xtables: warn in case old-style (set/getsockopt) tables exist

Provide a hint that iptables isn't showing all rules because its using nfnetlink rather than old set/getsockopt. Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2018-06-19 12:02:24 +0200
committer: Florian Westphal <fw@strlen.de> 2018-06-25 11:50:51 +0200
commit: 20eac2ad174e43a3d4a4275c3d44f99c12bd04b9 (patch)
tree: f6f38ec4b33f55394d7930532bdcde7feb3cbed8 /iptables/nft-shared.c
parent: c9f5e18d72d3a010e9a53024290f9f4802ada9fd (diff)
1 files changed, 29 insertions, 0 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b89a3e7b..ed0d0ee9 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -904,3 +904,32 @@ bool nft_ipv46_rule_find(struct nft_family_ops *ops,
 
 	return true;
 }
+
+void nft_check_xt_legacy(int family, bool is_ipt_save)
+{
+	static const char tables6[] = "/proc/net/ip6_tables_names";
+	static const char tables4[] = "/proc/net/ip_tables_names";
+	const char *prefix = "ip";
+	FILE *fp = NULL;
+	char buf[1024];
+
+	switch (family) {
+	case NFPROTO_IPV4:
+		fp = fopen(tables4, "r");
+		break;
+	case NFPROTO_IPV6:
+		fp = fopen(tables6, "r");
+		prefix = "ip6";
+		break;
+	default:
+		break;
+	}
+
+	if (!fp)
+		return;
+
+	if (fgets(buf, sizeof(buf), fp))
+		fprintf(stderr, "# Warning: %stables-legacy tables present, use %stables-legacy%s to see them\n",
+			prefix, prefix, is_ipt_save ? "-save" : "");
+	fclose(fp);
+}
author	Florian Westphal <fw@strlen.de>	2018-06-19 12:02:24 +0200
committer	Florian Westphal <fw@strlen.de>	2018-06-25 11:50:51 +0200
commit	20eac2ad174e43a3d4a4275c3d44f99c12bd04b9 (patch)
tree	f6f38ec4b33f55394d7930532bdcde7feb3cbed8 /iptables/nft-shared.c
parent	c9f5e18d72d3a010e9a53024290f9f4802ada9fd (diff)