iptables-restore: Support for extra debug output

Treat --verbose just like iptables itself, increasing debug level with
number of invocations.

To propagate the level into do_command() callback, insert virtual '-v'
flags into rule lines.

The only downside of this is that simple verbose output is changed and
now also prints the rules as they are added - which would be useful if
the lines contained the chain they apply to.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in
index b4b62f92740d1861682f880e077f57339c3b85ef..883da998b0f7eebacdf46cbd730b585114f9850b 100644 (file)
--- a/iptables/iptables-restore.8.in
+++ b/iptables/iptables-restore.8.in
@@ -54,6 +54,7 @@ Only parse and construct the ruleset, but do not commit it.
 .TP
 \fB\-v\fP, \fB\-\-verbose\fP
 Print additional debug info during ruleset processing.
+Specify multiple times to increase debug level.
 .TP
 \fB\-V\fP, \fB\-\-version\fP
 Print the program version number.

diff --git a/iptables/iptables-restore.c b/iptables/iptables-restore.c
index a3efb067d3d90864f6063e5ee46a6b00e4004898..3c0a238917ecdac706aa971de9eb20715f496e2a 100644 (file)
--- a/iptables/iptables-restore.c
+++ b/iptables/iptables-restore.c
@@ -114,7 +114,7 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
                                counters = 1;
                                break;
                        case 'v':
-                               verbose = 1;
+                               verbose++;
                                break;
                        case 'V':
                                printf("%s v%s\n",
@@ -317,11 +317,15 @@ ip46tables_restore_main(const struct iptables_restore_cb *cb,
                        char *pcnt = NULL;
                        char *bcnt = NULL;
                        char *parsestart = buffer;
+                       int i;
 
                        add_argv(&av_store, argv[0], 0);
                        add_argv(&av_store, "-t", 0);
                        add_argv(&av_store, curtable, 0);
 
+                       for (i = 0; !noflush && i < verbose; i++)
+                               add_argv(&av_store, "-v", 0);
+
                        tokenize_rule_counters(&parsestart, &pcnt, &bcnt, line);
                        if (counters && pcnt && bcnt) {
                                add_argv(&av_store, "--set-counters", 0);

diff --git a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0 b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
index fc8559c5bac9efd77223b3b247afbcb1ac2b1135..5daf7a78a5334a8f23d18660133b51f05b2d2c1f 100755 (executable)
--- a/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0014-verbose-restore_0
@@ -33,6 +33,7 @@ Flushing chain \`bar'
 Flushing chain \`foo'
 Deleting chain \`bar'
 Deleting chain \`foo'
+ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
 Flushing chain \`PREROUTING'
 Flushing chain \`INPUT'
 Flushing chain \`OUTPUT'
@@ -41,6 +42,7 @@ Flushing chain \`natbar'
 Flushing chain \`natfoo'
 Deleting chain \`natbar'
 Deleting chain \`natfoo'
+ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
 Flushing chain \`PREROUTING'
 Flushing chain \`OUTPUT'
 Flushing chain \`rawfoo'
@@ -58,9 +60,10 @@ Flushing chain \`OUTPUT'
 Flushing chain \`secfoo'
 Deleting chain \`secfoo'"
 
-for ipt in iptables-restore ip6tables-restore; do
-       diff -u -Z <(echo "$EXPECT") <($XT_MULTI $ipt -v <<< "$DUMP")
-done
+EXPECT6=$(sed -e 's/0\.0\.0\.0/::/g' -e 's/opt --/opt   /' <<< "$EXPECT")
+
+diff -u -Z <(echo "$EXPECT") <($XT_MULTI iptables-restore -v <<< "$DUMP")
+diff -u -Z <(echo "$EXPECT6") <($XT_MULTI ip6tables-restore -v <<< "$DUMP")
 
 DUMP="*filter
 :baz - [0:0]

diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 8ca2abffa5d366e2bac54dcd9d49a400a091e05d..f5aabf3cc19441dca84848108e42e2284e688890 100644 (file)
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -206,11 +206,15 @@ static void xtables_restore_parse_line(struct nft_handle *h,
                char *pcnt = NULL;
                char *bcnt = NULL;
                char *parsestart = buffer;
+               int i;
 
                add_argv(&state->av_store, xt_params->program_name, 0);
                add_argv(&state->av_store, "-t", 0);
                add_argv(&state->av_store, state->curtable->name, 0);
 
+               for (i = 0; !h->noflush && i < verbose; i++)
+                       add_argv(&state->av_store, "-v", 0);
+
                tokenize_rule_counters(&parsestart, &pcnt, &bcnt, line);
                if (counters && pcnt && bcnt) {
                        add_argv(&state->av_store, "--set-counters", 0);
@@ -309,7 +313,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
                                counters = 1;
                                break;
                        case 'v':
-                               verbose = 1;
+                               verbose++;
                                break;
                        case 'V':
                                printf("%s v%s\n", prog_name, prog_vers);