POLICY:
- ret = ip6tc_set_policy(chain, policy, handle);
+ ret = ip6tc_set_policy(chain, policy, NULL, handle);
break;
default:
/* We should never reach this... */
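Review bot: The `NULL` passed as the new counters argument in the `CMD_SET_POLICY` case has no explanation at the call site, and the libiptc side is not visible here, so a reader cannot tell whether it means "leave the chain counters as they are" or "reset them". A short comment such as `/* NULL: keep existing chain counters */` (or whatever the library actually does) would pin that down. The same applies to the matching call in iptables.c. do_command6 starts and ends outside the hunk.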
diff --git a/iptables-restore.8 b/iptables-restore.8
index cb0b902c..590015e3 100644
--- a/iptables-restore.8
+++ b/iptables-restore.8
@@ -44,10 +44,17 @@ This raises some dependency problems when using the unmodified output of
.B iptables-restore
as input for
.B iptables-restore.
+.PP
Expect this to be fixed in the next iptables release.
+.PP
To make it work, reorder the output in a way that in every table, all
user-defined chains are created before any other chain uses this chain
as target.
+.PP
+.B iptables-restore
+does only restore the counter values of the builtin chains, and
+.B NOT
+the individual counters of each rule.
.SH AUTHOR
Harald Welte <laforge@gnumonks.org>
.SH SEE ALSO
diff --git a/iptables-restore.c b/iptables-restore.c
index 27ea4e3c..dbee1b67 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -58,6 +58,10 @@ iptc_handle_t create_handle(const char *tablename)
return handle;
}
+int parse_counters(char *string, struct ipt_counters *ctr)
+{
+ return (sscanf(string, "[%llu:%llu]", &ctr->pcnt, &ctr->bcnt) == 2);
+}
int main(int argc, char *argv[])
{
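Review bot: parse_counters hands `string` straight to sscanf, so a NULL argument is undefined behaviour. The caller added in main's policy branch passes an unchecked strtok result, which is NULL when a chain line carries no counter token. Guarding inside the helper is cheap: `return string && sscanf(string, "[%llu:%llu]", &ctr->pcnt, &ctr->bcnt) == 2;`. The `%llu` conversions also assume pcnt and bcnt are exactly `unsigned long long`; if struct ipt_counters declares them as a fixed-width 64-bit typedef, that may not hold on every ABI, so parsing into two local `unsigned long long` values and assigning would be safer. The function is only used in this file as far as the diff shows, so it could be `static` and take `const char *`.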
@@ -159,8 +163,6 @@ int main(int argc, char *argv[])
/* New chain. */
char *policy, *chain;
- /* FIXME: Don't ignore counters. */
-
chain = strtok(buffer+1, " \t\n");
DEBUGP("line %u, chain '%s'\n", line, chain);
if (!chain) {
@@ -189,11 +191,24 @@ int main(int argc, char *argv[])
}
if (strcmp(policy, "-") != 0) {
+ struct ipt_counters count;
+
+ if (counters) {
+ char *ctrs;
+ ctrs = strtok(NULL, " \t\n");
+
+ parse_counters(ctrs, &count);
+
+ } else {
+ memset(&count, 0,
+ sizeof(struct ipt_counters));
+ }
DEBUGP("Setting policy of chain %s to %s\n",
chain, policy);
- if (!iptc_set_policy(chain, policy, &handle))
+ if (!iptc_set_policy(chain, policy, &count,
+ &handle))
exit_error(OTHER_PROBLEM,
"Can't set policy `%s'"
" on `%s' line %u: %s\n",
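Review bot: In the `if (counters)` branch the result of `parse_counters(ctrs, &count)` is discarded, so a missing or malformed counter field leaves `count` uninitialised and that stack garbage is then passed to `iptc_set_policy` as the chain's packet and byte counts. `ctrs` can also be NULL here when the line ends after the policy. Rejecting the line keeps a damaged restore file from silently loading wrong values: `if (!ctrs || !parse_counters(ctrs, &count)) exit_error(PARAMETER_PROBLEM, "invalid policy counters for chain '%s'\n", chain);`. Zeroing `count` at its declaration (`struct ipt_counters count = {0};`) would also make the `else` memset unnecessary. The enclosing block of main continues outside the hunk.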
@@ -207,16 +222,25 @@ int main(int argc, char *argv[])
char *newargv[1024];
int i,a;
char *ptr = buffer;
+ char *ctrs = NULL;
+ struct ipt_counters count;
- /* FIXME: Don't ignore counters. */
if (buffer[0] == '[') {
ptr = strchr(buffer, ']');
if (!ptr)
exit_error(PARAMETER_PROBLEM,
"Bad line %u: need ]\n",
line);
+ ctrs = strtok(ptr, " \t\n");
+ }
+
+ if (counters && ctrs) {
+
+ parse_counters(ctrs, &count);
}
+ /* FIXME: Don't ignore counters. */
+
newargv[0] = argv[0];
newargv[1] = "-t";
newargv[2] = (char *) &curtable;
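Review bot: `ctrs = strtok(ptr, " \t\n")` runs after `ptr` has been set to the `]` found by strchr, so the token it returns begins at `]` and can never match the `"[%llu:%llu]"` pattern in parse_counters. The per-rule counters are therefore never actually parsed. Tokenising from the start of the line once the closing bracket is confirmed, `ctrs = strtok(buffer, " \t\n");`, would give the helper the whole `[pcnt:bcnt]` field. The return value of `parse_counters` is also ignored and `count` is not used afterwards in the visible lines, which matches the remaining FIXME but is worth stating in that comment, e.g. `/* FIXME: counters are parsed but not yet applied to the rule */`.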
@@ -225,7 +249,7 @@ int main(int argc, char *argv[])
/* strtok: a function only a coder could love */
for (i = 5; i < sizeof(newargv)/sizeof(char *); i++) {
- if (!(newargv[i] = strtok(ptr, " \t\n")))
+ if (!(newargv[i] = strtok(NULL, " \t\n")))
break;
ptr = NULL;
}
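Review bot: Changing the loop to `strtok(NULL, " \t\n")` assumes an earlier strtok call has already been started on this line, but in the previous hunk that only happens inside the `buffer[0] == '['` branch. For a rule line without a counter prefix, and unless a strtok call sits in the lines not shown between the hunks, the loop continues from whatever state the previous line left behind and the rule's own arguments are not tokenised. For a firewall restore tool that means rules can be dropped or misread without an error. Keeping `strtok(ptr, " \t\n")` in the loop and setting `ptr = NULL;` right after the counter token is consumed in the `[` branch would cover both cases, and would give the existing `ptr = NULL;` in the loop body a purpose again.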
diff --git a/iptables-save.8 b/iptables-save.8
index ff273549..32b70ef2 100644
--- a/iptables-save.8
+++ b/iptables-save.8
@@ -43,7 +43,9 @@ This raises some dependency problems when using the unmodified output of
.B iptables-save
as input for
.B iptables-restore.
+.PP
Expect this to be fixed in the next iptables release.
+.PP
To make it work, reorder the output in a way that in every table, all
user-defined chains are created before any other chain uses this chain
as target.
diff --git a/iptables-save.c b/iptables-save.c
index 413e1ad3..a97d4481 100644
--- a/iptables-save.c
+++ b/iptables-save.c
@@ -145,7 +145,7 @@ static void print_rule(const struct ipt_entry *e,
/* print counters */
if (counters)
- printf("[%llu,%llu] ", e->counters.pcnt, e->counters.bcnt);
+ printf("[%llu:%llu] ", e->counters.pcnt, e->counters.bcnt);
/* Print IP part. */
print_ip("-s", e->ip.src.s_addr,e->ip.smsk.s_addr,
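Review bot: The `[%llu:%llu]` literal in print_rule is now an input format as well as an output format, because parse_counters in iptables-restore.c reads it back with the same pattern. It is spelled out separately here and at the two policy printf calls in do_output. A comment at each site, for example `/* format must stay in sync with parse_counters() in iptables-restore.c */`, or a shared macro for the pattern, would stop the writer and the reader from drifting apart the way the old `,` and `:` variants did. Dumps written with the previous `[pcnt,bcnt]` and bare `pcnt:bcnt` forms will no longer parse, which is worth a line in the man page.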
@@ -251,9 +251,9 @@ static int do_output(const char *tablename)
struct ipt_counters count;
printf("%s ",
iptc_get_policy(chain, &count, &h));
- printf("%llu:%llu\n", count.pcnt, count.bcnt);
+ printf("[%llu:%llu]\n", count.pcnt, count.bcnt);
} else {
- printf("- 0 0\n");
+ printf("- [0:0]\n");
}
/* Dump out rules */
diff --git a/iptables-standalone.c b/iptables-standalone.c
index 7bd3a48f..102c0f39 100644
--- a/iptables-standalone.c
+++ b/iptables-standalone.c
@@ -27,6 +27,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
+#include <string.h>
#include <iptables.h>
int
diff --git a/iptables.c b/iptables.c
index e6b02889..2079b682 100644
--- a/iptables.c
+++ b/iptables.c
@@ -2195,7 +2195,7 @@ int do_command(int argc, char *argv[], char **table, iptc_handle_t *handle)
ret = iptc_rename_chain(chain, newname, handle);
break;
case CMD_SET_POLICY:
- ret = iptc_set_policy(chain, policy, handle);
+ ret = iptc_set_policy(chain, policy, NULL, handle);
break;
default:
/* We should never reach this... */