[PATCH] iptables: Sort table names in ip[6]tables-save

[PATCH] iptables: Sort table names in ip[6]tables-save

[Phil Oester]

[-- Attachment #1: Type: text/plain, Size: 404 bytes --]

Depending upon the load order of rules, the output from ip[6]tables-save
will vary, as ip[6]_tables_names is sorted LIFO.  As reported by
Linus van Geuns, this makes comparing output from ip[6]tables-save across
reboots difficult.  Fix this by sorting table names prior to walking
the tables, making output consistent.

This closes bugzilla #580.

Phil

Signed-off-by: Phil Oester <kernel@linuxace.com>


[-- Attachment #2: patch-sort-tables --]
[-- Type: text/plain, Size: 2917 bytes --]

diff --git a/include/xtables.h b/include/xtables.h
index c35a6e6..dc6e566 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -479,6 +479,8 @@ extern void xtables_ip6parse_any(const char *, struct in6_addr **,
 extern void xtables_ip6parse_multiple(const char *, struct in6_addr **,
 	struct in6_addr **, unsigned int *);
 
+extern int stringcmp(const void *, const void *);
+
 /**
  * Print the specified value to standard output, quoting dangerous
  * characters if required.
diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c
index d819b30..7ec0f75 100644
--- a/iptables/ip6tables-save.c
+++ b/iptables/ip6tables-save.c
@@ -36,8 +36,9 @@ static const struct option options[] = {
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
 {
-	int ret = 1;
+	int i, count = 0, ret = 1;
 	FILE *procfile = NULL;
+	char **tables = NULL;
 	char tablename[XT_TABLE_MAXNAMELEN+1];
 
 	procfile = fopen("/proc/net/ip6_tables_names", "re");
@@ -50,10 +51,17 @@ static int for_each_table(int (*func)(const char *tablename))
 				   "Badly formed tablename `%s'\n",
 				   tablename);
 		tablename[strlen(tablename) - 1] = '\0';
-		ret &= func(tablename);
+		count++;
+		tables = (char **)realloc(tables, sizeof(char*)*count);
+		tables[count-1] = strdup(tablename);
 	}
-
 	fclose(procfile);
+
+	qsort(tables, count, sizeof(char *), stringcmp);
+	for (i = 0 ; i < count ; i++) {
+		ret &= func(tables[i]);
+	}
+
 	return ret;
 }
 
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index e599fce..802f94d 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -34,8 +34,9 @@ static const struct option options[] = {
 /* Debugging prototype. */
 static int for_each_table(int (*func)(const char *tablename))
 {
-	int ret = 1;
+	int i, count = 0, ret = 1;
 	FILE *procfile = NULL;
+	char **tables = NULL;
 	char tablename[XT_TABLE_MAXNAMELEN+1];
 
 	procfile = fopen("/proc/net/ip_tables_names", "re");
@@ -48,10 +49,17 @@ static int for_each_table(int (*func)(const char *tablename))
 				   "Badly formed tablename `%s'\n",
 				   tablename);
 		tablename[strlen(tablename) - 1] = '\0';
-		ret &= func(tablename);
+		count++;
+		tables = (char **)realloc(tables, sizeof(char*)*count);
+		tables[count-1] = strdup(tablename);
 	}
-
 	fclose(procfile);
+
+	qsort(tables, count, sizeof(char *), stringcmp);
+	for (i = 0 ; i < count ; i++) {
+		ret &= func(tables[i]);
+	}
+
 	return ret;
 }
 
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ebc77b6..ca94f4e 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1957,3 +1957,10 @@ void get_kernel_version(void)
 	sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
 	kernel_version = LINUX_VERSION(x, y, z);
 }
+
+int stringcmp(const void *a, const void *b) 
+{ 
+	const char **ia = (const char **)a;
+	const char **ib = (const char **)b;
+	return strcmp(*ia, *ib);
+} 

Re: [PATCH] iptables: Sort table names in ip[6]tables-save

[Phil Oester]

On Mon, Jul 01, 2013 at 09:43:19PM -0700, Maciej Żenczykowski wrote:
> I haven't looked at the patch, but I'm guessing there should be a way
> to disable this.

Why?  Today the behavior is random.  If you added a NAT table rule
before a FORWARD table rule, the NAT rules would be at the bottom
of the iptables-save output.  You're suggesting that completely
random behavior should be the _default_?  Isn't deterministic
behavior a better default?

Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] iptables: Sort table names in ip[6]tables-save

[Maciej Żenczykowski]

I haven't looked at the patch, but I'm guessing there should be a way
to disable this.

Re: [PATCH] iptables: Sort table names in ip[6]tables-save

[Maciej Żenczykowski]

> Why?  Today the behavior is random.  If you added a NAT table rule
> before a FORWARD table rule, the NAT rules would be at the bottom
> of the iptables-save output.  You're suggesting that completely
> random behavior should be the _default_?  Isn't deterministic
> behavior a better default?

I didn't say it should be the default.
I said there should be a way to disable the sorting.
Getting a dump as close as possible to the kernels view of the
situation is potentially desirable when debugging stuff.