Netfilter-Devel Archive on lore.kernel.org
* [iptables PATCH 1/7] iptables: install iptables-apply script and manpage
@ 2019-12-04 18:17 Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 2/7] iptables: cleanup "allows to" usage Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2019-12-04 18:17 UTC
  To: netfilter-devel

From: Laurence J. Lane <ljlane@debian.org>

We have the iptables-apply script in the tree (and in the release tarball), but
it is not being installed anywhere. Same for the manpage.

Arturo says:
 I'm not a strong supporter of this script, but there are many users of it, so
 better do things right and do a proper installation.
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 iptables/Makefile.am       |    7 ++++++-
 iptables/ip6tables-apply.8 |    1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 iptables/ip6tables-apply.8

diff --git a/iptables/Makefile.am b/iptables/Makefile.am
index fc834e0f..71b1b1d4 100644
--- a/iptables/Makefile.am
+++ b/iptables/Makefile.am
@@ -53,7 +53,11 @@ sbin_PROGRAMS	+= xtables-nft-multi
 endif
 man_MANS         = iptables.8 iptables-restore.8 iptables-save.8 \
                    iptables-xml.1 ip6tables.8 ip6tables-restore.8 \
-                   ip6tables-save.8 iptables-extensions.8
+                   ip6tables-save.8 iptables-extensions.8 \
+                   iptables-apply.8 ip6tables-apply.8
+
+sbin_SCRIPT      = iptables-apply
+
 if ENABLE_NFTABLES
 man_MANS	+= xtables-nft.8 xtables-translate.8 xtables-legacy.8 \
                    iptables-translate.8 ip6tables-translate.8 \
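Review bot: `sbin_SCRIPT` on the new line is not an automake primary, so automake treats it as an ordinary variable and the script is never installed; it should read `sbin_SCRIPTS = iptables-apply` (the plural form, matching `sbin_PROGRAMS` a few lines above). Separately, `man_MANS` now lists `iptables-apply.8` while the tree carries `iptables/iptables-apply.8.in` (see the diffstat of patch 7/7), so confirm that configure already generates the `.8` from the `.in`; otherwise `make install` stops on the missing page.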
@@ -106,3 +110,4 @@ install-exec-hook:
 	for i in ${v4_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
 	for i in ${v6_sbin_links}; do ${LN_S} -f xtables-legacy-multi "${DESTDIR}${sbindir}/$$i"; done;
 	for i in ${x_sbin_links}; do ${LN_S} -f xtables-nft-multi "${DESTDIR}${sbindir}/$$i"; done;
+	${LN_S} -f iptables-apply "${DESTDIR}${sbindir}/ip6tables-apply"
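Review bot: the relative link target `iptables-apply` follows the style of the three `${LN_S}` loops above it, and the script's own `case "$PROGNAME" in (*6*)` branch (patch 7/7) is what turns the `ip6tables-apply` name into ip6tables-save/-restore, so a link is the right mechanism. One thing to check: there is no matching removal of `${DESTDIR}${sbindir}/ip6tables-apply` in an uninstall hook, so `make uninstall` will leave a dangling link behind once `iptables-apply` is removed.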
diff --git a/iptables/ip6tables-apply.8 b/iptables/ip6tables-apply.8
new file mode 100644
index 00000000..994b487a
--- /dev/null
+++ b/iptables/ip6tables-apply.8
@@ -0,0 +1 @@
+.so man8/iptables-apply.8



* [iptables PATCH 2/7] iptables: cleanup "allows to" usage
  2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
@ 2019-12-04 18:18 ` Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 3/7] extensions: manpages: cleanup hyphens Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2019-12-04 18:18 UTC
  To: netfilter-devel

From: Laurence J. Lane <ljlane@debian.org>

Grammatical cleanup.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 extensions/libipt_ECN.man     |    2 +-
 extensions/libxt_AUDIT.man    |    2 +-
 extensions/libxt_CHECKSUM.man |    2 +-
 extensions/libxt_CT.man       |    2 +-
 extensions/libxt_DSCP.man     |    2 +-
 extensions/libxt_TCPMSS.man   |    2 +-
 extensions/libxt_osf.c        |    2 +-
 iptables/iptables.8.in        |    4 ++--
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/extensions/libipt_ECN.man b/extensions/libipt_ECN.man
index a9cbe109..8ae7996e 100644
--- a/extensions/libipt_ECN.man
+++ b/extensions/libipt_ECN.man
@@ -1,4 +1,4 @@
-This target allows to selectively work around known ECN blackholes.
+This target selectively works around known ECN blackholes.
 It can only be used in the mangle table.
 .TP
 \fB\-\-ecn\-tcp\-remove\fP
diff --git a/extensions/libxt_AUDIT.man b/extensions/libxt_AUDIT.man
index 4f5562e8..57cce8c4 100644
--- a/extensions/libxt_AUDIT.man
+++ b/extensions/libxt_AUDIT.man
@@ -1,4 +1,4 @@
-This target allows to create audit records for packets hitting the target.
+This target allows creates audit records for packets hitting the target.
 It can be used to record accepted, dropped, and rejected packets. See
 auditd(8) for additional details.
 .TP
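Review bot: the replacement line still contains a grammatical error: "This target allows creates audit records" mixes the old and the new phrasing. It should read "This target creates audit records for packets hitting the target.", consistent with the other rewrites in this patch (ECN, CHECKSUM, DSCP, TCPMSS).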
diff --git a/extensions/libxt_CHECKSUM.man b/extensions/libxt_CHECKSUM.man
index 92ae700f..726f4ea6 100644
--- a/extensions/libxt_CHECKSUM.man
+++ b/extensions/libxt_CHECKSUM.man
@@ -1,4 +1,4 @@
-This target allows to selectively work around broken/old applications.
+This target selectively works around broken/old applications.
 It can only be used in the mangle table.
 .TP
 \fB\-\-checksum\-fill\fP
diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man
index e992120a..fc692f9a 100644
--- a/extensions/libxt_CT.man
+++ b/extensions/libxt_CT.man
@@ -1,4 +1,4 @@
-The CT target allows to set parameters for a packet or its associated
+The CT target sets parameters for a packet or its associated
 connection. The target attaches a "template" connection tracking entry to
 the packet, which is then used by the conntrack core when initializing
 a new ct entry. This target is thus only valid in the "raw" table.
diff --git a/extensions/libxt_DSCP.man b/extensions/libxt_DSCP.man
index 551ba2e1..5385c97a 100644
--- a/extensions/libxt_DSCP.man
+++ b/extensions/libxt_DSCP.man
@@ -1,4 +1,4 @@
-This target allows to alter the value of the DSCP bits within the TOS
+This target alters the value of the DSCP bits within the TOS
 header of the IPv4 packet.  As this manipulates a packet, it can only
 be used in the mangle table.
 .TP
diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man
index 8da8e761..25b480dd 100644
--- a/extensions/libxt_TCPMSS.man
+++ b/extensions/libxt_TCPMSS.man
@@ -1,4 +1,4 @@
-This target allows to alter the MSS value of TCP SYN packets, to control
+This target alters the MSS value of TCP SYN packets, to control
 the maximum size for that connection (usually limiting it to your
 outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
 Of course, it can only be used
diff --git a/extensions/libxt_osf.c b/extensions/libxt_osf.c
index 496b4805..c567d9e0 100644
--- a/extensions/libxt_osf.c
+++ b/extensions/libxt_osf.c
@@ -40,7 +40,7 @@ static void osf_help(void)
 		"--ttl level            Use some TTL check extensions to determine OS:\n"
 		"       0                       true ip and fingerprint TTL comparison. Works for LAN.\n"
 		"       1                       check if ip TTL is less than fingerprint one. Works for global addresses.\n"
-		"       2                       do not compare TTL at all. Allows to detect NMAP, but can produce false results.\n"
+		"       2                       do not compare TTL at all. This allows NMAP detection, but can produce false results.\n"
 		"--log level            Log determined genres into dmesg even if they do not match desired one:\n"
 		"       0                       log all matched or unknown signatures.\n"
 		"       1                       log only first one.\n"
diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in
index 78df8f08..054564b3 100644
--- a/iptables/iptables.8.in
+++ b/iptables/iptables.8.in
@@ -245,13 +245,13 @@ add, delete, insert, replace and append commands).
 This option has no effect in iptables and iptables-restore.
 If a rule using the \fB\-4\fP option is inserted with (and only with)
 ip6tables-restore, it will be silently ignored. Any other uses will throw an
-error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+error. This option allows IPv4 and IPv6 rules in a single rule file
 for use with both iptables-restore and ip6tables-restore.
 .TP
 \fB\-6\fP, \fB\-\-ipv6\fP
 If a rule using the \fB\-6\fP option is inserted with (and only with)
 iptables-restore, it will be silently ignored. Any other uses will throw an
-error. This option allows to put both IPv4 and IPv6 rules in a single rule file
+error. This option allows IPv4 and IPv6 rules in a single rule file
 for use with both iptables-restore and ip6tables-restore.
 This option has no effect in ip6tables and ip6tables-restore.
 .TP
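Review bot: dropping "both" in the two rewritten lines loses the point of the sentence, which is that a single file can carry rules for both address families. Suggest "This option allows both IPv4 and IPv6 rules to be kept in a single rule file" for the `\-4` paragraph, with the identical wording in the `\-6` paragraph below it.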



* [iptables PATCH 3/7] extensions: manpages: cleanup hyphens
  2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 2/7] iptables: cleanup "allows to" usage Arturo Borrero Gonzalez
@ 2019-12-04 18:18 ` Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 4/7] libipq: fix spelling in manpage Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2019-12-04 18:18 UTC
  To: netfilter-devel

From: Laurence J. Lane <ljlane@debian.org>

Cleanup: escape hyphens so they are not interpreted by the manpage generator.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 extensions/libip6t_DNPT.man  |    2 +-
 extensions/libip6t_SNPT.man  |    2 +-
 extensions/libxt_HMARK.man   |    2 +-
 extensions/libxt_SET.man     |    2 +-
 extensions/libxt_TOS.man     |    2 +-
 extensions/libxt_bpf.man     |    2 +-
 extensions/libxt_cluster.man |    2 +-
 extensions/libxt_osf.man     |    4 ++--
 extensions/libxt_set.man     |    2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man
index 61beeee8..9b060f5b 100644
--- a/extensions/libip6t_DNPT.man
+++ b/extensions/libip6t_DNPT.man
@@ -23,7 +23,7 @@ ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
 .PP
 You may need to enable IPv6 neighbor proxy:
 .IP
-sysctl -w net.ipv6.conf.all.proxy_ndp=1
+sysctl \-w net.ipv6.conf.all.proxy_ndp=1
 .PP
 You also have to use the
 .B NOTRACK
diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man
index 78d644a7..97e0071b 100644
--- a/extensions/libip6t_SNPT.man
+++ b/extensions/libip6t_SNPT.man
@@ -23,7 +23,7 @@ ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
 .PP
 You may need to enable IPv6 neighbor proxy:
 .IP
-sysctl -w net.ipv6.conf.all.proxy_ndp=1
+sysctl \-w net.ipv6.conf.all.proxy_ndp=1
 .PP
 You also have to use the
 .B NOTRACK
diff --git a/extensions/libxt_HMARK.man b/extensions/libxt_HMARK.man
index e7b5426d..cd7ffd54 100644
--- a/extensions/libxt_HMARK.man
+++ b/extensions/libxt_HMARK.man
@@ -56,5 +56,5 @@ iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
  \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
 .PP
-iptables \-t mangle \-A PREROUTING -j HMARK \-\-hmark\-offset 10000
+iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000
 \-\-hmark-tuple src,dst,proto \-\-hmark-mod 10 \-\-hmark\-rnd 0xdeafbeef
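Review bot: the fix to `\-j` is right, but the same unescaped hyphens remain on the unchanged lines of this very hunk: `\-\-hmark-tuple`, `\-\-hmark-offset` and `\-\-hmark-mod` (the second and last lines), inconsistent with `\-\-hmark\-mod` and `\-\-hmark\-rnd` next to them. Since the whole patch is about escaping hyphens, escape those in the same hunk rather than leaving the example half-fixed.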
diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
index 78a9ae0f..c4713378 100644
--- a/extensions/libxt_SET.man
+++ b/extensions/libxt_SET.man
@@ -42,5 +42,5 @@ and
 \fB\-\-map\-queue\fP
 flags can be used in the OUTPUT, FORWARD and POSTROUTING chains.
 .PP
-Use of -j SET requires that ipset kernel support is provided, which, for
+Use of \-j SET requires that ipset kernel support is provided, which, for
 standard kernels, is the case since Linux 2.6.39.
diff --git a/extensions/libxt_TOS.man b/extensions/libxt_TOS.man
index 58118ec2..de2d22dc 100644
--- a/extensions/libxt_TOS.man
+++ b/extensions/libxt_TOS.man
@@ -32,5 +32,5 @@ longterm releases 2.6.32 (>=.42), 2.6.33 (>=.15), and 2.6.35 (>=.14), there is
 a bug whereby IPv6 TOS mangling does not behave as documented and differs from
 the IPv4 version. The TOS mask indicates the bits one wants to zero out, so it
 needs to be inverted before applying it to the original TOS field. However, the
-aformentioned kernels forgo the inversion which breaks --set-tos and its
+aformentioned kernels forgo the inversion which breaks \-\-set\-tos and its
 mnemonics.
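Review bot: the rewritten line keeps the typo "aformentioned"; since the line is being touched anyway, change it to "aforementioned" in this hunk instead of leaving it for a follow-up.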
diff --git a/extensions/libxt_bpf.man b/extensions/libxt_bpf.man
index 1d2aa9e6..d6da2043 100644
--- a/extensions/libxt_bpf.man
+++ b/extensions/libxt_bpf.man
@@ -17,7 +17,7 @@ iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j AC
 \fB\-\-bytecode\fP \fIcode\fP
 Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
 .PP
-The code format is similar to the output of the tcpdump -ddd command: one line
+The code format is similar to the output of the tcpdump \-ddd command: one line
 that stores the number of instructions, followed by one line for each
 instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
 notation. Fields encode the operation, jump offset if true, jump offset if
diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man
index 94b4b205..23448e26 100644
--- a/extensions/libxt_cluster.man
+++ b/extensions/libxt_cluster.man
@@ -27,7 +27,7 @@ iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
 iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
 \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
 \-\-cluster\-hash\-seed 0xdeadbeef
-\-j MARK -\-set\-mark 0xffff
+\-j MARK \-\-set\-mark 0xffff
 .IP
 iptables \-A PREROUTING \-t mangle \-i eth1
 \-m mark ! \-\-mark 0xffff \-j DROP
diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man
index 5ba92ce0..ecb6ee5f 100644
--- a/extensions/libxt_osf.man
+++ b/extensions/libxt_osf.man
@@ -35,11 +35,11 @@ Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
 OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
 fingerprints from a file, use:
 .PP
-\fBnfnl_osf -f /usr/share/xtables/pf.os\fP
+\fBnfnl_osf \-f /usr/share/xtables/pf.os\fP
 .PP
 To remove them again,
 .PP
-\fBnfnl_osf -f /usr/share/xtables/pf.os -d\fP
+\fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP
 .PP
 The fingerprint database can be downloaded from
 http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
diff --git a/extensions/libxt_set.man b/extensions/libxt_set.man
index dbc1586b..5c6f64e3 100644
--- a/extensions/libxt_set.man
+++ b/extensions/libxt_set.man
@@ -61,5 +61,5 @@ when the set was defined without counter support.
 The option \fB\-\-match\-set\fP can be replaced by \fB\-\-set\fP if that does 
 not clash with an option of other extensions.
 .PP
-Use of -m set requires that ipset kernel support is provided, which, for
+Use of \-m set requires that ipset kernel support is provided, which, for
 standard kernels, is the case since Linux 2.6.39.



* [iptables PATCH 4/7] libipq: fix spelling in manpage
  2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 2/7] iptables: cleanup "allows to" usage Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 3/7] extensions: manpages: cleanup hyphens Arturo Borrero Gonzalez
@ 2019-12-04 18:18 ` Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 5/7] iptables: mention iptables-apply(8) in manpages Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2019-12-04 18:18 UTC
  To: netfilter-devel

From: Laurence J. Lane <ljlane@debian.org>

Fix spelling in this sentence.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 libipq/ipq_set_verdict.3 |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libipq/ipq_set_verdict.3 b/libipq/ipq_set_verdict.3
index 7771ed6a..a6172b30 100644
--- a/libipq/ipq_set_verdict.3
+++ b/libipq/ipq_set_verdict.3
@@ -30,7 +30,7 @@ The
 .B ipq_set_verdict
 function issues a verdict on a packet previously obtained with
 .BR ipq_read ,
-specifing the intended disposition of the packet, and optionally
+specifying the intended disposition of the packet, and optionally
 supplying a modified version of the payload data.
 .PP
 The



* [iptables PATCH 5/7] iptables: mention iptables-apply(8) in manpages
  2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 4/7] libipq: fix spelling in manpage Arturo Borrero Gonzalez
@ 2019-12-04 18:18 ` Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 6/7] extensions: libxt_sctp: add manpage description Arturo Borrero Gonzalez
From: Arturo Borrero Gonzalez @ 2019-12-04 18:18 UTC
  To: netfilter-devel

From: Laurence J. Lane <ljlane@debian.org>

Add iptables-apply(8) to the SEE ALSO section of *-save(8) and *-restore(8).

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 iptables/iptables-restore.8.in |    2 +-
 iptables/iptables-save.8.in    |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index f751492d..b4b62f92 100644
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -87,7 +87,7 @@ from Rusty Russell.
 .br
 Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-restore.
 .SH SEE ALSO
-\fBiptables\-save\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8), \fBiptables\fP(8)
 .PP
 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
 which details NAT, and the netfilter-hacking-HOWTO which details the
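Review bot: the new SEE ALSO entry is missing the space after the comma: `\fBiptables\-apply\fP(8),\fBiptables\-save\fP(8)` renders as "iptables-apply(8),iptables-save(8)". Use ", " as the existing separator between `iptables\-save` and `iptables` does.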
diff --git a/iptables/iptables-save.8.in b/iptables/iptables-save.8.in
index 29ef2829..7683fd37 100644
--- a/iptables/iptables-save.8.in
+++ b/iptables/iptables-save.8.in
@@ -62,7 +62,7 @@ Rusty Russell <rusty@rustcorp.com.au>
 .br
 Andras Kis-Szabo <kisza@sch.bme.hu> contributed ip6tables-save.
 .SH SEE ALSO
-\fBiptables\-restore\fP(8), \fBiptables\fP(8)
+\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8), \fBiptables\fP(8)
 .PP
 The iptables-HOWTO, which details more iptables usage, the NAT-HOWTO,
 which details NAT, and the netfilter-hacking-HOWTO which details the
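Review bot: same spacing problem as in iptables-restore.8.in: `\fBiptables\-apply\fP(8),\fBiptables\-restore\fP(8)` needs a space after the comma so the rendered list reads "iptables-apply(8), iptables-restore(8), iptables(8)".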



* [iptables PATCH 6/7] extensions: libxt_sctp: add manpage description
  2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 5/7] iptables: mention iptables-apply(8) in manpages Arturo Borrero Gonzalez
@ 2019-12-04 18:18 ` Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 7/7] iptables-apply: script and manpage update Arturo Borrero Gonzalez
  2019-12-04 19:05 ` [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Florian Westphal
From: Arturo Borrero Gonzalez @ 2019-12-04 18:18 UTC
  To: netfilter-devel

From: Laurence J. Lane <ljlane@debian.org>

Add manpage description.

Arturo says:
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 extensions/libxt_sctp.man |    1 +
 1 file changed, 1 insertion(+)

diff --git a/extensions/libxt_sctp.man b/extensions/libxt_sctp.man
index 9c0bd8c3..3779d05a 100644
--- a/extensions/libxt_sctp.man
+++ b/extensions/libxt_sctp.man
@@ -1,3 +1,4 @@
+This module matches Stream Control Transmission Protocol headers.
 .TP
 [\fB!\fP] \fB\-\-source\-port\fP,\fB\-\-sport\fP \fIport\fP[\fB:\fP\fIport\fP]
 .TP
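Review bot: the one-line description is fine, but the acronym is the term people search the manpage for; suggest "This module matches Stream Control Transmission Protocol (SCTP) headers." so that both the expanded name and SCTP appear.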



* [iptables PATCH 7/7] iptables-apply: script and manpage update
  2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
  2019-12-04 18:18 ` [iptables PATCH 6/7] extensions: libxt_sctp: add manpage description Arturo Borrero Gonzalez
@ 2019-12-04 18:18 ` Arturo Borrero Gonzalez
  2019-12-04 19:05 ` [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Florian Westphal
From: Arturo Borrero Gonzalez @ 2019-12-04 18:18 UTC
  To: netfilter-devel

From: GW <gw.2010@tnode.com>

This is GW's update to iptables-apply. It does a code cleanup and adds two
options: one runs a command and the other writes the successful rules file.

I modified the script to use mktemp instead of tempfile. I also fixed a couple
of hyphens in the man page addition.

Arturo says:
 I'm not a strong supporter of this script, but there are many users of it, so
 better do things right and add this patch that should produce no harm anyway.
 This patch is forwarded from the iptables Debian package, where it has been
 around for many years now.

Signed-off-by: GW <gw.2010@tnode.com>
Signed-off-by: Laurence J. Lane <ljlane@debian.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 iptables/iptables-apply      |  302 +++++++++++++++++++++++++++++-------------
 iptables/iptables-apply.8.in |   46 ++++--
 2 files changed, 242 insertions(+), 106 deletions(-)

diff --git a/iptables/iptables-apply b/iptables/iptables-apply
index 819ca4a4..4683b1b4 100755
--- a/iptables/iptables-apply
+++ b/iptables/iptables-apply
@@ -1,174 +1,294 @@
 #!/bin/bash
-#
 # iptables-apply -- a safer way to update iptables remotely
 #
-# Copyright © Martin F. Krafft <madduck@madduck.net>
+# Usage:
+#   iptables-apply [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
+#
+# Versions:
+#   * 1.0 Copyright 2006 Martin F. Krafft <madduck@madduck.net>
+#         Original version
+#   * 1.1 Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>
+#         Added parameter -c (run command)
+#         Added parameter -w (save successfully applied rules to file)
+#         Major code cleanup
+#
 # Released under the terms of the Artistic Licence 2.0
 #
 set -eu
 
-PROGNAME="${0##*/}";
-VERSION=1.0
+PROGNAME="${0##*/}"
+VERSION=1.1
+
+
+### Default settings
+
+DEF_TIMEOUT=10
+
+MODE=0  # apply rulesfile mode
+# MODE=1  # run command mode
+
+case "$PROGNAME" in
+	(*6*)
+		SAVE=ip6tables-save
+		RESTORE=ip6tables-restore
+		DEF_RULESFILE="/etc/network/ip6tables.up.rules"
+		DEF_SAVEFILE="$DEF_RULESFILE"
+		DEF_RUNCMD="/etc/network/ip6tables.up.run"
+		;;
+	(*)
+		SAVE=iptables-save
+		RESTORE=iptables-restore
+		DEF_RULESFILE="/etc/network/iptables.up.rules"
+		DEF_SAVEFILE="$DEF_RULESFILE"
+		DEF_RUNCMD="/etc/network/iptables.up.run"
+		;;
+esac
+
 
-TIMEOUT=10
+### Functions
 
-function blurb()
-{
-	cat <<-_eof
+function blurb() {
+	cat <<-__EOF__
 	$PROGNAME $VERSION -- a safer way to update iptables remotely
-	_eof
+	__EOF__
 }
 
-function copyright()
-{
-	cat <<-_eof
-	$PROGNAME is C Martin F. Krafft <madduck@madduck.net>.
+function copyright() {
+	cat <<-__EOF__
+	$PROGNAME has been published under the terms of the Artistic Licence 2.0.
 
-	The program has been published under the terms of the Artistic Licence 2.0
-	_eof
+	Original version - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
+	Version 1.1 - Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>.
+	__EOF__
 }
 
-function about()
-{
+function about() {
 	blurb
 	echo
 	copyright
 }
 
-function usage()
-{
-	cat <<-_eof
-	Usage: $PROGNAME [options] ruleset
+function usage() {
+	blurb
+	echo
+	cat <<-__EOF__
+	Usage:
+	  $PROGNAME [-hV] [-t timeout] [-w savefile] {[rulesfile]|-c [runcmd]}
+
+	The script will try to apply a new rulesfile (as output by iptables-save,
+	read by iptables-restore) or run a command to configure iptables and then
+	prompt the user whether the changes are okay. If the new iptables rules cut
+	the existing connection, the user will not be able to answer affirmatively.
+	In this case, the script rolls back to the previous working iptables rules
+	after the timeout expires.
+
+	Successfully applied rules can also be written to savefile and later used
+	to roll back to this state. This can be used to implement a store last good
+	configuration mechanism when experimenting with an iptables setup script:
+	  $PROGNAME -w $DEF_SAVEFILE -c $DEF_RUNCMD
 
-	The script will try to apply a new ruleset (as output by iptables-save/read
-	by iptables-restore) to iptables, then prompt the user whether the changes
-	are okay. If the new ruleset cut the existing connection, the user will not
-	be able to answer affirmatively. In this case, the script rolls back to the
-	previous ruleset.
+	When called as ip6tables-apply, the script will use ip6tables-save/-restore
+	and IPv6 default values instead. Default value for rulesfile is
+	'$DEF_RULESFILE'.
+
+	Options:
+
+	-t seconds, --timeout seconds
+	  Specify the timeout in seconds (default: $DEF_TIMEOUT).
+	-w savefile, --write savefile
+	  Specify the savefile where successfully applied rules will be written to
+	  (default if empty string is given: $DEF_SAVEFILE).
+	-c runcmd, --command runcmd
+	  Run command runcmd to configure iptables instead of applying a rulesfile
+	  (default: $DEF_RUNCMD).
+	-h, --help
+	  Display this help text.
+	-V, --version
+	  Display version information.
+
+	__EOF__
+}
 
-	The following options may be specified, using standard conventions:
+function checkcommands() {
+	for cmd in "${COMMANDS[@]}"; do
+		if ! command -v "$cmd" >/dev/null; then
+			echo "Error: needed command not found: $cmd" >&2
+			exit 127
+		fi
+	done
+}
 
-	-t | --timeout	Specify the timeout in seconds (default: $TIMEOUT)
-	-V | --version	Display version information
-	-h | --help	Display this help text
-	_eof
+function revertrules() {
+	echo -n "Reverting to old iptables rules... "
+	"$RESTORE" <"$TMPFILE"
+	echo "done."
 }
 
-SHORTOPTS="t:Vh";
-LONGOPTS="timeout:,version,help";
+
+### Parsing and checking parameters
+
+TIMEOUT="$DEF_TIMEOUT"
+SAVEFILE=""
+
+SHORTOPTS="t:w:chV";
+LONGOPTS="timeout:,write:,command,help,version";
 
 OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $?
 for opt in $OPTS; do
 	case "$opt" in
-		(-*) unset OPT_STATE;;
+		(-*)
+			unset OPT_STATE
+			;;
 		(*)
 			case "${OPT_STATE:-}" in
-				(SET_TIMEOUT)
-					eval TIMEOUT=$opt
-					case "$TIMEOUT" in
-						([0-9]*) :;;
-						(*)
-							echo "E: non-numeric timeout value." >&2
-							exit 1
-							;;
-					esac
+				(SET_TIMEOUT) eval TIMEOUT=$opt;;
+				(SET_SAVEFILE)
+					eval SAVEFILE=$opt
+					[ -z "$SAVEFILE" ] && SAVEFILE="$DEF_SAVEFILE"
 					;;
 			esac
 			;;
 	esac
 
 	case "$opt" in
+		(-t|--timeout) OPT_STATE="SET_TIMEOUT";;
+		(-w|--write) OPT_STATE="SET_SAVEFILE";;
+		(-c|--command) MODE=1;;
 		(-h|--help) usage >&2; exit 0;;
 		(-V|--version) about >&2; exit 0;;
-		(-t|--timeout) OPT_STATE=SET_TIMEOUT;;
 		(--) break;;
 	esac
 	shift
 done
 
-case "$PROGNAME" in
-	(*6*)
-		SAVE=ip6tables-save
-		RESTORE=ip6tables-restore
-		DEFAULT_FILE=/etc/network/ip6tables
-		;;
-	(*)
-		SAVE=iptables-save
-		RESTORE=iptables-restore
-		DEFAULT_FILE=/etc/network/iptables
-		;;
-esac
-
-FILE="${1:-$DEFAULT_FILE}";
-
-if [[ -z "$FILE" ]]; then
-	echo "E: missing file argument." >&2
+# Validate parameters
+if [ "$TIMEOUT" -ge 0 ] 2>/dev/null; then
+	TIMEOUT=$(($TIMEOUT))
+else
+	echo "Error: timeout must be a positive number" >&2
 	exit 1
 fi
 
-if [[ ! -r "$FILE" ]]; then
-	echo "E: cannot read $FILE" >&2
-	exit 2
+if [ -n "$SAVEFILE" -a -e "$SAVEFILE" -a ! -w "$SAVEFILE" ]; then
+	echo "Error: savefile not writable: $SAVEFILE" >&2
+	exit 8
 fi
 
-COMMANDS=(tempfile "$SAVE" "$RESTORE")
+case "$MODE" in
+	(1)
+		# Treat parameter as runcmd (run command mode)
+		RUNCMD="${1:-$DEF_RUNCMD}"
+		if [ ! -x "$RUNCMD" ]; then
+			echo "Error: runcmd not executable: $RUNCMD" >&2
+			exit 6
+		fi
+
+		# Needed commands
+		COMMANDS=(mktemp "$SAVE" "$RESTORE" "$RUNCMD")
+		checkcommands
+		;;
+	(*)
+		# Treat parameter as rulesfile (apply rulesfile mode)
+		RULESFILE="${1:-$DEF_RULESFILE}";
+		if [ ! -r "$RULESFILE" ]; then
+			echo "Error: rulesfile not readable: $RULESFILE" >&2
+			exit 2
+		fi
+
+		# Needed commands
+		COMMANDS=(mktemp "$SAVE" "$RESTORE")
+		checkcommands
+		;;
+esac
 
-for cmd in "${COMMANDS[@]}"; do
-	if ! command -v $cmd >/dev/null; then
-		echo "E: command not found: $cmd" >&2
-		exit 127
-	fi
-done
 
-umask 0700
+### Begin work
 
-TMPFILE=$(tempfile -p iptap)
+# Store old iptables rules to temporary file
+TMPFILE=`mktemp /tmp/$PROGNAME-XXXXXXXX`
 trap "rm -f $TMPFILE" EXIT HUP INT QUIT ILL TRAP ABRT BUS \
 		      FPE USR1 SEGV USR2 PIPE ALRM TERM
 
 if ! "$SAVE" >"$TMPFILE"; then
+	# An error occured
 	if ! grep -q ipt /proc/modules 2>/dev/null; then
-		echo "E: iptables support lacking from the kernel." >&2
+		echo "Error: iptables support lacking from the kernel" >&2
 		exit 3
 	else
-		echo "E: unknown error saving current iptables ruleset." >&2
+		echo "Error: unknown error saving old iptables rules: $TMPFILE" >&2
 		exit 4
 	fi
 fi
 
+# Legacy to stop the fail2ban daemon if present
 [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop
 
-echo -n "Applying new ruleset... "
-if ! "$RESTORE" <"$FILE"; then
-	echo "failed."
-	echo "E: unknown error applying new iptables ruleset." >&2
-	exit 5
-else
-	echo "done."
-fi
+# Configure iptables
+case "$MODE" in
+	(1)
+		# Run command in background and kill it if it times out
+		echo -n "Running command '$RUNCMD'... "
+		"$RUNCMD" &
+		CMD_PID=$!
+		( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &
+		CMDTIMEOUT_PID=$!
+		if ! wait "$CMD_PID"; then
+			echo "failed."
+			echo "Error: unknown error running command: $RUNCMD" >&2
+			revertrules
+			exit 7
+		else
+			echo "done."
+		fi
+		;;
+	(*)
+		# Apply iptables rulesfile
+		echo -n "Applying new iptables rules from '$RULESFILE'... "
+		if ! "$RESTORE" <"$RULESFILE"; then
+			echo "failed."
+			echo "Error: unknown error applying new iptables rules: $RULESFILE" >&2
+			revertrules
+			exit 5
+		else
+			echo "done."
+		fi
+		;;
+esac
 
+# Prompt user for confirmation
 echo -n "Can you establish NEW connections to the machine? (y/N) "
 
-read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || :
+read -n1 -t "$TIMEOUT" ret 2>&1 || :
 case "${ret:-}" in
 	(y*|Y*)
+		# Success
 		echo
+
+		if [ ! -z "$SAVEFILE" ]; then
+			# Write successfully applied rules to the savefile
+			echo "Writing successfully applied rules to '$SAVEFILE'..."
+			if ! "$SAVE" >"$SAVEFILE"; then
+				echo "Error: unknown error writing successfully applied rules: $SAVEFILE" >&2
+				exit 9
+			fi
+		fi
+
 		echo "... then my job is done. See you next time."
 		;;
 	(*)
-		if [[ -z "${ret:-}" ]]; then
-			echo "apparently not..."
+		# Failed
+		echo
+		if [ -z "${ret:-}" ]; then
+			echo "Timeout! Something happened (or did not). Better play it safe..."
 		else
-			echo
+			echo "No affirmative response! Better play it safe..."
 		fi
-		echo "Timeout. Something happened (or did not). Better play it safe..."
-		echo -n "Reverting to old ruleset... "
-		"$RESTORE" <"$TMPFILE";
-		echo "done."
+		revertrules
 		exit 255
 		;;
 esac
 
+# Legacy to start the fail2ban daemon again
 [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start
 
 exit 0
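Review bot: the timeout watchdog started by `( sleep "$TIMEOUT"; kill "$CMD_PID" 2>/dev/null; exit 0 ) &` in the (1) branch is never cancelled: CMDTIMEOUT_PID is assigned but not used anywhere in this hunk, so when the command finishes before the timeout the sleeper keeps running and will later send SIGTERM to whatever process has reused that PID. Add `kill "$CMDTIMEOUT_PID" 2>/dev/null` directly after `wait "$CMD_PID"`. The same branch cannot tell a timeout from a failure either: when the watchdog kills the command, `wait` returns non-zero and the user is told "unknown error running command", so check for the SIGTERM status (128+15) and print a dedicated timeout message before calling revertrules. Two smaller points: `"$RUNCMD" &` runs the whole value as one word, so a runcmd with arguments can never be passed (document that, or run it through `sh -c`); and `"$SAVE" >"$SAVEFILE"` truncates the savefile before iptables-save has produced anything, so a failing save leaves the last-known-good file empty rather than untouched; write to a temporary file next to it and mv it into place only on success.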
diff --git a/iptables/iptables-apply.8.in b/iptables/iptables-apply.8.in
index cdc9c447..f0ed4e5f 100644
--- a/iptables/iptables-apply.8.in
+++ b/iptables/iptables-apply.8.in
@@ -1,6 +1,6 @@
 .\"     Title: iptables-apply
-.\"    Author: Martin F. Krafft
-.\"      Date: Jun 04, 2006
+.\"    Author: Martin F. Krafft, GW
+.\"      Date: May 10, 2010
 .\"
 .TH IPTABLES\-APPLY 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
 .\" disable hyphenation
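Review bot: the `.\" Date:` header comment is bumped to May 10, 2010 although this change is being merged in 2019 and the file's history now lives in git, so the comment is stale on arrival; either drop the Author/Date comment lines or keep them consistent with the LEGALESE section of the same manpage, which credits 2006 and 2010 only.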
@@ -8,23 +8,37 @@
 .SH NAME
 iptables-apply \- a safer way to update iptables remotely
 .SH SYNOPSIS
-\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] \fIruleset\-file\fP
+\fBiptables\-apply\fP [\-\fBhV\fP] [\fB-t\fP \fItimeout\fP] [\fB-w\fP \fIsavefile\fP] {[\fIrulesfile]|-c [runcmd]}\fP
 .SH "DESCRIPTION"
 .PP
-iptables\-apply will try to apply a new ruleset (as output by
-iptables\-save/read by iptables\-restore) to iptables, then prompt the
-user whether the changes are okay. If the new ruleset cut the existing
-connection, the user will not be able to answer affirmatively. In this
-case, the script rolls back to the previous ruleset after the timeout
-expired. The timeout can be set with \fB\-t\fP.
+iptables\-apply will try to apply a new rulesfile (as output by
+iptables-save, read by iptables-restore) or run a command to configure
+iptables and then prompt the user whether the changes are okay. If the
+new iptables rules cut the existing connection, the user will not be
+able to answer affirmatively. In this case, the script rolls back to
+the previous working iptables rules after the timeout expires.
 .PP
-When called as \fBip6tables\-apply\fP, the script will use
-ip6tables\-save/\-restore instead.
+Successfully applied rules can also be written to savefile and later used
+to roll back to this state. This can be used to implement a store last good
+configuration mechanism when experimenting with an iptables setup script:
+iptables-apply \-w /etc/network/iptables.up.rules \-c /etc/network/iptables.up.run
+.PP
+When called as ip6tables\-apply, the script will use
+ip6tables\-save/\-restore and IPv6 default values instead. Default
+value for rulesfile is '/etc/network/iptables.up.rules'.
 .SH OPTIONS
 .TP
 \fB\-t\fP \fIseconds\fR, \fB\-\-timeout\fP \fIseconds\fR
-Sets the timeout after which the script will roll back to the previous
-ruleset.
+Sets the timeout in seconds after which the script will roll back
+to the previous ruleset (default: 10).
+.TP
+\fB\-w\fP \fIsavefile\fR, \fB\-\-write\fP \fIsavefile\fR
+Specify the savefile where successfully applied rules will be written to
+(default if empty string is given: /etc/network/iptables.up.rules).
+.TP
+\fB\-c\fP \fIruncmd\fR, \fB\-\-command\fP \fIruncmd\fR
+Run command runcmd to configure iptables instead of applying a rulesfile
+(default: /etc/network/iptables.up.run).
 .TP
 \fB\-h\fP, \fB\-\-help\fP
 Display usage information.
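Review bot: the new SYNOPSIS line `{[\fIrulesfile]|-c [runcmd]}\fP` opens \fI for rulesfile but only closes it with the trailing \fP after the closing brace, so `]|-c [runcmd]}` is rendered in italics too; write it as `{[\fIrulesfile\fP] | \fB\-c\fP [\fIruncmd\fP]}`. The hunk also regresses the hyphen escaping that patch 3/7 of this series cleans up elsewhere: the removed text had `iptables\-save` and `iptables\-restore`, while the new DESCRIPTION uses `iptables-save`, `iptables-restore` and `iptables-apply`, and `ip6tables\-apply` loses its \fB markup. Two documentation points: the example `iptables-apply \-w /etc/network/iptables.up.rules \-c /etc/network/iptables.up.run` sits inside a .PP paragraph, so it will be filled together with the preceding sentence; put it in an .nf/.fi (or .EX/.EE) block on its own line. And "Default value for rulesfile is '/etc/network/iptables.up.rules'" lands in the ip6tables\-apply paragraph right after "IPv6 default values instead", which reads as if that were the IPv6 default; state the IPv6 default explicitly or move the sentence to the rulesfile description. Finally, the stated `-t` default of 10 differs from the `${TIMEOUT:-15}` fallback removed in the script hunk, so the behaviour change deserves a mention in the commit message.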
@@ -36,9 +50,11 @@ Display version information.
 \fBiptables-restore\fP(8), \fBiptables-save\fP(8), \fBiptables\fR(8).
 .SH LEGALESE
 .PP
-iptables\-apply is copyright by Martin F. Krafft.
+Original iptables-apply - Copyright 2006 Martin F. Krafft <madduck@madduck.net>.
+Version 1.1 - Copyright 2010 GW <gw.2010@tnode.com or http://gw.tnode.com/>.
 .PP
-This manual page was written by Martin F. Krafft <madduck@madduck.net>
+This manual page was written by Martin F. Krafft <madduck@madduck.net> and
+extended by GW <gw.2010@tnode.com or http://gw.tnode.com/>.
 .PP
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the Artistic License 2.0.
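Review bot: the bare ` - ` in `Original iptables-apply - Copyright 2006 ...` and `Version 1.1 - Copyright 2010 ...` is a dash in running text and should be `\-` (or `\(en`) under roff, and `iptables-apply` here again lacks the `\-` escape used in the rest of the page; the URL would also be easier to read if it were marked up with \fI...\fP or a .UR/.UE pair rather than sharing angle brackets with the email address.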



* Re: [iptables PATCH 1/7] iptables: install iptables-apply script and manpage
  2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
                   ` (5 preceding siblings ...)
  2019-12-04 18:18 ` [iptables PATCH 7/7] iptables-apply: script and manpage update Arturo Borrero Gonzalez
@ 2019-12-04 19:05 ` Florian Westphal
  2019-12-05 10:46   ` Pablo Neira Ayuso
  6 siblings, 1 reply; 9+ messages in thread
From: Florian Westphal @ 2019-12-04 19:05 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: netfilter-devel

Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
> From: Laurence J. Lane <ljlane@debian.org>
> 
> We have the iptables-apply script in the tree (and in the release tarball), but
> is not being installed anywhere. Same for the manpage.
> 
> Arturo says:
>  I'm not a strong supporter of this script, but there are many users of it, so
>  better do things right and do a proper installation.
>  This patch is forwarded from the iptables Debian package, where it has been
>  around for many years now.

Series looks good to me, thanks Arturo.  Feel free to push this out.


* Re: [iptables PATCH 1/7] iptables: install iptables-apply script and manpage
  2019-12-04 19:05 ` [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Florian Westphal
@ 2019-12-05 10:46   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2019-12-05 10:46 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Arturo Borrero Gonzalez, netfilter-devel

On Wed, Dec 04, 2019 at 08:05:41PM +0100, Florian Westphal wrote:
> Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
> > From: Laurence J. Lane <ljlane@debian.org>
> > 
> > We have the iptables-apply script in the tree (and in the release tarball), but
> > is not being installed anywhere. Same for the manpage.
> > 
> > Arturo says:
> >  I'm not a strong supporter of this script, but there are many users of it, so
> >  better do things right and do a proper installation.
> >  This patch is forwarded from the iptables Debian package, where it has been
> >  around for many years now.
> 
> Series looks good to me, thanks Arturo.  Feel free to push this out.

Just pushed this out.



Thread overview: 9+ messages
2019-12-04 18:17 [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Arturo Borrero Gonzalez
2019-12-04 18:18 ` [iptables PATCH 2/7] iptables: cleanup "allows to" usage Arturo Borrero Gonzalez
2019-12-04 18:18 ` [iptables PATCH 3/7] extensions: manpages: cleanup hyphens Arturo Borrero Gonzalez
2019-12-04 18:18 ` [iptables PATCH 4/7] libipq: fix spelling in manpage Arturo Borrero Gonzalez
2019-12-04 18:18 ` [iptables PATCH 5/7] iptables: mention iptables-apply(8) in manpages Arturo Borrero Gonzalez
2019-12-04 18:18 ` [iptables PATCH 6/7] extensions: libxt_sctp: add manpage description Arturo Borrero Gonzalez
2019-12-04 18:18 ` [iptables PATCH 7/7] iptables-apply: script and manpage update Arturo Borrero Gonzalez
2019-12-04 19:05 ` [iptables PATCH 1/7] iptables: install iptables-apply script and manpage Florian Westphal
2019-12-05 10:46   ` Pablo Neira Ayuso
