[PATCH] xtables: warn in case old-style (set/getsockopt) tables exist


 



Provide a hint that iptables isn't showing all rules because
it's using nfnetlink rather than the old set/getsockopt interface.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables/nft-shared.c   | 29 +++++++++++++++++++++++++++++
 iptables/nft-shared.h   |  1 +
 iptables/xtables-save.c | 20 +++++++++++++++++---
 iptables/xtables.c      |  2 ++
 4 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b89a3e7b9d31..ed0d0ee96b0d 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -904,3 +904,32 @@ bool nft_ipv46_rule_find(struct nft_family_ops *ops,
 
 	return true;
 }
+
+void nft_check_xt_legacy(int family, bool is_ipt_save)
+{
+	static const char tables6[] = "/proc/net/ip6_tables_names";
+	static const char tables4[] = "/proc/net/ip_tables_names";
+	const char *prefix = "ip";
+	FILE *fp = NULL;
+	char buf[1024];
+
+	switch (family) {
+	case NFPROTO_IPV4:
+		fp = fopen(tables4, "r");
+		break;
+	case NFPROTO_IPV6:
+		fp = fopen(tables6, "r");
+		prefix = "ip6";
+		break;
+	default:
+		break;
+	}
+
+	if (!fp)
+		return;
+
+	if (fgets(buf, sizeof(buf), fp))
+		fprintf(stderr, "# Warning: %stables-legacy tables present, use %stables-legacy%s to see them\n",
+			prefix, prefix, is_ipt_save ? "-save" : "");
+	fclose(fp);
+}
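Review bot: nft_check_xt_legacy has no header comment, and a reader has to work out from the fopen/fgets pair that a readable first line of /proc/net/ip_tables_names (or ip6_tables_names) is what signals registered legacy tables; a short block comment above the definition should state that the file lists legacy (set/getsockopt) table names one per line, that an empty or absent file means no warning, and that the hint points at the -legacy binary (with "-save" when called from xtables-save). The `default:` arm silently does nothing for any other family, so arp/bridge callers get no hint even if the legacy backend has tables — presumably intended, but worth a comment. The 1024-byte `buf` is only used as a presence probe, so a much smaller buffer would do; and the fprintf line exceeds the usual 80-column limit and could be wrapped at the format string.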
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 0108b7f976c1..6d04b1a49ee3 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -270,4 +270,5 @@ void xtables_restore_parse(struct nft_handle *h,
 			   struct nft_xt_restore_cb *cb,
 			   int argc, char *argv[]);
 
+void nft_check_xt_legacy(int family, bool is_ipt_save);
 #endif
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 1652fbbc5e2f..c19c9991e5a6 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -44,12 +44,10 @@ static const struct option options[] = {
 };
 
 static int
-do_output(struct nft_handle *h, const char *tablename, bool counters)
+__do_output(struct nft_handle *h, const char *tablename, bool counters)
 {
 	struct nftnl_chain_list *chain_list;
 
-	if (!tablename)
-		return nft_for_each_table(h, do_output, counters) ? 1 : 0;
 
 	if (!nft_table_find(h, tablename)) {
 		printf("Table `%s' does not exist\n", tablename);
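Review bot: `__do_output` begins with a double underscore, which C reserves for the implementation (C11 §7.1.3), so a non-reserved name such as `do_output_table` would be safer for the renamed function and for the callers in the next hunk (`ret = nft_for_each_table(h, do_output_table, counters);` / `ret = do_output_table(h, tablename, counters);`). Removing the `if (!tablename)` branch also leaves two consecutive blank lines after the `chain_list` declaration. The body of the renamed function continues past the end of this hunk.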
@@ -80,6 +78,22 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
 	return 0;
 }
 
+static int
+do_output(struct nft_handle *h, const char *tablename, bool counters)
+{
+	int ret;
+
+	if (!tablename) {
+		ret = nft_for_each_table(h, __do_output, counters);
+		nft_check_xt_legacy(h->family, true);
+		return !!ret;
+	}
+
+	ret = __do_output(h, tablename, counters);
+	nft_check_xt_legacy(h->family, true);
+	return ret;
+}
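Review bot: Both branches of the new do_output wrapper end with the same `nft_check_xt_legacy(h->family, true);` call, which can be collapsed into one exit path: `ret = tablename ? __do_output(h, tablename, counters) : !!nft_for_each_table(h, __do_output, counters);` followed by `nft_check_xt_legacy(h->family, true);` and `return ret;`. Note that the hint is now emitted even when `__do_output` reported a missing table, which looks intended but deserves a one-line comment such as `/* always hint at legacy tables, even if the save itself failed */`. The wrapper also still carries no comment explaining why the legacy check happens after, rather than before, the table output.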
+
 /* Format:
  * :Chain name POLICY packets bytes
  * rule
diff --git a/iptables/xtables.c b/iptables/xtables.c
index e03e8f317768..53f94b6f9d80 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1238,6 +1238,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 			ret = nft_rule_zero_counters(h, p.chain, p.table,
 						     p.rulenum - 1);
 		}
+		nft_check_xt_legacy(h->family, false);
 		break;
 	case CMD_LIST_RULES:
 	case CMD_LIST_RULES|CMD_ZERO:
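Review bot: The added `nft_check_xt_legacy(h->family, false);` runs unconditionally in this arm and again in the second xtables.c hunk, after `nft_rule_zero_counters` may already have failed, so a failed listing still prints the hint; if that is intended, mark it with `/* hint at legacy tables regardless of listing result */`, otherwise guard it on the value `ret` carries here. The case labels that open these two arms are outside the hunk, so which commands trigger the hint is inferred only from the following `case CMD_LIST_RULES:` label. do_commandx starts and ends outside the hunk.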
@@ -1252,6 +1253,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 			ret = nft_rule_zero_counters(h, p.chain, p.table,
 						     p.rulenum - 1);
 		}
+		nft_check_xt_legacy(h->family, false);
 		break;
 	case CMD_NEW_CHAIN:
 		ret = nft_chain_user_add(h, p.chain, p.table);
-- 
2.17.1




