diff options
| -rw-r--r-- | iptables/nft-arp.c | 40 | ||||
| -rw-r--r-- | iptables/nft-arp.h | 10 | ||||
| -rw-r--r-- | iptables/nft-shared.c | 27 | ||||
| -rw-r--r-- | iptables/nft-shared.h | 3 | ||||
| -rw-r--r-- | iptables/xshared.h | 2 | ||||
| -rw-r--r-- | iptables/xtables-arp.c | 110 | ||||
| -rw-r--r-- | iptables/xtables-monitor.c | 8 |
7 files changed, 88 insertions, 112 deletions
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 4eacc61b..7b70ef22 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -139,8 +139,8 @@ static void print_mac_and_mask(const unsigned char *mac, const unsigned char *ma static int nft_arp_add(struct nftnl_rule *r, void *data) { - struct arptables_command_state *cs = data; - struct arpt_entry *fw = &cs->fw; + struct iptables_command_state *cs = data; + struct arpt_entry *fw = &cs->arp; uint32_t op; int ret = 0; @@ -260,8 +260,8 @@ static uint16_t ipt_to_arpt_flags(uint8_t invflags) static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, void *data) { - struct arptables_command_state *cs = data; - struct arpt_entry *fw = &cs->fw; + struct iptables_command_state *cs = data; + struct arpt_entry *fw = &cs->arp; uint8_t flags = 0; parse_meta(e, ctx->meta.key, fw->arp.iniface, fw->arp.iniface_mask, @@ -273,7 +273,7 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, static void nft_arp_parse_target(struct xtables_target *target, void *data) { - struct arptables_command_state *cs = data; + struct iptables_command_state *cs = data; cs->target = target; } @@ -281,7 +281,7 @@ static void nft_arp_parse_target(struct xtables_target *target, void *data) static void nft_arp_parse_immediate(const char *jumpto, bool nft_goto, void *data) { - struct arptables_command_state *cs = data; + struct iptables_command_state *cs = data; cs->jumpto = jumpto; } @@ -294,8 +294,8 @@ static void parse_mask_ipv4(struct nft_xt_ctx *ctx, struct in_addr *mask) static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e, void *data) { - struct arptables_command_state *cs = data; - struct arpt_entry *fw = &cs->fw; + struct iptables_command_state *cs = data; + struct arpt_entry *fw = &cs->arp; struct in_addr addr; unsigned short int ar_hrd, ar_pro, ar_op, ar_hln; bool inv; @@ -365,14 +365,14 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx, } } -void nft_rule_to_arptables_command_state(struct nftnl_rule *r, - struct arptables_command_state *cs) +void nft_rule_to_arptables_command_state(const struct nftnl_rule *r, + struct iptables_command_state *cs) { struct nftnl_expr_iter *iter; struct nftnl_expr *expr; int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY); struct nft_xt_ctx ctx = { - .state.cs_arp = cs, + .state.cs = cs, .family = family, }; @@ -387,7 +387,7 @@ void nft_rule_to_arptables_command_state(struct nftnl_rule *r, nftnl_expr_get_str(expr, NFTNL_EXPR_NAME); if (strcmp(name, "counter") == 0) - nft_parse_counter(expr, &ctx.state.cs_arp->fw.counters); + nft_parse_counter(expr, &ctx.state.cs->arp.counters); else if (strcmp(name, "payload") == 0) nft_parse_payload(&ctx, expr); else if (strcmp(name, "meta") == 0) @@ -581,27 +581,27 @@ static void nft_arp_print_firewall(struct nftnl_rule *r, unsigned int num, unsigned int format) { - struct arptables_command_state cs = {}; + struct iptables_command_state cs = {}; nft_rule_to_arptables_command_state(r, &cs); if (format & FMT_LINENUMBERS) printf("%u ", num); - print_fw_details(&cs.fw, format); + print_fw_details(&cs.arp, format); if (cs.jumpto != NULL && strcmp(cs.jumpto, "") != 0) { printf("-j %s", cs.jumpto); } else if (cs.target) { printf("-j %s", cs.target->name); - cs.target->print(&cs.fw, cs.target->t, format & FMT_NUMERIC); + cs.target->print(&cs.arp, cs.target->t, format & FMT_NUMERIC); } if (!