From 20eac2ad174e43a3d4a4275c3d44f99c12bd04b9 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 19 Jun 2018 12:02:24 +0200
Subject: xtables: warn in case old-style (set/getsockopt) tables exist

Provide a hint that iptables isn't showing all rules because its using nfnetlink rather than old set/getsockopt.

Signed-off-by: Florian Westphal
---
 iptables/nft-shared.c | 29 +++++++++++++++++++++++++++++
 iptables/nft-shared.h | 1 +
 iptables/xtables-save.c | 20 +++++++++++++++++---
 iptables/xtables.c | 2 ++
 4 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b89a3e7b..ed0d0ee9 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -904,3 +904,32 @@ bool nft_ipv46_rule_find(struct nft_family_ops *ops,
 return true;
 }
+
+void nft_check_xt_legacy(int family, bool is_ipt_save)
+{
+ static const char tables6[] = "/proc/net/ip6_tables_names";
+ static const char tables4[] = "/proc/net/ip_tables_names";
+ const char *prefix = "ip";
+ FILE *fp = NULL;
+ char buf[1024];
+
+ switch (family) {
+ case NFPROTO_IPV4:
+ fp = fopen(tables4, "r");
+ break;
+ case NFPROTO_IPV6:
+ fp = fopen(tables6, "r");
+ prefix = "ip6";
+ break;
+ default:
+ break;
+ }
+
+ if (!fp)
+ return;
+
+ if (fgets(buf, sizeof(buf), fp))
+ fprintf(stderr, "# Warning: %stables-legacy tables present, use %stables-legacy%s to see them\n",
+ prefix, prefix, is_ipt_save ? "-save" : "");
+ fclose(fp);
+}
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 0108b7f9..6d04b1a4 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -270,4 +270,5 @@ void xtables_restore_parse(struct nft_handle *h,
 struct nft_xt_restore_cb *cb,
 int argc, char *argv[]);
+void nft_check_xt_legacy(int family, bool is_ipt_save);
 #endif
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 1652fbbc..c19c9991 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
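Review bot: nft_check_xt_legacy carries no comment explaining its heuristic, and a reader needs one because the function opens a /proc file only to test whether fgets() finds a non-empty first line and never looks at the contents of `buf`. I would add above the definition: `/* Legacy xt tables register their names in /proc/net/ip{,6}_tables_names; a non-empty first line means at least one exists, so point the user at the legacy tool. A failed fopen (file absent or unreadable) and unsupported families are deliberately silent. */`. Only fixed strings reach fprintf, so nothing read from the file is echoed to the terminal; that property is worth keeping if the message is ever extended to name the tables.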
@@ -44,12 +44,10 @@ static const struct option options[] = {
 };
 static int
-do_output(struct nft_handle *h, const char *tablename, bool counters)
+__do_output(struct nft_handle *h, const char *tablename, bool counters)
 {
 struct nftnl_chain_list *chain_list;
- if (!tablename)
- return nft_for_each_table(h, do_output, counters) ? 1 : 0;
 if (!nft_table_find(h, tablename)) {
 printf("Table `%s' does not exist\n", tablename);
@@ -80,6 +78,22 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
 return 0;
 }
+static int
+do_output(struct nft_handle *h, const char *tablename, bool counters)
+{
+ int ret;
+
+ if (!tablename) {
+ ret = nft_for_each_table(h, __do_output, counters);
+ nft_check_xt_legacy(h->family, true);
+ return !!ret;
+ }
+
+ ret = __do_output(h, tablename, counters);
+ nft_check_xt_legacy(h->family, true);
+ return ret;
+}
+
 /* Format:
 * :Chain name POLICY packets bytes
 * rule
diff --git a/iptables/xtables.c b/iptables/xtables.c
index e03e8f31..53f94b6f 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1238,6 +1238,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 ret = nft_rule_zero_counters(h, p.chain, p.table, p.rulenum - 1);
 }
+ nft_check_xt_legacy(h->family, false);
 break;
 case CMD_LIST_RULES:
 case CMD_LIST_RULES|CMD_ZERO:
@@ -1252,6 +1253,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 ret = nft_rule_zero_counters(h, p.chain, p.table, p.rulenum - 1);
 }
+ nft_check_xt_legacy(h->family, false);
 break;
 case CMD_NEW_CHAIN:
 ret = nft_chain_user_add(h, p.chain, p.table);
--
cgit v1.2.3
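Review bot: `__do_output` is a reserved identifier: names beginning with two underscores are reserved for the implementation (C11 7.1.3), so the rename in this hunk and the two references in the following hunk should use a non-reserved name such as `do_output_table`. The renamed function's body continues past the end of this hunk.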
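Review bot: the new do_output calls nft_check_xt_legacy in both branches, so the warning logic is duplicated and the two paths can drift apart; fold the branch result into one variable and warn once: `ret = tablename ? __do_output(h, tablename, counters) : !!nft_for_each_table(h, __do_output, counters);` followed by `nft_check_xt_legacy(h->family, true);` and `return ret;`. The hint is also printed when __do_output reported a missing table, which looks intended because the table may exist only in the legacy backend; a one-line comment would keep that from being "fixed" later, e.g. `/* warn even on failure: the table may live in the legacy backend */`.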
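Review bot: in xtables.c the added nft_check_xt_legacy call runs unconditionally after the zero-counters block, i.e. also when `ret` already signals a failed listing, and the identical insertion in the second xtables.c hunk behaves the same way. If that is intended (a chain or table missing here may exist only in the legacy backend), a short why-comment on both lines would document it: `/* rules in legacy xt tables are invisible via nfnetlink; point the user at iptables-legacy */`. Both enclosing case bodies and the switch start and end outside the hunks, so I could not verify what `ret` holds at this point.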