author | Phil Sutter <phil@nwl.cc> | 2022-05-05 18:13:12 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2022-05-11 12:02:28 +0200 |
commit | 3b8a6a6fa870c5ed4a2c533fcec9524bc98e5709 (patch) | |
tree | 611b69d2b1116e3961700182f596b64c8263404f /iptables/xshared.c | |
parent | 8ff84eaf987d74603a88b02632bd00187defcf8d (diff) |
xshared: Extend xtables_printhelp() for arptables
The function checks afinfo->family already to cover ip6tables specifics,
doing the same for arptables does not make things much worse.
This changes arptables-nft help output slightly:
* List possible negations extrapositioned, which is preferred anyway
(arptables-nft supports both)
* List --out-interface option at lexically sorted position
* Print --wait option, it's ignored just like with iptables
* Restore default target option printing as with legacy arptables (not
sure if arptables-nft ever did this) by explicitly loading them.
While at it, add the --set-counters short option '-c' to the help output
for ip(6)tables.
This effectively removes the need for (and all users of)
xtables_global's 'print_help' callback, thus effectively reverts commit
fe83b12fc910e ("libxtables: Introduce xtables_globals print_help
callback") which broke libxtables' ABI compatibility.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/xshared.c')
-rw-r--r-- | iptables/xshared.c | 53 |
1 files changed, 43 insertions, 10 deletions
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 674b49cb..e959f203 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1156,7 +1156,7 @@ int print_match_save(const struct xt_entry_match *e, const void *ip)
 return 0;
 }
-void
+static void
 xtables_printhelp(const struct xtables_rule_match *matches)
 {
 const char *prog_name = xt_params->program_name;
@@ -1203,23 +1203,40 @@ xtables_printhelp(const struct xtables_rule_match *matches)
 " Change policy on chain to target\n"
 " --rename-chain\n"
 " -E old-chain new-chain\n"
-" Change chain name, (moving any references)\n");
+" Change chain name, (moving any references)\n"
+"\n"
+"Options:\n");
- printf(
-"Options:\n"
+ if (afinfo->family == NFPROTO_ARP) {
+ printf(
+"[!] --source-ip -s address[/mask]\n"
+" source specification\n"
+"[!] --destination-ip -d address[/mask]\n"
+" destination specification\n"
+"[!] --source-mac address[/mask]\n"
+"[!] --destination-mac address[/mask]\n"
+" --h-length -l length[/mask] hardware length (nr of bytes)\n"
+" --opcode code[/mask] operation code (2 bytes)\n"
+" --h-type type[/mask] hardware type (2 bytes, hexadecimal)\n"
+" --proto-type type[/mask] protocol type (2 bytes)\n");
+ } else {
+ printf(
 " --ipv4 -4 %s (line is ignored by ip6tables-restore)\n"
 " --ipv6 -6 %s (line is ignored by iptables-restore)\n"
 "[!] --protocol -p proto protocol: by number or name, eg. `tcp'\n"
 "[!] --source -s address[/mask][...]\n"
 " source specification\n"
 "[!] --destination -d address[/mask][...]\n"
-" destination specification\n"
+" destination specification\n",
+ afinfo->family == NFPROTO_IPV4 ? "Nothing" : "Error",
+ afinfo->family == NFPROTO_IPV4 ? "Error" : "Nothing");
+ }
+
+ printf(
 "[!] --in-interface -i input name[+]\n"
 " network interface name ([+] for wildcard)\n"
 " --jump -j target\n"
-" target for rule (may load target extension)\n",
- afinfo->family == NFPROTO_IPV4 ? "Nothing" : "Error",
- afinfo->family == NFPROTO_IPV4 ? "Error" : "Nothing");
+" target for rule (may load target extension)\n");
 if (0
 #ifdef IPT_F_GOTO
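Review bot: The `else` arm added here treats every family other than NFPROTO_ARP as iptables or ip6tables, because the two ternaries `afinfo->family == NFPROTO_IPV4 ? "Nothing" : "Error"` fall through to the ip6tables wording for anything that is not IPv4. Now that the function distinguishes three families, that assumption deserves a comment above the second `printf(`, for example `/* IPv4 and IPv6 only; any other family would get the ip6tables text */`. xtables_printhelp() starts and ends outside this hunk, so whether another family can reach this branch is not visible here.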
@@ -1250,9 +1267,25 @@ xtables_printhelp(const struct xtables_rule_match *matches)
 printf(
 " --modprobe=<command> try to insert modules using this command\n"
-" --set-counters PKTS BYTES set the counter during insert/append\n"
+" --set-counters -c PKTS BYTES set the counter during insert/append\n"
 "[!] --version -V print package version.\n");
+ if (afinfo->family == NFPROTO_ARP) {
+ int i;
+
+ printf(" opcode strings: \n");
+ for (i = 0; i < ARP_NUMOPCODES; i++)
+ printf(" %d = %s\n", i + 1, arp_opcodes[i]);
+ printf(
+ " hardware type string: 1 = Ethernet\n"
+ " protocol type string: 0x800 = IPv4\n");
+
+ xtables_find_target("standard", XTF_TRY_LOAD);
+ xtables_find_target("mangle", XTF_TRY_LOAD);
+ xtables_find_target("CLASSIFY", XTF_TRY_LOAD);
+ xtables_find_target("MARK", XTF_TRY_LOAD);
+ }
+
 print_extension_helps(xtables_targets, matches);
 }
@@ -1475,7 +1508,7 @@ void do_parse(int argc, char *argv[],
 xtables_find_match(cs->protocol,
 XTF_TRY_LOAD, &cs->matches);
- xt_params->print_help(cs->matches);
+ xtables_printhelp(cs->matches);
 exit(0);
 /* |
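Review bot: The opcode loop in the added NFPROTO_ARP block reads `arp_opcodes[i]` for every `i` below `ARP_NUMOPCODES`, and neither the array nor the constant is defined in this hunk, so nothing visible here ties the bound to the array's real length. If the two ever drift apart, the help path reads past the end of the array and passes the result to `%s`. A `_Static_assert` beside the array definition, or a loop bound derived from the array where its full type is visible, would pin that down. The four `xtables_find_target(..., XTF_TRY_LOAD)` calls discard their results and exist only for their loading side effect, which a short comment should state, for example `/* load the default targets so print_extension_helps() lists them */`.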