From f2cfa4bbdf4f68f0e4c527da1b2188160792c870 Mon Sep 17 00:00:00 2001 From: Mohit Mehta Date: Tue, 2 Feb 2010 16:39:50 -0800 Subject: partial fix for bug 4115 'clear nat translations' does not clear nat translations * added op-mode commands to clear counters for NAT rules clear nat counters # clear counters for all NAT rules clear nat counters rule # clear counters for a specific NAT rule --- Makefile.am | 1 + scripts/vyatta-clear-nat-counters.pl | 100 +++++++++++++++++++++ templates-op/clear/nat/counters/node.def | 2 +- templates-op/clear/nat/counters/rule/node.def | 1 + .../clear/nat/counters/rule/node.tag/node.def | 3 + 5 files changed, 106 insertions(+), 1 deletion(-) create mode 100755 scripts/vyatta-clear-nat-counters.pl create mode 100644 templates-op/clear/nat/counters/rule/node.def create mode 100644 templates-op/clear/nat/counters/rule/node.tag/node.def diff --git a/Makefile.am b/Makefile.am index b7b2432..af54b1f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -8,6 +8,7 @@ curverdir = $(sysconfdir)/config-migrate/current sbin_SCRIPTS = scripts/vyatta-update-nat.pl sbin_SCRIPTS += scripts/vyatta-show-nat.pl sbin_SCRIPTS += scripts/vyatta-show-nat-rules.pl +sbin_SCRIPTS += scripts/vyatta-clear-nat-counters.pl bin_sudo_users_SCRIPTS = scripts/vyatta-clear-nat bin_sudo_users_SCRIPTS += scripts/vyatta-nat-translations.pl diff --git a/scripts/vyatta-clear-nat-counters.pl b/scripts/vyatta-clear-nat-counters.pl new file mode 100755 index 0000000..53a0be3 --- /dev/null +++ b/scripts/vyatta-clear-nat-counters.pl 
@@ -0,0 +1,100 @@
+#!/usr/bin/perl
+#
+# Module: vyatta-clear-nat-counters.pl
+#
+# **** License ****
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# This code was originally developed by Vyatta, Inc.
+# Portions created by Vyatta are Copyright (C) 2006-2009 Vyatta, Inc.
+# All Rights Reserved.
+#
+# Author: Mohit Mehta
+# Date: February 2010
+# Description: Script to clear nat counters
+#
+# **** End License ****
+#
+
+use Getopt::Long;
+use POSIX;
+use warnings;
+use strict;
+use lib "/opt/vyatta/share/perl5";
+use Vyatta::Config;
+
+# NAT type mapping from config node to iptables chain
+my %chain_hash = ( 'source' => 'POSTROUTING',
+                   'destination' => 'PREROUTING',
+                   'masquerade' => 'POSTROUTING');
+
+sub clear_rule {
+  my $clirule = shift;
+  my $error = undef;
+
+  if ($clirule eq 'all') {
+    # clear counters for all rules in NAT table
+    $error = system("sudo /sbin/iptables -Z -t nat &>/dev/null");
+    return "error clearing NAT rule counters" if $error;
+  } else {
+    # clear counters for a specific NAT rule
+    my $config = new Vyatta::Config;
+    $config->setLevel("service nat rule");
+    my @rules = $config->listOrigNodes();
+
+    # validate that it's a legit CLI rule
+    if (!((scalar(grep(/^$clirule$/, @rules)) > 0))) {
+      return "Invalid NAT rule number \"$clirule\"";
+    }
+
+    # determine rule type
+    my $rule_type = $config->returnOrigValue("$clirule type");
+
+    # find corresponding rulenum in the underlying NAT table
+    my $iptables_rule = undef;
+    my $cmd = "sudo /sbin/iptables -L $chain_hash{$rule_type} -t nat -nv " .
+                "--line-numbers | grep '/\* NAT-$clirule ' | awk {'print \$1'}";
+    $iptables_rule = `$cmd`;
+    return "couldn't find an underlying iptables rule" if ! defined $iptables_rule;
+    chomp $iptables_rule;
+
+    # clear the counters for that rule
+    $cmd = "sudo /sbin/iptables -t nat -Z $chain_hash{$rule_type} $iptables_rule";
+    $error = system($cmd);
+    return "error clearing counters for NAT rule $clirule" if $error;
+  }
+  return;
+}
+
+#
+# main
+#
+
+my ($clirulenum);
+GetOptions("clirule=s" => \$clirulenum);
+
+die "undefined rule number" if ! defined $clirulenum;
+
+my ($error, $warning);
+
+($error, $warning) = clear_rule($clirulenum);
+
+if (defined $warning) {
+  print "$warning\n";
+}
+
+if (defined $error) {
+  print "$error\n";
+  exit 1;
+}
+
+exit 0;
+
+# end of file
diff --git a/templates-op/clear/nat/counters/node.def b/templates-op/clear/nat/counters/node.def
index acd6adb..3327eda 100644
--- a/templates-op/clear/nat/counters/node.def
+++ b/templates-op/clear/nat/counters/node.def
@@ -1,2 +1,2 @@
 help: Clear NAT counters
-run: sudo /sbin/iptables -Z -t nat
+run: /opt/vyatta/sbin/vyatta-clear-nat-counters.pl --clirule=all
diff --git a/templates-op/clear/nat/counters/rule/node.def b/templates-op/clear/nat/counters/rule/node.def
new file mode 100644
index 0000000..806ad0a
--- /dev/null
+++ b/templates-op/clear/nat/counters/rule/node.def
@@ -0,0 +1 @@
+help: Clear counters for a specific NAT rule
diff --git a/templates-op/clear/nat/counters/rule/node.tag/node.def b/templates-op/clear/nat/counters/rule/node.tag/node.def
new file mode 100644
index 0000000..2d1b4a9
--- /dev/null
+++ b/templates-op/clear/nat/counters/rule/node.tag/node.def
@@ -0,0 +1,3 @@
+help: Clear counters for a specific NAT rule
+allowed: ls /opt/vyatta/config/active/service/nat/rule/ 2>/dev/null
+run: /opt/vyatta/sbin/vyatta-clear-nat-counters.pl --clirule="$5"
-- cgit v1.2.3
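Review bot: `$clirule` arrives straight from the CLI argument (`--clirule="$5"` in the node.tag template) and is interpolated unescaped into the regex `/^$clirule$/` and then into the shell strings run by backticks and `system`, so a value carrying regex or shell metacharacters can satisfy the listOrigNodes check without being a real rule number; an anchored `^\d+$` match before any use (reassigning from the capture), `grep { $_ eq $clirule } @rules`, and list-form `system` would close that. The `! defined $iptables_rule` test can never fire, because backticks return an empty string rather than undef when grep matches nothing, and after `chomp` that empty value makes the last command `iptables -t nat -Z <CHAIN>` with no rule number, which zeroes the whole chain instead of reporting an error. `$rule_type` is also used as a `%chain_hash` key with no definedness or `exists` check, so an untyped rule produces an iptables command with an empty chain name. In the `all` branch, `&>/dev/null` is bash syntax; if `/bin/sh` on the target is dash it parses as `&` plus a redirection, the iptables call is backgrounded and `$error` never reflects its exit status, whereas `system('sudo', '/sbin/iptables', '-Z', '-t', 'nat')` avoids the shell altogether.
```perl
  } else {
    # clear counters for a specific NAT rule.  $clirule comes straight from
    # the CLI argument and is interpolated into a regex and a shell pipeline
    # below, so accept only a plain rule number and reassign from the capture.
    return "Invalid NAT rule number \"$clirule\"" if $clirule !~ /^(\d+)$/;
    $clirule = $1;

    my $config = new Vyatta::Config;
    $config->setLevel("service nat rule");
    my @rules = $config->listOrigNodes();

    # validate that it's a legit CLI rule (exact compare, not a regex match)
    if (!grep { $_ eq $clirule } @rules) {
      return "Invalid NAT rule number \"$clirule\"";
    }

    # determine rule type; it selects the chain, so it must be a known key
    my $rule_type = $config->returnOrigValue("$clirule type");
    if (!defined $rule_type || !exists $chain_hash{$rule_type}) {
      return "NAT rule $clirule has no recognised type";
    }

    # … unchanged: build $cmd (iptables -L ... | grep '/\* NAT-$clirule ' | awk) …
    $iptables_rule = `$cmd`;
    chomp $iptables_rule;
    # backticks yield '' (not undef) when grep matches nothing; an empty rule
    # number would turn the -Z below into a whole-chain zero
    if ($iptables_rule !~ /^(\d+)$/) {
      return "couldn't find an underlying iptables rule";
    }
    $iptables_rule = $1;

    # clear the counters for that rule (list form: no shell involved)
    $error = system('sudo', '/sbin/iptables', '-t', 'nat', '-Z',
                    $chain_hash{$rule_type}, $iptables_rule);
    return "error clearing counters for NAT rule $clirule" if $error;
  }
```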