From 8b1ec8d4ec33663840524165c2788256765c19a5 Mon Sep 17 00:00:00 2001 From: Jordi Sanfeliu Date: Thu, 26 Jun 2014 11:50:17 +0200 Subject: [PATCH] added the new option 'ip_default_table' to define in which table Monitorix ill put all iptables rules for network traffic accounting monitoring --- lib/Monitorix.pm | 17 +++++++++-------- lib/nginx.pm | 13 ++++++++----- lib/port.pm | 19 +++++++++++-------- lib/traffacct.pm | 15 +++++++++------ monitorix | 1 + 5 files changed, 38 insertions(+), 27 deletions(-) diff --git a/lib/Monitorix.pm b/lib/Monitorix.pm index 008908e..1419220 100644 --- a/lib/Monitorix.pm +++ b/lib/Monitorix.pm @@ -302,6 +302,7 @@ sub get_ati_data { # flushes out all Monitorix iptables/ipfw rules sub flush_accounting_rules { my ($config, $debug) = @_; + my $table = $config->{ip_default_table}; if($config->{os} eq "Linux") { my $num = 0; @@ -309,7 +310,7 @@ sub flush_accounting_rules { logger("Flushing out iptables rules.") if $debug; { my @names; - if(open(IN, "iptables -nxvL INPUT --line-numbers |")) { + if(open(IN, "iptables -t $table -nxvL INPUT --line-numbers |")) { my @rules; while() { my ($rule, undef, undef, $name) = split(' ', $_); @@ -321,11 +322,11 @@ sub flush_accounting_rules { close(IN); @rules = reverse(@rules); foreach(@rules) { - system("iptables -D INPUT $_"); + system("iptables -t $table -D INPUT $_"); $num++; } } - if(open(IN, "iptables -nxvL OUTPUT --line-numbers |")) { + if(open(IN, "iptables -t $table -nxvL OUTPUT --line-numbers |")) { my @rules; while() { my ($rule, undef, undef, $name) = split(' ', $_); @@ -336,7 +337,7 @@ sub flush_accounting_rules { close(IN); @rules = reverse(@rules); foreach(@rules) { - system("iptables -D OUTPUT $_"); + system("iptables -t $table -D OUTPUT $_"); $num++; } } 
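Review bot: `my $table = $config->{ip_default_table};` in flush_accounting_rules relies on the caller having populated the key; the `"filter"` fallback is added in the `monitorix` script immediately before this call, not in the sub itself, so any other caller that reaches flush_accounting_rules without it will likely run `iptables -t  -nxvL INPUT`, get an empty listing on the pipe and flush nothing, without any log line. A local default, `my $table = $config->{ip_default_table} || "filter";`, keeps the sub correct on its own; the identical line added to each module `_init`/`_update` sub would benefit from the same treatment. flush_accounting_rules continues past the end of this hunk.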
@@ -344,7 +345,7 @@ sub flush_accounting_rules { system("iptables -X $_"); } } - if(open(IN, "iptables -nxvL FORWARD --line-numbers |")) { + if(open(IN, "iptables -t $table -nxvL FORWARD --line-numbers |")) { my @rules; my @names; while() { @@ -357,12 +358,12 @@ sub flush_accounting_rules { close(IN); @rules = reverse(@rules); foreach(@rules) { - system("iptables -D FORWARD $_"); + system("iptables -t $table -D FORWARD $_"); $num++; } foreach(@names) { - system("iptables -F $_"); - system("iptables -X $_"); + system("iptables -t $table -F $_"); + system("iptables -t $table -X $_"); } } logger("$num iptables rules have been flushed.") if $debug; diff --git a/lib/nginx.pm b/lib/nginx.pm index 62d69e0..5eeb251 100644 --- a/lib/nginx.pm +++ b/lib/nginx.pm @@ -44,6 +44,8 @@ sub nginx_init { my @max; my @last; + my $table = $config->{ip_default_table}; + if(-e $rrd) { $info = RRDs::info($rrd); for my $key (keys %$info) { @@ -114,9 +116,9 @@ sub nginx_init { } if($config->{os} eq "Linux") { - system("iptables -N monitorix_nginx_IN 2>/dev/null"); - system("iptables -I INPUT -p tcp --sport 1024:65535 --dport $nginx->{port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0"); - system("iptables -I OUTPUT -p tcp --sport $nginx->{port} --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0"); + system("iptables -t $table -N monitorix_nginx_IN 2>/dev/null"); + system("iptables -t $table -I INPUT -p tcp --sport 1024:65535 --dport $nginx->{port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0"); + system("iptables -t $table -I OUTPUT -p tcp --sport $nginx->{port} --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_nginx_IN -c 0 0"); } if(grep {$_ eq $config->{os}} ("FreeBSD", "OpenBSD", "NetBSD")) { system("ipfw delete $nginx->{rule} 2>/dev/null"); 
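Review bot: The chain-deletion loop at the top of the `@@ -344` hunk still runs `system("iptables -X $_");` without `-t $table`, so the per-port and nginx user chains that port.pm and nginx.pm now create in the configured table are deleted from `filter` instead; with any non-default table the `-X` fails and the chains accumulate across restarts, and the matching `-F` just before it (outside this hunk) presumably has the same gap. It should read `system("iptables -t $table -F $_"); system("iptables -t $table -X $_");`, exactly as the commit already does for the FORWARD chains in the next hunk. The enclosing foreach begins before this hunk.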
@@ -135,6 +137,7 @@ sub nginx_update { my $rrd = $config->{base_lib} . $package . ".rrd"; my $nginx = $config->{nginx}; + my $table = $config->{ip_default_table}; my $reqs = 0; my $tot = 0; my $reads = 0; @@ -182,7 +185,7 @@ sub nginx_update { if($config->{os} eq "Linux") { my $val; - open(IN, "iptables -nxvL INPUT |"); + open(IN, "iptables -t $table -nxvL INPUT |"); while() { if(/ monitorix_nginx_IN /) { (undef, $val) = split(' ', $_); @@ -195,7 +198,7 @@ sub nginx_update { } } close(IN); - open(IN, "iptables -nxvL OUTPUT |"); + open(IN, "iptables -t $table -nxvL OUTPUT |"); while() { if(/ monitorix_nginx_IN /) { (undef, $val) = split(' ', $_); diff --git a/lib/port.pm b/lib/port.pm index 0022f74..e73a20b 100644 --- a/lib/port.pm +++ b/lib/port.pm @@ -45,6 +45,8 @@ sub port_init { my @max; my @last; + my $table = $config->{ip_default_table}; + if(-e $rrd) { $info = RRDs::info($rrd); for my $key (keys %$info) { 
@@ -140,14 +142,14 @@ sub port_init { my $p = trim(lc((split(',', $port->{desc}->{$pl[$n]}))[1])) || "all"; my $conn = trim(lc((split(',', $port->{desc}->{$pl[$n]}))[2])); if($conn eq "in" || $conn eq "in/out") { - system("iptables -N monitorix_IN_$n 2>/dev/null"); - system("iptables -I INPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0"); - system("iptables -I OUTPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0"); + system("iptables -t $table -N monitorix_IN_$n 2>/dev/null"); + system("iptables -t $table -I INPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0"); + system("iptables -t $table -I OUTPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_IN_$n -c 0 0"); } if($conn eq "out" || $conn eq "in/out") { - system("iptables -N monitorix_OUT_$n 2>/dev/null"); - system("iptables -I INPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0"); - system("iptables -I OUTPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0"); + system("iptables -t $table -N monitorix_OUT_$n 2>/dev/null"); + system("iptables -t $table -I INPUT -p $p --sport $np --dport 1024:65535 -m conntrack --ctstate ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0"); + system("iptables -t $table -I OUTPUT -p $p --sport 1024:65535 --dport $np -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j monitorix_OUT_$n -c 0 0"); } if($conn ne "in" && $conn ne "out" && $conn ne "in/out") { logger("$myself: Invalid connection type '$conn'; must be 'in', 'out' or 'in/out'."); 
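Review bot: None of the `system("iptables -t $table ...")` calls in port_init check their exit status, and with the table now configurable that matters: `raw`, for instance, has no INPUT chain, so both `-I INPUT` and `-I OUTPUT` would fail while the RRD is still created and port_update later reports zeros with nothing in the log. A minimal guard on each `-I` line is `system("iptables -t $table -I INPUT ...") == 0 or logger("$myself: unable to insert iptables rule for port $np in table '$table'.");` (`$myself` is already in scope, as the logger call at the end of this hunk shows). The `-N ... 2>/dev/null` can stay as it is, since a pre-existing chain is an expected case there. port_init continues beyond this hunk.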
@@ -186,12 +188,13 @@ sub port_update { my @i_out; my @o_in; my @o_out; + my $table = $config->{ip_default_table}; my $n; my $rrdata = "N"; if($config->{os} eq "Linux") { - open(IN, "iptables -nxvL INPUT |"); + open(IN, "iptables -t $table -nxvL INPUT |"); while() { for($n = 0; $n < $port->{max}; $n++) { $i_in[$n] = 0 unless $i_in[$n]; @@ -215,7 +218,7 @@ sub port_update { } } close(IN); - open(IN, "iptables -nxvL OUTPUT |"); + open(IN, "iptables -t $table -nxvL OUTPUT |"); while() { for($n = 0; $n < $port->{max}; $n++) { $o_out[$n] = 0 unless $o_out[$n]; diff --git a/lib/traffacct.pm b/lib/traffacct.pm index bdc472c..0fe976f 100644 --- a/lib/traffacct.pm +++ b/lib/traffacct.pm @@ -47,6 +47,8 @@ sub traffacct_init { my @max; my @last; + my $table = $config->{ip_default_table}; + if(!grep {$_ eq $config->{os}} ("Linux")) { logger("$myself is not supported yet by your operating system ($config->{os}."); return; @@ -144,14 +146,14 @@ sub traffacct_init { $ip = inet_ntoa((gethostbyname($name))[4]); $ip = $ip . "/32"; } - open(IN, "iptables -nxvL monitorix_daily_$name 2>/dev/null |"); + open(IN, "iptables -t $table -nxvL monitorix_daily_$name 2>/dev/null |"); my @data = ; close(IN); if(!scalar(@data)) { - system("iptables -N monitorix_daily_$name"); - system("iptables -I FORWARD -j monitorix_daily_$name"); - system("iptables -A monitorix_daily_$name -s $ip -d 0/0 -o $config->{net}->{gateway}"); - system("iptables -A monitorix_daily_$name -s 0/0 -d $ip -i $config->{net}->{gateway}"); + system("iptables -t $table -N monitorix_daily_$name"); + system("iptables -t $table -I FORWARD -j monitorix_daily_$name"); + system("iptables -t $table -A monitorix_daily_$name -s $ip -d 0/0 -o $config->{net}->{gateway}"); + system("iptables -t $table -A monitorix_daily_$name -s 0/0 -d $ip -i $config->{net}->{gateway}"); } } } 
@@ -177,6 +179,7 @@ sub traffacct_update { my $rrd = $config->{base_lib} . $package . ".rrd"; my $traffacct = $config->{traffacct}; + my $table = $config->{ip_default_table}; my @in; my @out; @@ -198,7 +201,7 @@ sub traffacct_update { $ip = inet_ntoa((gethostbyname($name))[4]); } $ip =~ s/\/\d+//; - open(IN, "iptables -nxvL monitorix_daily_$name |"); + open(IN, "iptables -t $table -nxvL monitorix_daily_$name |"); $in[$n] = 0 unless $in[$n]; $out[$n] = 0 unless $out[$n]; while() { diff --git a/monitorix b/monitorix index 685d2eb..e34f74c 100755 --- a/monitorix +++ b/monitorix @@ -530,6 +530,7 @@ if(open(OUT, "> " . $config{base_dir} . "/cgi/monitorix.conf.path")) { logger("Unable to create the file '$config{base_dir}/cgi/monitorix.conf.path'. $!"); } +$config{ip_default_table} = "filter" if !$config{ip_default_table}; flush_accounting_rules(\%config, $options{d}); logger("Initializing graphs.");
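Review bot: `$config{ip_default_table}` is defaulted here but never validated, and every module interpolates it into `system("iptables -t $table ...")` and piped `open()` strings that run as root, so a stray value in monitorix.conf (a trailing comment, a space or a `;`, say) either breaks every accounting rule or is handed straight to the shell. iptables has only five built-in tables, so restrict the value to that set and fall back to `filter` with a logged warning; the whitelist also makes it easier to document that the INPUT/OUTPUT/FORWARD chains the modules insert into do not exist in all of them. The diffstat shows no change to the shipped monitorix.conf or man page, so the new option and its default should be documented alongside this commit.
```perl
$config{ip_default_table} = "filter" if !$config{ip_default_table};
# Only built-in table names are accepted: the value is interpolated into
# root-level 'iptables -t ...' shell commands by several modules.
if($config{ip_default_table} !~ /^(?:filter|nat|mangle|raw|security)$/) {
	logger("Invalid 'ip_default_table' value '$config{ip_default_table}'; using 'filter'.");
	$config{ip_default_table} = "filter";
}
flush_accounting_rules(\%config, $options{d});
```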