Apart from allowing to filter by these families, add missing switch() cases in chain and rule callbacks. Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/xtables-monitor.8.in | 12 +++++++++--- iptables/xtables-monitor.c | 23 +++++++++++++++++++++-- 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in index 19eb729c51240..6bde54fa4a359 100644 --- a/iptables/xtables-monitor.8.in +++ b/iptables/xtables-monitor.8.in @@ -2,7 +2,7 @@ .SH NAME xtables-monitor \(em show changes to rule set and trace-events .SH SYNOPSIS -\fBxtables\-monitor\fP [\fB\-t\fP] [\fB\-e\fP] [\fB\-4\fP|\fB\-6\fP] +\fBxtables\-monitor\fP [\fB\-t\fP] [\fB\-e\fP] [\fB\-0\fP|\fB-1\fP|\fB\-4\fP|\fB\-6\fP] .PP \ .SH DESCRIPTION @@ -24,11 +24,17 @@ the name of the program that caused the rule update. Watch for trace events generated by packets that have been tagged using the TRACE target. .TP +\fB\-0\fP, \fB--arp\fP +Restrict output to ARP (i.e., events caused by arptables-nft). +.TP +\fB\-1\fP, \fB--bridge\fP +Restrict output to bridge (i.e., events caused by ebtables-nft). +.TP \fB\-4\fP, \fB--ipv4\fP -Restrict output to IPv4. +Restrict output to IPv4 (i.e., events caused by iptables-nft). .TP \fB\-6\fP, \fB--ipv6\fP -Restrict output to IPv6. +Restrict output to IPv6 (i.e., events caused by ip6tables-nft). .SH EXAMPLE OUTPUT .TP .B xtables-monitor \-\-trace diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index 02e8e446b1c8c..9be8ce9de6b5f 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c @@ -101,6 +101,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data) case NFPROTO_ARP: printf("-0 "); break; + case NFPROTO_BRIDGE: + printf("-1 "); + break; default: goto err_free; } 
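Review bot: The `default: goto err_free;` arm left as context below the new `NFPROTO_BRIDGE` case in rule_cb still drops every other family, and as far as the hunk shows it prints nothing when it does. Someone who uses xtables-monitor as a record of ruleset changes therefore gets no hint that an event was skipped. A comment on that arm would make the intent explicit, for example `/* not an xtables family: skip the event without output */`, and the man page could say the same next to the new `-0`/`-1` entries. rule_cb starts and ends outside the hunk, so what `err_free` does beyond cleanup should be confirmed there.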
@@ -139,6 +142,12 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
 printf(" EVENT: ");
 switch (family) {
+ case NFPROTO_ARP:
+ family = 0;
+ break;
+ case NFPROTO_BRIDGE:
+ family = 1;
+ break;
 case NFPROTO_IPV4:
 family = 4;
 break;
@@ -565,6 +574,8 @@ static const struct option options[] = {
 {.name = "counters", .has_arg = false, .val = 'c'},
 {.name = "trace", .has_arg = false, .val = 't'},
 {.name = "event", .has_arg = false, .val = 'e'},
+ {.name = "arp", .has_arg = false, .val = '0'},
+ {.name = "bridge", .has_arg = false, .val = '1'},
 {.name = "ipv4", .has_arg = false, .val = '4'},
 {.name = "ipv6", .has_arg = false, .val = '6'},
 {.name = "version", .has_arg = false, .val = 'V'},
@@ -580,6 +591,8 @@ static void print_usage(void)
 " --trace -t trace ruleset traversal of packets tagged via -j TRACE rule\n"
 " --event -e show events that modify the ruleset\n"
 "Optional arguments:\n"
+ " --arp -0 only monitor ARP\n"
+ " --bridge -1 only monitor bridge\n"
 " --ipv4 -4 only monitor IPv4\n"
 " --ipv6 -6 only monitor IPv6\n"
 " --counters -c show counters in rules\n"
@@ -591,7 +604,7 @@ static void print_usage(void)
 static void set_nfproto(struct cb_arg *arg, uint32_t val)
 {
 if (arg->nfproto != NFPROTO_UNSPEC && arg->nfproto != val) {
- fprintf(stderr, "Only one of '-4' or '-6' may be specified at once.\n\n");
+ fprintf(stderr, "Only one of '-0', '-1', '-4' or '-6' may be specified at once.\n\n");
 print_usage();
 exit(PARAMETER_PROBLEM);
 }
@@ -621,8 +634,14 @@ int xtables_monitor_main(int argc, char *argv[])
 #endif
 opterr = 0;
- while ((c = getopt_long(argc, argv, "ceht46V", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "ceht0146V", options, NULL)) != -1) {
 switch (c) {
+ case '0':
+ set_nfproto(&cb_arg, NFPROTO_ARP);
+ break;
+ case '1':
+ set_nfproto(&cb_arg, NFPROTO_BRIDGE);
+ break;
 case 'c':
 counters = true;
 break;
-- 
2.22.0
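Review bot: In the chain_cb hunk, `family = 0` and `family = 1` overwrite the variable that holds the NFPROTO_* value with an option digit, and those two digits are numerically equal to `NFPROTO_UNSPEC` and `NFPROTO_INET`. The rest of the switch and the code that consumes `family` lie outside the hunk; if a default arm or a later test also uses 0 to mean "unknown", ARP chain events would be indistinguishable from unrecognised ones. A separate local keeps the two meanings apart, e.g. `char opt;` set by `case NFPROTO_ARP: opt = '0'; break;`, which also lines up with the `-0 `/`-1 ` strings printed in rule_cb.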