* [PATCH] iptables-save: add --chain argument, limits output to a chain
@ 2013-02-26 11:33 jonh.wendell
2013-02-26 14:48 ` Jan Engelhardt
From: jonh.wendell @ 2013-02-26 11:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jonh Wendell
From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
Similar to the --table argument, if a --chain (or -C) argument
is passed, we limit the output to rules of that chain.
Signed-off-by: Jonh Wendell <jonh.wendell@oiwifi.com.br>
---
iptables/iptables-save.8 | 8 ++++++--
iptables/iptables-save.c | 13 ++++++++++++-
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/iptables/iptables-save.8 b/iptables/iptables-save.8
index c2e0a94..2f510d0 100644
--- a/iptables/iptables-save.8
+++ b/iptables/iptables-save.8
@@ -1,4 +1,4 @@
-.TH IPTABLES-SAVE 8 "Jan 04, 2001" "" ""
+.TH IPTABLES-SAVE 8 "Feb 25, 2013" "" ""
.\"
.\" Man page written by Harald Welte <laforge@gnumonks.org>
.\" It is based on the iptables man page.
@@ -22,7 +22,7 @@
iptables-save \(em dump iptables rules to stdout
.SH SYNOPSIS
\fBiptables\-save\fP [\fB\-M\fP \fImodprobe\fP] [\fB\-c\fP]
-[\fB\-t\fP \fItable\fP]
+[\fB\-t\fP \fItable\fP] [\fB\-C\fP \fIchain\fP]
.SH DESCRIPTION
.PP
.B iptables-save
@@ -39,6 +39,10 @@ include the current values of all packet and byte counters in the output
\fB\-t\fR, \fB\-\-table\fR \fItablename\fP
restrict output to only one table. If not specified, output includes all
available tables.
+.TP
+\fB\-C\fR, \fB\-\-chain\fR \fIchainname\fP
+restrict output to only one chain. If not specified, output includes all
+available chains.
.SH BUGS
None known as of iptables-1.2.1 release
.SH AUTHOR
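Review bot: the new `--chain` paragraph should say how the option composes with `--table`: the match is made inside `do_output(tablename)`, so without `-t` the named chain is looked for in every table that gets dumped, and a name that matches nothing produces no diagnostic. Suggest wording such as "restrict output to only one chain within the selected table(s)", and a sentence noting that rules in other chains which jump to the selected chain are not included, since the result is no longer a complete ruleset.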
diff --git a/iptables/iptables-save.c b/iptables/iptables-save.c
index e599fce..aae77b6 100644
--- a/iptables/iptables-save.c
+++ b/iptables/iptables-save.c
@@ -22,12 +22,14 @@
#endif
static int show_counters = 0;
+static char *chainname = NULL;
static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "dump", .has_arg = false, .val = 'd'},
{.name = "table", .has_arg = true, .val = 't'},
{.name = "modprobe", .has_arg = true, .val = 'M'},
+ {.name = "chain", .has_arg = true, .val = 'C'},
{NULL},
};
@@ -85,6 +87,9 @@ static int do_output(const char *tablename)
chain;
chain = iptc_next_chain(h)) {
+ if (chainname && *chainname && strcmp(chain, chainname))
+ continue;
+
printf(":%s ", chain);
if (iptc_builtin(chain, h)) {
struct xt_counters count;
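Review bot: nothing records whether `strcmp(chain, chainname)` ever matched, so a misspelled or absent chain name yields a dump with no chain lines and a zero exit status, which `iptables-restore` will apply as an empty result. Suggest a static `found` flag set on a match and, after the loops, an error on stderr with a non-zero exit when `chainname` was given and `found` is still 0. The `*chainname` test also makes `-C ""` silently equivalent to no filter; rejecting an empty name as a usage error is clearer.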
@@ -101,6 +106,9 @@ static int do_output(const char *tablename)
chain = iptc_next_chain(h)) {
const struct ipt_entry *e;
+ if (chainname && *chainname && strcmp(chain, chainname))
+ continue;
+
/* Dump out rules */
e = iptc_first_rule(chain, h);
while(e) {
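Review bot: this condition is a verbatim copy of the one in the chain-header loop above; a small static helper such as `chain_selected(const char *chain)` used by both loops keeps them from drifting apart. There is also a semantic gap worth stating in the man page or commit message: rules in other chains that jump to the selected chain (`-j chainname`) are skipped together with their chains, so a user-defined chain saved this way comes back with no rule reaching it.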
@@ -140,7 +148,7 @@ iptables_save_main(int argc, char *argv[])
init_extensions4();
#endif
- while ((c = getopt_long(argc, argv, "bcdt:", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "bcdt:C:", options, NULL)) != -1) {
switch (c) {
case 'c':
show_counters = 1;
@@ -153,6 +161,9 @@ iptables_save_main(int argc, char *argv[])
case 'M':
xtables_modprobe_program = optarg;
break;
+ case 'C':
+ chainname = optarg;
+ break;
case 'd':
do_output(tablename);
exit(0);
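Review bot: `case 'd'` dumps and exits from inside the option loop, so `iptables-save -d -C INPUT` runs `do_output()` before `chainname` is set and the new option is ignored; the same ordering trap already applies to `-t`. Either defer the `-d` dump until `getopt_long()` has finished, or document that `-C` and `-t` must precede `-d`.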
--
1.7.10.4
* Re: [PATCH] iptables-save: add --chain argument, limits output to a chain
2013-02-26 11:33 [PATCH] iptables-save: add --chain argument, limits output to a chain jonh.wendell
@ 2013-02-26 14:48 ` Jan Engelhardt
2013-02-26 15:02 ` Jonh Wendell
[not found] ` <CABXqP=jq3rEE6b1xpgA0QtuwAQ04U5b3voMdTsuGmLB-qrsDxg@mail.gmail.com>
From: Jan Engelhardt @ 2013-02-26 14:48 UTC (permalink / raw)
To: jonh.wendell; +Cc: netfilter-devel, Jonh Wendell
On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:
>From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
>
>Similar to the --table argument, if a --chain (or -C) argument
>is passed, we limit the output to rules of that chain.
But we have `iptables -S chain` for that, don't we.
* Re: [PATCH] iptables-save: add --chain argument, limits output to a chain
2013-02-26 14:48 ` Jan Engelhardt
@ 2013-02-26 15:02 ` Jonh Wendell
[not found] ` <CABXqP=jq3rEE6b1xpgA0QtuwAQ04U5b3voMdTsuGmLB-qrsDxg@mail.gmail.com>
From: Jonh Wendell @ 2013-02-26 15:02 UTC (permalink / raw)
To: netfilter-devel
2013/2/26 Jan Engelhardt <jengelh@inai.de>
>
> On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:
>
> >From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
> >
> >Similar to the --table argument, if a --chain (or -C) argument
> >is passed, we limit the output to rules of that chain.
>
> But we have `iptables -S chain` for that, don't we.
I'm afraid its output is not suitable for iptables-restore.
--
Jonh Wendell
http://www.bani.com.br
* Re: [PATCH] iptables-save: add --chain argument, limits output to a chain
[not found] ` <CABXqP=jq3rEE6b1xpgA0QtuwAQ04U5b3voMdTsuGmLB-qrsDxg@mail.gmail.com>
@ 2013-02-26 15:40 ` Jan Engelhardt
2013-02-26 16:18 ` Jonh Wendell
From: Jan Engelhardt @ 2013-02-26 15:40 UTC (permalink / raw)
To: Jonh Wendell; +Cc: netfilter-devel
On Tuesday 2013-02-26 15:57, Jonh Wendell wrote:
>2013/2/26 Jan Engelhardt <jengelh@inai.de>
> On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:
>
> >From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
> >
> >Similar to the --table argument, if a --chain (or -C) argument
> >is passed, we limit the output to rules of that chain.
>
>But we have `iptables -S chain` for that, don't we.
>
>
>I'm afraid its output is not suitable for iptables-restore.
I thought you just wanted to have a single chain shown, for the
purposes of debugging (because nobody can frankly read -L's output).
If however you want to feed it to replace, can you elaborate on your
use case? I would be interested in that.
* Re: [PATCH] iptables-save: add --chain argument, limits output to a chain
2013-02-26 15:40 ` Jan Engelhardt
@ 2013-02-26 16:18 ` Jonh Wendell
2013-02-26 22:18 ` Jan Engelhardt
From: Jonh Wendell @ 2013-02-26 16:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
2013/2/26 Jan Engelhardt <jengelh@inai.de>:
>
> On Tuesday 2013-02-26 15:57, Jonh Wendell wrote:
>>2013/2/26 Jan Engelhardt <jengelh@inai.de>
>> On Tuesday 2013-02-26 12:33, jonh.wendell@gmail.com wrote:
>>
>> >From: Jonh Wendell <jonh.wendell@oiwifi.com.br>
>> >
>> >Similar to the --table argument, if a --chain (or -C) argument
>> >is passed, we limit the output to rules of that chain.
>>
>>But we have `iptables -S chain` for that, don't we.
>>
>>
>>I'm afraid its output is not suitable for iptables-restore.
>
> I thought you just wanted to have a single chain shown, for the
> purposes of debugging (because nobody can frankly read -L's output).
> If however you want to feed it to replace, can you elaborate on your
> use case? I would be interested in that.
Hi!
My particular use case is: I want to flush all iptables rules except
those ones from a specific chain.
So, I save them with iptables-save -C <chain-name>, flush, and then
run iptables-restore on them.
I could do it without that -C flag, but I'd have to parse its output
to get only the chain I'm interested in.
In other words, my use case could be reached with something like
'iptables -F ! <chain-name>'.
All in all, I think it's a good addition to iptables-save, it can be
useful in other scenarios.
Thanks,
--
Jonh Wendell
http://www.bani.com.br
* Re: [PATCH] iptables-save: add --chain argument, limits output to a chain
2013-02-26 16:18 ` Jonh Wendell
@ 2013-02-26 22:18 ` Jan Engelhardt
2013-02-26 23:30 ` Jonh Wendell
From: Jan Engelhardt @ 2013-02-26 22:18 UTC (permalink / raw)
To: Jonh Wendell; +Cc: netfilter-devel
On Tuesday 2013-02-26 17:18, Jonh Wendell wrote:
>
>My particular use case is: I want to flush all iptables rules except
>those ones from a specific chain.
>So, I save them with iptables-save -C <chain-name>, flush, and then
>run iptables-restore on them.
But if chain-name is not a base chain, then you wipe out the
main rules for all practical purposes.
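The parsing that the proposed -C flag is meant to spare the user (saving one chain from a full iptables-save dump), together with the "not a base chain" concern raised in the reply above, as an added example in Python. This code is neither part of the patch nor of the iptables project; it assumes only the iptables-save text format (`*table`, `:chain policy [pkts:bytes]`, `-A chain ...`, `COMMIT`), the dump it works on is a constructed sample, and the function name filter_chain is my own.

```python
"""Filter an iptables-save dump down to a single chain, keeping it restorable.

Added example, not part of this patch or of the iptables project.  It does in
user space what the proposed -C flag does inside iptables-save, and it also
reports the rules in *other* chains that jump to the selected chain, which a
chain-only dump leaves out (the non-base-chain concern raised in the thread).
"""
import re

# Constructed sample in iptables-save format; not captured from a real host.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MYCHAIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j MYCHAIN
-A MYCHAIN -s 192.0.2.0/24 -j ACCEPT
-A MYCHAIN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed (constructed sample)
"""

# Target of a rule: -j/--jump or -g/--goto followed by a chain or target name.
JUMP_RE = re.compile(r"\s(?:-j|--jump|-g|--goto)\s+(\S+)")


def filter_chain(save_text, chain):
    """Return (restore_text, dangling_jumps) for one chain.

    restore_text keeps, per table, the '*table' header, the ':chain' policy
    line, every rule whose chain argument is `chain`, and COMMIT.  Tables that
    do not define the chain are omitted entirely, so iptables-restore does not
    touch them.  dangling_jumps lists (table, rule) pairs for rules in other
    chains that jump to `chain`; they are not part of restore_text, so after a
    flush nothing reaches the restored chain until they are recreated.
    """
    out, dangling = [], []
    table, block, found = None, [], False
    for line in save_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("*"):                       # table header
            table, block, found = line[1:], [line], False
            continue
        if line == "COMMIT":
            if found:
                out.extend(block + ["COMMIT"])
            table = None
            continue
        if table is None:
            continue                                   # text outside a table block
        tokens = line.split()
        if line.startswith(":"):                       # chain declaration / policy
            if tokens[0][1:] == chain:
                block.append(line)
                found = True
            continue
        if line.startswith("-"):                       # -A CHAIN ... (rule commands)
            if tokens[1] == chain:
                block.append(line)
                found = True
            else:
                m = JUMP_RE.search(line)
                if m and m.group(1) == chain:
                    dangling.append((table, line))
    return ("\n".join(out) + "\n") if out else "", dangling


if __name__ == "__main__":
    text, dangling = filter_chain(SAMPLE_SAVE, "MYCHAIN")
    if not text:
        raise SystemExit("chain not found in any table")
    print(text, end="")
    for table, rule in dangling:
        print(f"# not saved, table {table}: {rule}")
```

Two points of design differ from the patch and illustrate the thread's discussion: a table in which the chain does not exist is dropped from the output rather than emitted as an empty block, and an unknown chain name is reported instead of producing a silently empty dump. Running the sample for MYCHAIN returns the chain's declaration and its two rules, and separately reports the `-A INPUT ... -j MYCHAIN` rule that the chain-only dump does not contain; after a flush and restore of that dump alone, MYCHAIN exists but no traffic reaches it, which is exactly what "not a base chain" means above. Selecting a built-in chain such as INPUT instead also carries its DROP policy into the restore file.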
* Re: [PATCH] iptables-save: add --chain argument, limits output to a chain
2013-02-26 22:18 ` Jan Engelhardt
@ 2013-02-26 23:30 ` Jonh Wendell
From: Jonh Wendell @ 2013-02-26 23:30 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
2013/2/26 Jan Engelhardt <jengelh@inai.de>:
>
> On Tuesday 2013-02-26 17:18, Jonh Wendell wrote:
>>
>>My particular use case is: I want to flush all iptables rules except
>>those ones from a specific chain.
>>So, I save them with iptables-save -C <chain-name>, flush, and then
>>run iptables-restore on them.
>
> But if chain-name is not a base chain, then you wipe out the
> main rules for all practical purposes.
Actually, after flushing all rules, I load a preset set of rules and only
then run iptables-restore.
--
Jonh Wendell
http://www.bani.com.br