From patchwork Tue Apr 27 20:07:32 2021
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 4229
From: Robin Roevens
To: development@lists.ipfire.org
Subject: [PATCH v2] misc-progs: getipstat: Refactor + extend
Date: Tue, 27 Apr 2021 22:07:32 +0200
Message-Id: <20210427200732.6830-1-robin.roevens@disroot.org>
List-Id: IPFire development talk

* Return output of iptables directly instead of writing it to files.
* Make iptables wait for 5s if xtables is locked by another iptables process. (--wait 5 argument)
* Add optional parameter "-x" to have iptables report exact numbers.
* Add optional parameter "-f" to display the filter table (default).
* Add optional parameter "-n" to display the nat table.
* Add optional parameter "-m" to display the mangle table.
* Adapt iptables.cgi and guardian.cgi to catch getipstat output instead of reading temp-files.
Signed-off-by: Robin Roevens --- html/cgi-bin/guardian.cgi | 12 ++----- html/cgi-bin/iptables.cgi | 18 ++++------ src/misc-progs/getipstat.c | 67 +++++++++++++++++++++++++++++++++----- 3 files changed, 66 insertions(+), 31 deletions(-) diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi index fb16be00e..552c67211 100644 --- a/html/cgi-bin/guardian.cgi +++ b/html/cgi-bin/guardian.cgi @@ -829,12 +829,9 @@ sub GetBlockedHosts() { my @hosts; # Launch helper to get chains from iptables. - system('/usr/local/bin/getipstat'); + open (FILE, '/usr/local/bin/getipstat | '); - # Open temporary file which contains the chains and rules. - open (FILE, '/var/tmp/iptables.txt'); - - # Loop through the entire file. + # Loop through the entire output. while () { my $line = $_; @@ -864,11 +861,6 @@ sub GetBlockedHosts() { # Close filehandle. close(FILE); - # Remove recently created temporary files of the "getipstat" binary. - system("rm -f /var/tmp/iptables.txt"); - system("rm -f /var/tmp/iptablesmangle.txt"); - system("rm -f /var/tmp/iptablesnat.txt"); - # Convert entries, sort them, write back and store the sorted entries into new array. my @sorted = map { $_->[0] } sort { $a->[1] <=> $b->[1] } diff --git a/html/cgi-bin/iptables.cgi b/html/cgi-bin/iptables.cgi index b52d74fcf..f900562d9 100644 --- a/html/cgi-bin/iptables.cgi +++ b/html/cgi-bin/iptables.cgi @@ -44,8 +44,6 @@ my %cgiparams=(); &Header::getcgihash(\%cgiparams); -system('/usr/local/bin/getipstat'); - &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ipts'}, 1, ''); &Header::openbigbox('100%', 'LEFT'); @@ -84,11 +82,11 @@ print <){ $iplines[$lines] = $_; @@ -206,11 +204,11 @@ print <){ $ipmlines[$manlines] = $_; @@ -333,11 +331,11 @@ print <){ $ipnatlines[$natlines] = $_; @@ -433,7 +431,3 @@ print "
"; &Header::closebox(); &Header::closebigbox(); &Header::closepage(); - -system("rm -f /var/tmp/iptables.txt"); -system("rm -f /var/tmp/iptablesmangle.txt"); -system("rm -f /var/tmp/iptablesnat.txt"); diff --git a/src/misc-progs/getipstat.c b/src/misc-progs/getipstat.c index c806d54a9..99d053bbf 100644 --- a/src/misc-progs/getipstat.c +++ b/src/misc-progs/getipstat.c @@ -2,6 +2,15 @@ * * Get the list from IPTABLES -L * + * Optional commandline parameters: + * -x + * instruct iptables to expand numbers + * -f + * display filter table + * -n + * display nat table + * -m + * display mangle table */ #include 
@@ -9,20 +18,60 @@ #include #include #include -#include #include "setuid.h" - -int main(void) +int main(int argc, char** argv) { + // Set defaults + // first argument has to be "iptables" since execve executes the program pointed to by filename + // but /sbin/iptables is actually a symlink to /sbin/xtables-legacy-multi hence that program is executed + // however without the notion that it was called as "iptables". So we have to pass "iptables" as first + // argument. + char *args[10] = {"iptables", "--list", "--verbose", "--numeric", "--wait", "5", NULL, NULL, NULL, NULL}; + char *usage = "getipstat [-x][-f|-n|-m]"; + unsigned int pcount = 6; + unsigned int table_set = 0; + + int opt; + if (!(initsetuid())) exit(1); - safe_system("/sbin/iptables -L -v -n > /var/tmp/iptables.txt"); - safe_system("/sbin/iptables -L -v -n -t nat > /var/tmp/iptablesnat.txt"); - safe_system("/sbin/iptables -t mangle -L -v -n > /var/tmp/iptablesmangle.txt"); - safe_system("chown nobody.nobody /var/tmp/iptables.txt /var/tmp/iptablesnat.txt /var/tmp/iptablesmangle.txt"); - - return 0; + // Parse command line arguments + if (argc > 1) { + while ((opt = getopt(argc, argv, "xfnm")) != -1) { + switch(opt) { + case 'x': + args[pcount++] = "--exact"; + break; + case 'f': + table_set++; + break; + case 'n': + if (table_set == 0) { + args[pcount++] = "--table"; + args[pcount++] = "nat"; + } + table_set++; + break; + case 'm': + if (table_set == 0) { + args[pcount++] = "--table"; + args[pcount++] = "mangle"; + } + table_set++; + break; + default: + fprintf(stderr, "\nBad argument given.\n\n%s\n", usage); + exit(1); + } + } + if (table_set > 1) { + fprintf(stderr, "\nArguments -f/-n/-m are mutualy exclusive.\n\n%s\n", usage); + exit(1); + } + } + + return run("/sbin/iptables", args); }
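Review bot: in the guardian.cgi GetBlockedHosts hunk, `open (FILE, '/usr/local/bin/getipstat | ');` keeps the two-argument open and still does not check its return value, so a failed fork or a helper that exits non-zero (for example when the xtables lock is still held after the 5 s wait) silently produces an empty blocked-host list instead of an error. Use the list form, which needs no shell interpretation, and fail loudly: `open(my $fh, '-|', '/usr/local/bin/getipstat') or die "getipstat: $!";` then check `close($fh)` (which puts the child's exit status in `$?`) before trusting the parsed result. The stray space before the closing quote is harmless but can go.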
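Review bot: in the second guardian.cgi hunk and the tail of iptables.cgi the `rm -f /var/tmp/iptables*.txt` cleanup is removed and the helper no longer writes those files, so please confirm (grep the tree) that no other CGI or script still reads /var/tmp/iptables.txt, /var/tmp/iptablesnat.txt or /var/tmp/iptablesmangle.txt; the diffstat touches only these two consumers. On upgraded systems the last files written by the old helper stay behind in /var/tmp with owner nobody; an update script should remove them.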
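Review bot: the three iptables.cgi hunks at -84, -206 and -333 are truncated in this copy (the `print <<END` heredocs and the replaced `open(FILE, ...)` lines are missing), so the per-table invocations cannot be checked here. Since `system('/usr/local/bin/getipstat')` is gone from the top of the script, each of the three open() calls must now pipe from the helper with the matching table flag (`-n` for the nat box, `-m` for the mangle box), otherwise all three boxes show the filter table; and each of them needs the same open/close error handling as suggested for guardian.cgi, otherwise a helper failure renders as an empty table.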
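Review bot: the header comment hunk in getipstat.c documents -x, -f, -n and -m but not that -f/-n/-m are mutually exclusive and that the filter table is the default; the usage string in main (`getipstat [-x][-f|-n|-m]`) already encodes this, so the comment should say the same, and it would help to note that -x maps to iptables --exact.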
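Review bot: in the main() hunk of getipstat.c, `case 'x': args[pcount++] = "--exact";` has no bound and getopt accepts a repeated flag, so `getipstat -x -x -x -x` fills args[6..9] and leaves no terminating NULL for the exec, and a fifth `-x` (or `-xxx -n`, which needs two more slots for `--table nat`) writes past the end of the ten-element stack array in a setuid-root program. Record the option in a flag (`int exact = 0;`, set it in the case, append "--exact" once after the loop) or bounds-check every `args[pcount++]` against `sizeof(args)/sizeof(args[0]) - 1`. Smaller points in the same hunk: the `if (argc > 1)` wrapper is redundant, getopt returns -1 at once when there are no options and the `table_set > 1` check is then a no-op anyway; `-n -n` or `-f -f` is reported as "mutually exclusive" although it is a repeat; and "mutualy" should read "mutually". Since the helper is setuid, please also confirm that run() execs with the sanitised environment initsetuid() establishes. Finally, dropping the fixed-name /var/tmp/iptables*.txt files that the old code wrote as root via shell redirection (and then chowned to nobody) deserves a sentence in the commit message: a predictable path in a world-writable directory written by a setuid-root helper is a classic symlink target, and removing it is a security improvement in its own right.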
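As an added example, not IPFire code and not part of this patch, the following builds the same "iptables --list --verbose --numeric --wait 5" argument vector the commit message describes, with the -x and -f/-n/-m flags, but with an explicit capacity bound so that repeated or clustered flags can never write past the array or drop the terminating NULL. The names MAX_ARGS, push_arg(), build_iptables_argv() and render_command() are chosen here; it parses flags by hand instead of with getopt so that it runs deterministically stand-alone, and it treats a repeated flag as idempotent rather than as an error. The setuid plumbing (initsetuid/run) is left out; the program only prints the command line it would exec.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not IPFire code. MAX_ARGS mirrors the patch's char *args[10]. */
#define MAX_ARGS 10

/* Append one entry and keep the array NULL-terminated.
 * Returns 0 on success, -1 when only the NULL slot is left. */
static int push_arg(char **args, size_t *count, const char *value)
{
    if (*count + 1 >= MAX_ARGS)         /* one slot for value, one for NULL */
        return -1;
    args[(*count)++] = (char *)value;   /* execv wants char *const argv[] */
    args[*count] = NULL;
    return 0;
}

/*
 * Translate getipstat-style flags into an argv for execv("/sbin/iptables", args).
 * argv[0] is "iptables" because /sbin/iptables is a multi-call binary that
 * dispatches on its own name. -x adds --exact; -f/-n/-m pick the filter
 * (default), nat or mangle table. Flags may be repeated or clustered ("-xn");
 * conflicting tables, unknown flags and positional arguments are rejected.
 * Returns the number of entries before the NULL, or -1 on error.
 */
int build_iptables_argv(int argc, char *const argv[], char **args)
{
    static const char *base[] = {"iptables", "--list", "--verbose",
                                 "--numeric", "--wait", "5"};
    size_t count = 0;
    int exact = 0;
    const char *table = NULL;

    for (size_t i = 0; i < sizeof base / sizeof base[0]; i++)
        if (push_arg(args, &count, base[i]) < 0)
            return -1;

    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            return -1;
        for (const char *p = a + 1; *p; p++) {
            const char *want;
            switch (*p) {
            case 'x': exact = 1; continue;
            case 'f': want = "filter"; break;
            case 'n': want = "nat";    break;
            case 'm': want = "mangle"; break;
            default:  return -1;
            }
            if (table && strcmp(table, want) != 0)   /* -f/-n/-m are exclusive */
                return -1;
            table = want;
        }
    }

    /* Each option is appended once, so repeating -x cannot overrun the array. */
    if (exact && push_arg(args, &count, "--exact") < 0)
        return -1;
    if (table && strcmp(table, "filter") != 0) {
        if (push_arg(args, &count, "--table") < 0 || push_arg(args, &count, table) < 0)
            return -1;
    }
    return (int)count;
}

/* Render the argv built for one flag word as a single line ("" when rejected). */
const char *render_command(const char *flags)
{
    static char out[256];
    char *args[MAX_ARGS];
    char *argv[] = {"getipstat", (char *)flags, NULL};
    int n = build_iptables_argv(2, argv, args);

    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (i)
            strncat(out, " ", sizeof out - strlen(out) - 1);
        strncat(out, args[i], sizeof out - strlen(out) - 1);
    }
    return out;
}

int main(int argc, char *argv[])
{
    char *args[MAX_ARGS];
    int n = build_iptables_argv(argc, argv, args);

    if (n < 0) {
        fprintf(stderr, "usage: %s [-x] [-f|-n|-m]\n", argv[0]);
        return 1;
    }
    /* A setuid helper would execv("/sbin/iptables", args) here; this example
     * only prints the command line it built. */
    for (int i = 0; i < n; i++)
        printf("%s%s", args[i], i + 1 < n ? " " : "\n");
    return 0;
}
```

Running it as `./a.out -xn` prints `iptables --list --verbose --numeric --wait 5 --exact --table nat`, while `./a.out -x -x -x -x -x` still yields a single `--exact` and a properly NULL-terminated vector; `-fn` and unknown flags are refused with a usage message. The bound lives in push_arg(), so adding a future option cannot reintroduce an unchecked write.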