author Phil Sutter <phil@nwl.cc> 2020-08-07 16:42:07 +0200
committer Phil Sutter <phil@nwl.cc> 2020-08-14 09:01:57 +0200
commit ca69b0290dc509d72118f0a054a5c740cb913875
tree e0534b9e54ad1391d31b7dfc36a26079c0fb58a6
parent cd3e83d1b04fd2683f0fb06e496ee5be08a96b4f
xtables-monitor: Fix ip6tables rule printing
When printing an ip6tables rule event, false family ops are used as they are initially looked up for AF_INET and reused no matter the current rule's family. In practice, this means that nft_rule_print_save() calls the wrong rule_to_cs, save_rule and clear_cs callbacks. Therefore, if a rule specifies a source or destination address, the address is not printed.

Fix this by performing a family lookup each time rule_cb is called.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

-rw-r--r-- iptables/xtables-monitor.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 57def83e..4008cc00 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -93,6 +93,8 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
if (arg->nfproto && arg->nfproto != family)
goto err_free;
+ arg->h->ops = nft_family_ops_lookup(family);
+
if (arg->is_event)
printf(" EVENT: ");
switch (family) {
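
Review bot: The result of nft_family_ops_lookup(family) is stored in arg->h->ops without a check, at a point where the only filter on family is the `arg->nfproto && arg->nfproto != family` test, which is skipped when nfproto is unset. If the lookup can return NULL for a family it does not handle, the print path reached from the `switch (family)` below would call through a NULL ops pointer on input that arrives from netlink events. Consider testing the return value and taking the existing `goto err_free` path on failure, or moving the assignment into the switch cases that actually print a rule. A short comment that the handle's ops are deliberately overwritten on every callback would also help, since the change persists in the shared handle after rule_cb returns.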