From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH v2] misc-progs: getipstat: Refactor + extend Date: Tue, 04 May 2021 15:49:39 +0100 Message-ID: In-Reply-To: <20210427200732.6830-1-robin.roevens@disroot.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6214756270206370580==" List-Id: --===============6214756270206370580== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, Thank you. This looks very good and I merged it into next. Best, -Michael > On 27 Apr 2021, at 21:07, Robin Roevens wrote: >=20 > * Return output of iptables directly instead of writing it to files. > * Make iptables wait for 5s if xtables is locked by another iptables > process. (--wait 5 argument) > * Add optional parameter "-x" to have iptables report exact numbers. > * Add optional parameter "-f" to display the filter table (default). > * Add optional parameter "-n" to display the nat table. > * Add optional parameter "-m" to display the mangle table. > * Adapt iptables.cgi and guardian.cgi to catch getipstat output > instead of reading temp-files. >=20 > Signed-off-by: Robin Roevens > --- > html/cgi-bin/guardian.cgi | 12 ++----- > html/cgi-bin/iptables.cgi | 18 ++++------ > src/misc-progs/getipstat.c | 67 +++++++++++++++++++++++++++++++++----- > 3 files changed, 66 insertions(+), 31 deletions(-) >=20 > diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi > index fb16be00e..552c67211 100644 > --- a/html/cgi-bin/guardian.cgi > +++ b/html/cgi-bin/guardian.cgi 
> @@ -829,12 +829,9 @@ sub GetBlockedHosts() {
> my @hosts;
>=20
> # Launch helper to get chains from iptables.
> - system('/usr/local/bin/getipstat');
> + open (FILE, '/usr/local/bin/getipstat | ');
>=20
> - # Open temporary file which contains the chains and rules.
> - open (FILE, '/var/tmp/iptables.txt');
> -
> - # Loop through the entire file.
> + # Loop through the entire output.
> while () {
> my $line =3D $_;
>=20
> @@ -864,11 +861,6 @@ sub GetBlockedHosts() {
> # Close filehandle.
> close(FILE);
>=20
> - # Remove recently created temporary files of the "getipstat" binary.
> - system("rm -f /var/tmp/iptables.txt");
> - system("rm -f /var/tmp/iptablesmangle.txt");
> - system("rm -f /var/tmp/iptablesnat.txt");
> -
> # Convert entries, sort them, write back and store the sorted entries into= new array.
> my @sorted =3D map { $_->[0] }
> sort { $a->[1] <=3D> $b->[1] }
> diff --git a/html/cgi-bin/iptables.cgi b/html/cgi-bin/iptables.cgi
> index b52d74fcf..f900562d9 100644
> --- a/html/cgi-bin/iptables.cgi
> +++ b/html/cgi-bin/iptables.cgi
> @@ -44,8 +44,6 @@ my %cgiparams=3D();
>=20
> &Header::getcgihash(\%cgiparams);
>=20
> -system('/usr/local/bin/getipstat');
> -
> &Header::showhttpheaders();
> &Header::openpage($Lang::tr{'ipts'}, 1, '');
> &Header::openbigbox('100%', 'LEFT');
> @@ -84,11 +82,11 @@ print < END
> ;
>=20
> -# We=C2=B4ll open the txt files and extract each line, if the line
> +# We=C2=B4ll get iptables output and examine each line, if the line
> # start with an Chain the the name, start- and endline of the
> # chain is extracted into a hash
>=20
> - open (FILE, '/var/tmp/iptables.txt');
> + open (FILE, '/usr/local/bin/getipstat | ');
> while (){
>=20
> $iplines[$lines] =3D $_;
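Review bot: The piped `open (FILE, '/usr/local/bin/getipstat | ')` that replaces the system() call is unchecked, and a pipe open only fails when the fork itself fails, so a getipstat that exits non-zero (for instance when iptables gives up on the xtables lock after the new `--wait 5`, or when initsetuid() refuses to run) simply yields an empty read loop that is indistinguishable from "no blocked hosts". The exit status only surfaces through the return value of `close(FILE)` and `$?`, and the `close(FILE)` in the next hunk does not look at either. I would use the list form, `open(FILE, '-|', '/usr/local/bin/getipstat') or die "getipstat: $!";`, and check the close, `close(FILE) or warn "getipstat exited with status " . ($? >> 8);`, so a locked firewall does not silently read as an empty block list. GetBlockedHosts() begins before this hunk and continues past it.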
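Review bot: `open (FILE, '/usr/local/bin/getipstat | ')` in the `-84,11` hunk uses the two-argument pipe form with a bareword handle and no error check; the command string is a constant here, so there is no injection, but the two-argument form hands the string to a shell as soon as it ever contains metacharacters, whereas the list form never does, and the same pattern is repeated for `-m` and `-n` in the two following hunks. Prefer a lexical handle and the list form, `open(my $fh, '-|', '/usr/local/bin/getipstat') or die "getipstat: $!";`, and check `close($fh)` so that a failed or timed-out iptables call is reported instead of rendering an empty table. Renaming the handle also touches the `while` loop and the close that follow, which lie outside this hunk.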
> @@ -206,11 +204,11 @@ print < END
> ;
>=20
> -# We=C2=B4ll open the txt files and extract each line, if the line
> +# We=C2=B4ll get iptables output and examine each line, if the line
> # start with an Chain the the name, start- and endline of the
> # chain is extracted into a hash
>=20
> - open (FILE, '/var/tmp/iptablesmangle.txt');
> + open (FILE, '/usr/local/bin/getipstat -m | ');
> while (){
>=20
> $ipmlines[$manlines] =3D $_;
> @@ -333,11 +331,11 @@ print < END
> ;
>=20
> -# We=C2=B4ll open the txt files and extract each line, if the line
> +# We=C2=B4ll get iptables output and examine each line, if the line
> # start with an Chain the the name, start- and endline of the
> # chain is extracted into a hash
>=20
> - open (FILE, '/var/tmp/iptablesnat.txt');
> + open (FILE, '/usr/local/bin/getipstat -n | ');
> while (){
>=20
> $ipnatlines[$natlines] =3D $_;
> @@ -433,7 +431,3 @@ print "
";
> &Header::closebox();
> &Header::closebigbox();
> &Header::closepage();
> -
> -system("rm -f /var/tmp/iptables.txt");
> -system("rm -f /var/tmp/iptablesmangle.txt");
> -system("rm -f /var/tmp/iptablesnat.txt");
> diff --git a/src/misc-progs/getipstat.c b/src/misc-progs/getipstat.c
> index c806d54a9..99d053bbf 100644
> --- a/src/misc-progs/getipstat.c
> +++ b/src/misc-progs/getipstat.c
> @@ -2,6 +2,15 @@
> *
> * Get the list from IPTABLES -L
> *=20
> + * Optional commandline parameters:
> + * -x=20
> + * instruct iptables to expand numbers
> + * -f=20
> + * display filter table=20
> + * -n
> + * display nat table
> + * -m
> + * display mangle table
> */
>=20
> #include 
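Review bot: The new header comment lists the four options but not the constraints the parser below enforces: `-f`, `-n` and `-m` are rejected as mutually exclusive, the filter table is what you get when none of them is given, and `-x` is passed straight through as iptables `--exact`. I would add a line such as ` * -f/-n/-m are mutually exclusive; with none of them the filter table is shown` so the caller learns this from the header rather than from the usage error.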
> @@ -9,20 +18,60 @@
> #include
> #include
> #include
> -#include
> #include "setuid.h"
>=20
> -
> -int main(void)
> +int main(int argc, char** argv)
> {
> + // Set defaults
> + // first argument has to be "iptables" since execve executes the program = pointed to by filename
> + // but /sbin/iptables is actually a symlink to /sbin/xtables-legacy-multi= hence that program is executed
> + // however without the notion that it was called as "iptables". So we hav= e to pass "iptables" as first
> + // argument.
> + char *args[10] =3D {"iptables", "--list", "--verbose", "--numeric", "--wa= it", "5", NULL, NULL, NULL, NULL};
> + char *usage =3D "getipstat [-x][-f|-n|-m]";
> + unsigned int pcount =3D 6;
> + unsigned int table_set =3D 0;
> +
> + int opt;
> +=09
> if (!(initsetuid()))
> exit(1);
>=20
> - safe_system("/sbin/iptables -L -v -n > /var/tmp/iptables.txt");
> - safe_system("/sbin/iptables -L -v -n -t nat > /var/tmp/iptablesnat.txt");
> - safe_system("/sbin/iptables -t mangle -L -v -n > /var/tmp/iptablesmangle.= txt");
> - safe_system("chown nobody.nobody /var/tmp/iptables.txt /var/tmp/iptablesn= at.txt /var/tmp/iptablesmangle.txt");
> -=09
> - return 0;
> + // Parse command line arguments
> + if (argc > 1) {
> + while ((opt =3D getopt(argc, argv, "xfnm")) !=3D -1) {
> + switch(opt) {
> + case 'x':
> + args[pcount++] =3D "--exact";
> + break;
> + case 'f':
> + table_set++;
> + break;
> + case 'n':
> + if (table_set =3D=3D 0) {
> + args[pcount++] =3D "--table";
> + args[pcount++] =3D "nat";
> + }
> + table_set++;
> + break;
> + case 'm':
> + if (table_set =3D=3D 0) {
> + args[pcount++] =3D "--table";
> + args[pcount++] =3D "mangle";
> + }
> + table_set++;
> + break;
> + default:
> + fprintf(stderr, "\nBad argument given.\n\n%s\n", usage);
> + exit(1);
> + }
> + }
> + if (table_set > 1) {
> + fprintf(stderr, "\nArguments -f/-n/-m are mutualy exclusive.\n\n%s\n", = usage);
> + exit(1);
> + }
> + }
> +
> + return run("/sbin/iptables", args);
> }
>=20
> --=20
> 2.31.1
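Review bot: `args[pcount++] = "--exact"` in `case 'x'` is unbounded: getopt returns 'x' for every repetition (`-x -x` or `-xx`), while `args[10]` has only four free slots (indices 6–9) and the last one must stay NULL for the execve that, per the comment above, run() ends up in. Two `-x` plus `-n` already overwrite that terminating NULL, and five `-x` write past the end of the array — a stack write in a helper that initsetuid() suggests runs with raised privileges and that any local user can invoke with arbitrary argv. Make the flag idempotent: declare `unsigned int exact_set = 0;` next to table_set and write `if (!exact_set) { args[pcount++] = "--exact"; exact_set = 1; }` in that case, or bound every append against the array size. Minor: `-f -f` is rejected as "mutually exclusive", and the `if (argc > 1)` guard is redundant since getopt returns -1 immediately.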
>=20 >=20 > --=20 > Dit bericht is gescanned op virussen en andere gevaarlijke > inhoud door MailScanner en lijkt schoon te zijn. >=20 --===============6214756270206370580==--