* [RFC PATCH iptables] Hide FORWARD chain if forwarding is not enabled
@ 2014-06-28 7:34 Jethro Beekman
From: Jethro Beekman @ 2014-06-28 7:34 UTC (permalink / raw)
To: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 264 bytes --]
Most Linux distributions have IP forwarding disabled and it gets me every time.
The FORWARD chain is pretty much useless with forwarding disabled, so make
ip{,6}tables -L print a message notifying the user instead of actually listing
the contents.
Jethro Beekman
[-- Attachment #2: ip6tables.c.patch --]
[-- Type: text/x-patch, Size: 1925 bytes --]
--- a/iptables/ip6tables.c 2014-06-28 00:20:35.845014216 -0700
+++ b/iptables/ip6tables.c 2014-06-28 00:21:46.729015280 -0700
@@ -42,6 +42,7 @@
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
+#include <glob.h>
#include "ip6tables-multi.h"
#include "xshared.h"
@@ -888,6 +889,40 @@
return ip6tc_delete_chain(chain, handle);
}
+static int is_forwarding_enabled(void)
+{
+ glob_t globbuf;
+ int opened_any=0,forwarding_enabled=0;
+
+ if (glob("/proc/sys/net/ipv6/conf/*/forwarding",GLOB_NOSORT,NULL,&globbuf)==0)
+ {
+ size_t n;
+ for (n=0;n<globbuf.gl_pathc;n++)
+ {
+ if (strncmp(globbuf.gl_pathv[n],"/proc/sys/net/ipv6/conf/",24)==0 && (strncmp(globbuf.gl_pathv[n]+24,"all/",4)==0 || strncmp(globbuf.gl_pathv[n]+24,"default/",8)==0))
+ continue;
+ FILE* fp=fopen(globbuf.gl_pathv[n],"r");
+ if (fp)
+ {
+ int c=fgetc(fp);
+ if (c!=EOF)
+ {
+ opened_any=1;
+ forwarding_enabled|=c-'0';
+ }
+ fclose(fp);
+ }
+ }
+
+ globfree(&globbuf);
+ }
+
+ if (opened_any==0)
+ forwarding_enabled=1;
+
+ return forwarding_enabled;
+}
+
static int
list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
int expanded, int linenumbers, struct xtc_handle *handle)
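Review bot: `forwarding_enabled|=c-'0';` in is_forwarding_enabled assumes the first byte of each sysctl file is a digit; any other character (for example a newline or a non-numeric value) ORs an arbitrary or negative integer into the result, so the function can report "enabled" for reasons unrelated to forwarding and no longer returns a clean 0/1. Test the byte explicitly so that unexpected content falls back to the `opened_any==0` default of listing the chain, e.g. `if (c == '0' || c == '1') { opened_any = 1; forwarding_enabled |= (c == '1'); }`. The same function, including the hard-coded prefix length 24 in the strncmp calls, is duplicated in the iptables.c hunk `@@ -871,6 +874,40 @@`; since both files already include xshared.h, a single shared helper taking the family's conf path as a parameter would avoid maintaining two copies.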
@@ -916,6 +951,7 @@
this = ip6tc_next_chain(handle)) {
const struct ip6t_entry *i;
unsigned int num;
+ int hide_forward = 0;
if (chain && strcmp(chain, this) != 0)
continue;
@@ -923,7 +959,18 @@
if (found) printf("\n");
if (!rulenum)
- print_header(format, this, handle);
+ {
+ if (!is_forwarding_enabled() && 0==strcmp("FORWARD", this))
+ hide_forward = 1;
+ if (hide_forward)
+ {
+ printf("WARNING: Hiding chain FORWARD because no interfaces have IP forwarding enabled.\n");
+ found=1;
+ continue;
+ }
+ else
+ print_header(format, this, handle);
+ }
i = ip6tc_first_rule(this, handle);
num = 0;
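Review bot: The hide test `if (!is_forwarding_enabled() && 0==strcmp("FORWARD", this))` suppresses the chain even when the user asked for it by name (`-L FORWARD`), because the `chain` filter runs in the preceding hunk and this branch only looks at `this`; an operator auditing the ruleset then has no way to view FORWARD short of changing a sysctl, which goes beyond the "notify the user" intent stated in the cover letter. Gate the suppression on an unfiltered listing, `if (!chain && 0==strcmp("FORWARD", this) && !is_forwarding_enabled())`, which also puts the cheap strcmp first so /proc is not globbed once per chain in the table. The WARNING line is printed to stdout, where it is interleaved with the listing that scripts and audit captures consume; emit it with `fprintf(stderr, ...)` instead. list_entries begins and ends outside this hunk, and the iptables.c hunk `@@ -906,7 +944,18 @@` has the same issues.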
[-- Attachment #3: iptables.c.patch --]
[-- Type: text/x-patch, Size: 1896 bytes --]
--- a/iptables/iptables.c 2013-03-03 13:40:11.000000000 -0800
+++ b/iptables/iptables.c 2014-06-27 17:20:47.109648316 -0700
@@ -39,6 +39,7 @@
#include <iptables.h>
#include <xtables.h>
#include <fcntl.h>
+#include <glob.h>
#include "xshared.h"
#ifndef TRUE
@@ -871,6 +874,40 @@
return iptc_delete_chain(chain, handle);
}
+static int is_forwarding_enabled(void)
+{
+ glob_t globbuf;
+ int opened_any=0,forwarding_enabled=0;
+
+ if (glob("/proc/sys/net/ipv4/conf/*/forwarding",GLOB_NOSORT,NULL,&globbuf)==0)
+ {
+ size_t n;
+ for (n=0;n<globbuf.gl_pathc;n++)
+ {
+ if (strncmp(globbuf.gl_pathv[n],"/proc/sys/net/ipv4/conf/",24)==0 && (strncmp(globbuf.gl_pathv[n]+24,"all/",4)==0 || strncmp(globbuf.gl_pathv[n]+24,"default/",8)==0))
+ continue;
+ FILE* fp=fopen(globbuf.gl_pathv[n],"r");
+ if (fp)
+ {
+ int c=fgetc(fp);
+ if (c!=EOF)
+ {
+ opened_any=1;
+ forwarding_enabled|=c-'0';
+ }
+ fclose(fp);
+ }
+ }
+
+ globfree(&globbuf);
+ }
+
+ if (opened_any==0)
+ forwarding_enabled=1;
+
+ return forwarding_enabled;
+}
+
static int
list_entries(const xt_chainlabel chain, int rulenum, int verbose, int numeric,
int expanded, int linenumbers, struct xtc_handle *handle)
@@ -899,6 +936,7 @@
this = iptc_next_chain(handle)) {
const struct ipt_entry *i;
unsigned int num;
+ int hide_forward = 0;
if (chain && strcmp(chain, this) != 0)
continue;
@@ -906,7 +944,18 @@
if (found) printf("\n");
if (!rulenum)
- print_header(format, this, handle);
+ {
+ if (!is_forwarding_enabled() && 0==strcmp("FORWARD", this))
+ hide_forward = 1;
+ if (hide_forward)
+ {
+ printf("WARNING: Hiding chain FORWARD because no interfaces have IP forwarding enabled.\n");
+ found=1;
+ continue;
+ }
+ else
+ print_header(format, this, handle);
+ }
i = iptc_first_rule(this, handle);
num = 0;
* Re: [RFC PATCH iptables] Hide FORWARD chain if forwarding is not enabled
From: Pascal Hambourg @ 2014-06-28 9:28 UTC (permalink / raw)
To: Jethro Beekman; +Cc: netfilter-devel
Jethro Beekman a écrit :
> Most Linux distributions have IP forwarding disabled and it gets me every time.
> The FORWARD chain is pretty much useless with forwarding disabled, so make
> ip{,6}tables -L print a message notifying the user instead of actually listing
> the contents.
As a user I prefer to have the ability to check rules in the FORWARD
chains before enabling IP forwarding.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [RFC PATCH iptables] Hide FORWARD chain if forwarding is not enabled
From: Pascal Hambourg @ 2014-07-20 8:58 UTC (permalink / raw)
To: Jethro Beekman; +Cc: netfilter-devel
Jethro Beekman a écrit :
> The FORWARD chain is pretty much useless with forwarding disabled
Not on a bridge with bridge-nf enabled (which is the default).
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html