From mboxrd@z Thu Jan 1 00:00:00 1970 From: Robin Roevens To: development@lists.ipfire.org Subject: [PATCH v2] misc-progs: getipstat: Refactor + extend Date: Tue, 27 Apr 2021 22:07:32 +0200 Message-ID: <20210427200732.6830-1-robin.roevens@disroot.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8933433849648832691==" List-Id: --===============8933433849648832691== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable * Return output of iptables directly instead of writing it to files. * Make iptables wait for 5s if xtables is locked by another iptables process. (--wait 5 argument) * Add optional parameter "-x" to have iptables report exact numbers. * Add optional parameter "-f" to display the filter table (default). * Add optional parameter "-n" to display the nat table. * Add optional parameter "-m" to display the mangle table. * Adapt iptables.cgi and guardian.cgi to catch getipstat output instead of reading temp-files. Signed-off-by: Robin Roevens
--- html/cgi-bin/guardian.cgi | 12 ++----- html/cgi-bin/iptables.cgi | 18 ++++------ src/misc-progs/getipstat.c | 67 +++++++++++++++++++++++++++++++++----- 3 files changed, 66 insertions(+), 31 deletions(-)
diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi
index fb16be00e..552c67211 100644
--- a/html/cgi-bin/guardian.cgi
+++ b/html/cgi-bin/guardian.cgi
@@ -829,12 +829,9 @@ sub GetBlockedHosts() {
 my @hosts;
=20
 # Launch helper to get chains from iptables.
- system('/usr/local/bin/getipstat');
+ open (FILE, '/usr/local/bin/getipstat | ');
=20
- # Open temporary file which contains the chains and rules.
- open (FILE, '/var/tmp/iptables.txt');
-
- # Loop through the entire file.
+ # Loop through the entire output.
 while () {
 my $line =3D $_;
=20
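Review bot: The new `open (FILE, '/usr/local/bin/getipstat | ')` is never checked, so if the helper cannot be spawned the `while` loop that follows reads from an unopened handle and the sub silently produces an empty host list. The three-argument pipe form with a status check, `open(FILE, '-|', '/usr/local/bin/getipstat') or die "getipstat: $!";` (or whatever failure handling the rest of this file uses), keeps any shell out of the path and surfaces the failure; the command string is constant, so there is no injection concern here, only error handling. Since getipstat now exits non-zero on bad arguments and hands back the iptables status, the `close(FILE)` later in this sub is worth checking too, e.g. `close(FILE) or warn "getipstat exited with status $?";`. GetBlockedHosts starts before this hunk and continues past it.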
@@ -864,11 +861,6 @@ sub GetBlockedHosts() { # Close filehandle. close(FILE); =20 - # Remove recently created temporary files of the "getipstat" binary. - system("rm -f /var/tmp/iptables.txt"); - system("rm -f /var/tmp/iptablesmangle.txt"); - system("rm -f /var/tmp/iptablesnat.txt"); - # Convert entries, sort them, write back and store the sorted entries into = new array. my @sorted =3D map { $_->[0] } sort { $a->[1] <=3D> $b->[1] } diff --git a/html/cgi-bin/iptables.cgi b/html/cgi-bin/iptables.cgi index b52d74fcf..f900562d9 100644 --- a/html/cgi-bin/iptables.cgi +++ b/html/cgi-bin/iptables.cgi @@ -44,8 +44,6 @@ my %cgiparams=3D(); =20 &Header::getcgihash(\%cgiparams); =20 -system('/usr/local/bin/getipstat'); - &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipts'}, 1, ''); &Header::openbigbox('100%', 'LEFT'); @@ -84,11 +82,11 @@ print <){ =20 $iplines[$lines] =3D $_; @@ -206,11 +204,11 @@ print <){ =20 $ipmlines[$manlines] =3D $_; @@ -333,11 +331,11 @@ print <){ =20 $ipnatlines[$natlines] =3D $_; @@ -433,7 +431,3 @@ print "
"; &Header::closebox(); &Header::closebigbox(); &Header::closepage(); - -system("rm -f /var/tmp/iptables.txt"); -system("rm -f /var/tmp/iptablesmangle.txt"); -system("rm -f /var/tmp/iptablesnat.txt"); diff --git a/src/misc-progs/getipstat.c b/src/misc-progs/getipstat.c index c806d54a9..99d053bbf 100644 --- a/src/misc-progs/getipstat.c +++ b/src/misc-progs/getipstat.c @@ -2,6 +2,15 @@ * * Get the list from IPTABLES -L *=20 + * Optional commandline parameters: + * -x=20 + * instruct iptables to expand numbers + * -f=20 + * display filter table=20 + * -n + * display nat table + * -m + * display mangle table */ =20 #include 
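Review bot: The new option list in the header comment does not say that -f, -n and -m are mutually exclusive, that the filter table is what you get when none of them is given, or that -x maps to iptables' `--exact`; a reader of the usage line alone cannot tell that `-n -m` is rejected rather than listing both tables. I would add after the -m entry ` * -f, -n and -m are mutually exclusive; without any of them the filter table is listed.` and extend the -x line to ` *    instruct iptables to expand numbers (passes --exact)`. The header comment is complete within this hunk.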
@@ -9,20 +18,60 @@
 #include
 #include
 #include
-#include
 #include "setuid.h"
=20
-
-int main(void)
+int main(int argc, char** argv)
 {
+ // Set defaults
+ // first argument has to be "iptables" since execve executes the program po= inted to by filename
+ // but /sbin/iptables is actually a symlink to /sbin/xtables-legacy-multi h= ence that program is executed
+ // however without the notion that it was called as "iptables". So we have = to pass "iptables" as first
+ // argument.
+ char *args[10] =3D {"iptables", "--list", "--verbose", "--numeric", "--wait= ", "5", NULL, NULL, NULL, NULL};
+ char *usage =3D "getipstat [-x][-f|-n|-m]";
+ unsigned int pcount =3D 6;
+ unsigned int table_set =3D 0;
+
+ int opt;
+=09
 if (!(initsetuid()))
 exit(1);
=20
- safe_system("/sbin/iptables -L -v -n > /var/tmp/iptables.txt");
- safe_system("/sbin/iptables -L -v -n -t nat > /var/tmp/iptablesnat.txt");
- safe_system("/sbin/iptables -t mangle -L -v -n > /var/tmp/iptablesmangle.tx= t");
- safe_system("chown nobody.nobody /var/tmp/iptables.txt /var/tmp/iptablesnat= .txt /var/tmp/iptablesmangle.txt");
-=09
- return 0;
+ // Parse command line arguments
+ if (argc > 1) {
+ while ((opt =3D getopt(argc, argv, "xfnm")) !=3D -1) {
+ switch(opt) {
+ case 'x':
+ args[pcount++] =3D "--exact";
+ break;
+ case 'f':
+ table_set++;
+ break;
+ case 'n':
+ if (table_set =3D=3D 0) {
+ args[pcount++] =3D "--table";
+ args[pcount++] =3D "nat";
+ }
+ table_set++;
+ break;
+ case 'm':
+ if (table_set =3D=3D 0) {
+ args[pcount++] =3D "--table";
+ args[pcount++] =3D "mangle";
+ }
+ table_set++;
+ break;
+ default:
+ fprintf(stderr, "\nBad argument given.\n\n%s\n", usage);
+ exit(1);
+ }
+ }
+ if (table_set > 1) {
+ fprintf(stderr, "\nArguments -f/-n/-m are mutualy exclusive.\n\n%s\n", us= age);
+ exit(1);
+ }
+ }
+
+ return run("/sbin/iptables", args);
 }
=20
--=20 2.31.1 --=20 Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn. 
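Review bot: A repeated `-x` overflows `args`: every occurrence appends another `"--exact"` via `args[pcount++]` with no bound, so `getipstat -x -x -x` overwrites the terminating NULL in `args[9]` and a fourth `-x` writes past the end of the ten-element array, in a binary that has just called `initsetuid()` (presumably to raise privileges, confirm) and is invoked from the web UI. The `-f`/`-n`/`-m` cases are guarded by `table_set`, but `-x` has no equivalent flag; recording it and appending `--exact` once after the loop keeps `pcount` at most 9 and the NULL terminator intact (a bound check before each append would do as well). The `if (argc > 1)` wrapper is redundant, since getopt returns -1 at once with no arguments, and `run()`'s return value becomes the exit status, which the CGI callers in this patch never inspect when iptables fails or the 5 s `--wait` expires. main() is complete within this hunk.
```c
	char *args[10] = {"iptables", "--list", "--verbose", "--numeric", "--wait", "5", NULL, NULL, NULL, NULL};
	char *usage = "getipstat [-x][-f|-n|-m]";
	unsigned int pcount = 6;
	unsigned int table_set = 0;
	unsigned int exact = 0;	// -x seen; appended once below so args cannot overflow

	// … unchanged: opt declaration, initsetuid() check …

	while ((opt = getopt(argc, argv, "xfnm")) != -1) {
		switch(opt) {
			case 'x':
				exact = 1;
				break;
			// … unchanged: 'f', 'n', 'm' and default cases …
		}
	}
	// … unchanged: table_set > 1 check …
	if (exact)
		args[pcount++] = "--exact";	// pcount is now at most 9; args[9] stays NULL

	return run("/sbin/iptables", args);
```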
--===============8933433849648832691==--