| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-02-04 16:21:18 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-02-04 16:28:33 +0100 |
| commit | 4cffe00557b40dfe8c3236746797b24c4074c95e (patch) | |
| tree | a2be509af0df42e3d4050a03c1f19fa69c6c36af /iptables/xtables-save.c | |
| parent | 43bb2819c5b7b783cbaceffd0e6d4b6e502a0fb5 (diff) | |
xtables: add xtables-compat-multi for the nftables compatibility layer
This patch should allow distributors to switch to the iptables over
nftables compatibility layer in a transparent way by updating
symbolic links from:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-multi
to:
lrwxrwxrwx 1 root root 13 feb 4 15:35 iptables -> xtables-compat-multi
Same thing with iptables-save, iptables-restore, ip6tables, ip6tables-save,
ip6tables-restore and arptables.
Note that, after this patch, the following new symlinks are installed:
* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* arptables-compat
which point to the new binary xtables-compat-multi.
The idea is to keep both native and compatibility tools installed in the
system, which should also make it easier for testing purposes.
The iptables over nftables compatibility layer is enabled by default
and it requires the libmnl and libnftnl libraries. If you don't want to
compile the compatibility layer, you can still disable it through
--disable-nftables.
This patch also includes changes to adapt the existing code to this
approach.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables-save.c')
-rw-r--r-- | iptables/xtables-save.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c index 77eab149..93065cfc 100644 --- a/iptables/xtables-save.c +++ b/iptables/xtables-save.c @@ -74,17 +74,17 @@ do_output(struct nft_handle *h, const char *tablename, bool counters) * :Chain name POLICY packets bytes * rule */ -int -xtables_save_main(int argc, char *argv[]) +static int +xtables_save_main(int family, const char *progname, int argc, char *argv[]) { const char *tablename = NULL; bool dump = false; struct nft_handle h = { - .family = AF_INET, /* default to AF_INET */ + .family = family, }; int c; - xtables_globals.program_name = "xtables-save"; + xtables_globals.program_name = progname; /* XXX xtables_init_all does several things we don't want */ c = xtables_init_all(&xtables_globals, NFPROTO_IPV4); if (c < 0) { @@ -143,3 +143,13 @@ xtables_save_main(int argc, char *argv[]) return !do_output(&h, tablename, show_counters); } + +int xtables_ip4_save_main(int argc, char *argv[]) +{ + return xtables_save_main(NFPROTO_IPV4, "iptables-save", argc, argv); +} + +int xtables_ip6_save_main(int argc, char *argv[]) +{ + return xtables_save_main(NFPROTO_IPV6, "ip6tables-save", argc, argv); +} |
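Review bot: in the first hunk the new `family` parameter is stored in `h.family`, but the unchanged context line `c = xtables_init_all(&xtables_globals, NFPROTO_IPV4);` still hardcodes IPv4, so `xtables_ip6_save_main()` will set up `xtables_globals` for NFPROTO_IPV4 while the nft handle is dumping an IPv6 family. Suggest passing the parameter through, `c = xtables_init_all(&xtables_globals, family);`, and the `/* XXX xtables_init_all does several things we don't want */` comment directly above it is a second reason to revisit that call rather than leave the fixed protocol in place.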
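Review bot: the second hunk hardcodes the program name as `"iptables-save"` and `"ip6tables-save"`, while the commit message says the binary is installed behind the `iptables-compat-save` and `ip6tables-compat-save` symlinks, so the name stored in `xtables_globals.program_name` (and anything that prints it) will refer to a tool the user did not invoke. Consider deriving the name from `argv[0]` or passing the compat name from the caller so diagnostics match the invoked symlink. The two new non-static entry points `xtables_ip4_save_main()` and `xtables_ip6_save_main()` also have no prototype in this diff; if they are called from the new xtables-compat-multi dispatcher, a declaration in a shared header avoids implicit-declaration warnings and keeps the signatures in sync.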