From 528cbf99ff6062420270e637df4d40a77514fe56 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 7 Aug 2018 12:29:35 +0200
Subject: xtables: Fix for wrong counter format in -S output

Legacy iptables uses '-c PCNT BCNT' format in listed rules, nft-variant used '[PCNT BCNT]' prefix like with iptables-save. In order to pass the counter format preference along, FMT_C_COUNTS is introduced and related 'format' checks adjusted. Since legacy iptables prints the counters between matches and target, this change affects save_matches_and_target() function. In order to get access to the rule counters, it's declaration is adjusted to receive iptables_command_state pointer instead of match, target and jumpto pointers from the same object. While being at it, integrate jump to user-defined chain into it as well since the related code in both callers was almost identical. Though since different rule flags are used between iptables and ip6tables, pass a 'goto_flag' boolean instead of the actual 'flags' bitfield.
Signed-off-by: Phil Sutter
Signed-off-by: Florian Westphal
---
 iptables/nft-shared.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)
(limited to 'iptables/nft-shared.c')
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 66db7ed1..5b55c7c0 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -813,13 +813,13 @@ void nft_ipv46_save_chain(const struct nftnl_chain *c, const char *policy)
 chain, policy ?: "-", pkts, bytes);
 }
-void save_matches_and_target(struct xtables_rule_match *m,
- struct xtables_target *target,
- const char *jumpto, uint8_t flags, const void *fw)
+void save_matches_and_target(const struct iptables_command_state *cs,
+ bool goto_flag, const void *fw,
+ unsigned int format)
 {
 struct xtables_rule_match *matchp;
- for (matchp = m; matchp; matchp = matchp->next) {
+ for (matchp = cs->matches; matchp; matchp = matchp->next) {
 if (matchp->match->alias) {
 printf("-m %s", matchp->match->alias(matchp->match->m));
@@ -833,15 +833,24 @@ void save_matches_and_target(struct xtables_rule_match *m,
 printf(" ");
 }
- if (target != NULL) {
- if (target->alias) {
- printf("-j %s", target->alias(target->t));
+ if ((format & (FMT_NOCOUNTS | FMT_C_COUNTS)) == FMT_C_COUNTS)
+ printf("-c %llu %llu ",
+ (unsigned long long)cs->counters.pcnt,
+ (unsigned long long)cs->counters.bcnt);
+
+ if (cs->target != NULL) {
+ if (cs->target->alias) {
+ printf("-j %s", cs->target->alias(cs->target->t));
 } else
- printf("-j %s", jumpto);
+ printf("-j %s", cs->jumpto);
- if (target->save != NULL)
- target->save(fw, target->t);
+ if (cs->target->save != NULL)
+ cs->target->save(fw, cs->target->t);
+ } else if (strlen(cs->jumpto) > 0) {
+ printf("-%c %s", goto_flag ? 'g' : 'j', cs->jumpto);
 }
+
+ printf("\n");
 }
 void print_matches_and_target(struct iptables_command_state *cs,
-- 
cgit v1.2.3
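Review bot: The reworked `save_matches_and_target()` prototype in the first hunk has no comment describing its new contract, and the prototype alone does not tell a caller what changed. I would add a short block comment above it stating that `format` is only inspected for `FMT_NOCOUNTS`/`FMT_C_COUNTS` to decide whether `-c PCNT BCNT` is printed, that `goto_flag` only selects `-g` versus `-j` when `cs->target` is NULL, and that the function now prints the terminating newline itself. The newline matters for any caller that still emits its own `\n`; the callers are not visible here because the page is limited to iptables/nft-shared.c. The function body continues in the second hunk.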
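Review bot: The new `else if (strlen(cs->jumpto) > 0)` branch in the second hunk reads `cs->jumpto` without a NULL check, and it runs exactly when `cs->target` is NULL. Nothing visible in the hunk guarantees that every caller sets `jumpto` to at least an empty string, so a path that leaves it NULL would be undefined behaviour while listing rules. A cheap guard that also avoids the full length scan is `} else if (cs->jumpto != NULL && cs->jumpto[0] != '\0') {`. If the invariant is established when the command state is built, a one-line comment saying so at this branch would do instead. The function body begins in the previous hunk.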