From 20eac2ad174e43a3d4a4275c3d44f99c12bd04b9 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 19 Jun 2018 12:02:24 +0200
Subject: xtables: warn in case old-style (set/getsockopt) tables exist

Provide a hint that iptables isn't showing all rules because its using nfnetlink rather than old set/getsockopt.

Signed-off-by: Florian Westphal
---
iptables/nft-shared.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
(limited to 'iptables/nft-shared.c')
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b89a3e7b..ed0d0ee9 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -904,3 +904,32 @@ bool nft_ipv46_rule_find(struct nft_family_ops *ops,
 return true;
 }
+
+void nft_check_xt_legacy(int family, bool is_ipt_save)
+{
+ static const char tables6[] = "/proc/net/ip6_tables_names";
+ static const char tables4[] = "/proc/net/ip_tables_names";
+ const char *prefix = "ip";
+ FILE *fp = NULL;
+ char buf[1024];
+
+ switch (family) {
+ case NFPROTO_IPV4:
+ fp = fopen(tables4, "r");
+ break;
+ case NFPROTO_IPV6:
+ fp = fopen(tables6, "r");
+ prefix = "ip6";
+ break;
+ default:
+ break;
+ }
+
+ if (!fp)
+ return;
+
+ if (fgets(buf, sizeof(buf), fp))
+ fprintf(stderr, "# Warning: %stables-legacy tables present, use %stables-legacy%s to see them\n",
+ prefix, prefix, is_ipt_save ? "-save" : "");
+ fclose(fp);
+}
--
cgit v1.2.3
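Review bot: The `if (!fp) return;` path in nft_check_xt_legacy treats every fopen() failure as "no legacy tables", so a missing warning does not show that the nft view of the ruleset is complete. A permission error or an unavailable /proc would look the same as the names file simply not existing. Because someone auditing firewall state may rely on this hint, I would return silently only for `errno == ENOENT` (assuming <errno.h> is available in this file) and otherwise report that the check could not be performed. At minimum, document the limit with a comment above the function such as `/* best effort: no warning does not prove that no legacy tables exist */`. That comment should also say that families other than NFPROTO_IPV4 and NFPROTO_IPV6 fall through `default` and are never checked.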