(format & FMT_NOCOUNTS)) { printf(", pcnt="); - xtables_print_num(cs.fw.counters.pcnt, format); + xtables_print_num(cs.arp.counters.pcnt, format); printf("-- bcnt="); - xtables_print_num(cs.fw.counters.bcnt, format); + xtables_print_num(cs.arp.counters.bcnt, format); } if (!(format & FMT_NONEWLINE)) @@ -637,13 +637,13 @@ static bool nft_arp_is_same(const void *data_a, static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r, void *data) { - const struct arptables_command_state *cs = data; - struct arptables_command_state this = {}; + const struct iptables_command_state *cs = data; + struct iptables_command_state this = {}; /* Delete by matching rule case */ nft_rule_to_arptables_command_state(r, &this); - if (!nft_arp_is_same(cs, &this)) + if (!nft_arp_is_same(&cs->arp, &this.arp)) return false; if (!compare_targets(cs->target, this.target)) diff --git a/iptables/nft-arp.h b/iptables/nft-arp.h index 05889b49..e33bb748 100644 --- a/iptables/nft-arp.h +++ b/iptables/nft-arp.h @@ -4,13 +4,7 @@ extern char *opcodes[]; #define NUMOPCODES 9 -struct arptables_command_state { - struct arpt_entry fw; - struct xtables_target *target; - const char *jumpto; -}; - -void nft_rule_to_arptables_command_state(struct nftnl_rule *r, - struct arptables_command_state *cs); +void nft_rule_to_arptables_command_state(const struct nftnl_rule *r, + struct iptables_command_state *cs); #endif diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index eb2af851..0ff07bf3 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -294,21 +294,6 @@ int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface, return 0; } -static void *nft_get_data(struct nft_xt_ctx *ctx) -{ - switch(ctx->family) { - case NFPROTO_IPV4: - case NFPROTO_IPV6: - case NFPROTO_BRIDGE: - return ctx->state.cs; - case NFPROTO_ARP: - return ctx->state.cs_arp; - default: - /* Should not happen */ - return NULL; - } -} - void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e) { uint32_t tg_len; @@ -318,7 +303,7 @@ void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e) struct xt_entry_target *t; size_t size; struct nft_family_ops *ops; - void *data = nft_get_data(ctx); + void *data = ctx->state.cs; target = xtables_find_target(targname, XTF_TRY_LOAD); if (target == NULL) @@ -383,7 +368,7 @@ void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e) ops = nft_family_ops_lookup(ctx->family); if (ops->parse_match != NULL) - ops->parse_match(match, nft_get_data(ctx)); + ops->parse_match(match, ctx->state.cs); } void print_proto(uint16_t proto, int invert) @@ -446,7 +431,7 @@ static void nft_meta_set_to_target(struct nft_xt_ctx *ctx) target->t = t; ops = nft_family_ops_lookup(ctx->family); - ops->parse_target(target, nft_get_data(ctx)); + ops->parse_target(target, ctx->state.cs); } void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e) @@ -491,7 +476,7 @@ void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e) void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e) { struct nft_family_ops *ops = nft_family_ops_lookup(ctx->family); - void *data = nft_get_data(ctx); + void *data = ctx->state.cs; uint32_t reg; reg = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_SREG); @@ -521,7 +506,7 @@ void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) struct nft_family_ops *ops; const char *jumpto = NULL; bool nft_goto = false; - void *data = nft_get_data(ctx); + void *data = ctx->state.cs; int verdict; if (nftnl_expr_is_set(e, NFTNL_EXPR_IMM_DATA)) { @@ -563,7 +548,7 @@ void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) ops->parse_immediate(jumpto, nft_goto, data); } -void nft_rule_to_iptables_command_state(struct nftnl_rule *r, +void nft_rule_to_iptables_command_state(const struct nftnl_rule *r, struct iptables_command_state *cs) { struct nftnl_expr_iter *iter; diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index d74eeb00..18927a29 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -49,7 +49,6 @@ enum { struct nft_xt_ctx { union { struct iptables_command_state *cs; - struct arptables_command_state *cs_arp; } state; struct nftnl_expr_iter *iter; int family; @@ -145,7 +144,7 @@ void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e); void nft_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e); void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters); void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e); -void nft_rule_to_iptables_command_state(struct nftnl_rule *r, +void nft_rule_to_iptables_command_state(const struct nftnl_rule *r, struct iptables_command_state *cs); void print_header(unsigned int format, const char *chain, const char *pol, const struct xt_counters *counters, bool basechain, diff --git a/iptables/xshared.h b/iptables/xshared.h index 01c0eb12..533c5268 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -6,6 +6,7 @@ #include <stdint.h> #include <netinet/in.h> #include <net/if.h> +#include <linux/netfilter_arp/arp_tables.h> #include <linux/netfilter_ipv4/ip_tables.h> #include <linux/netfilter_ipv6/ip6_tables.h> @@ -83,6 +84,7 @@ struct iptables_command_state { struct ebt_entry eb; struct ipt_entry fw; struct ip6t_entry fw6; + struct arpt_entry arp; }; int invert; int c; diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index ffe47786..ce9e618b 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -862,7 +862,7 @@ static int append_entry(struct nft_handle *h, const char *chain, const char *table, - struct arptables_command_state *cs, + struct iptables_command_state *cs, int rulenum, unsigned int nsaddrs, const struct in_addr saddrs[], @@ -874,9 +874,9 @@ append_entry(struct nft_handle *h, int ret = 1; for (i = 0; i < nsaddrs; i++) { - cs->fw.arp.src.s_addr = saddrs[i].s_addr; + cs->arp.arp.src.s_addr = saddrs[i].s_addr; for (j = 0; j < ndaddrs; j++) { - cs->fw.arp.tgt.s_addr = daddrs[j].s_addr; + cs->arp.arp.tgt.s_addr = daddrs[j].s_addr; if (append) { ret = nft_rule_append(h, chain, table, cs, 0, verbose); @@ -893,14 +893,14 @@ append_entry(struct nft_handle *h, static int replace_entry(const char *chain, const char *table, - struct arptables_command_state *cs, + struct iptables_command_state *cs, unsigned int rulenum, const struct in_addr *saddr, const struct in_addr *daddr, bool verbose, struct nft_handle *h) { - cs->fw.arp.src.s_addr = saddr->s_addr; - cs->fw.arp.tgt.s_addr = daddr->s_addr; + cs->arp.arp.src.s_addr = saddr->s_addr; + cs->arp.arp.tgt.s_addr = daddr->s_addr; return nft_rule_replace(h, chain, table, cs, rulenum, verbose); } @@ -908,7 +908,7 @@ replace_entry(const char *chain, static int delete_entry(const char *chain, const char *table, - struct arptables_command_state *cs, + struct iptables_command_state *cs, unsigned int nsaddrs, const struct in_addr saddrs[], unsigned int ndaddrs, @@ -919,9 +919,9 @@ delete_entry(const char *chain, int ret = 1; for (i = 0; i < nsaddrs; i++) { - cs->fw.arp.src.s_addr = saddrs[i].s_addr; + cs->arp.arp.src.s_addr = saddrs[i].s_addr; for (j = 0; j < ndaddrs; j++) { - cs->fw.arp.tgt.s_addr = daddrs[j].s_addr; + cs->arp.arp.tgt.s_addr = daddrs[j].s_addr; ret = nft_rule_delete(h, chain, table, cs, verbose); } } @@ -931,7 +931,7 @@ delete_entry(const char *chain, int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) { - struct arptables_command_state cs = { + struct iptables_command_state cs = { .jumpto = "", }; int invert = 0; @@ -1088,47 +1088,47 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) break; case 's': check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_S_IP, &cs.fw.arp.invflags, + set_option(&options, OPT_S_IP, &cs.arp.arp.invflags, invert); shostnetworkmask = argv[optind-1]; break; case 'd': check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_D_IP, &cs.fw.arp.invflags, + set_option(&options, OPT_D_IP, &cs.arp.arp.invflags, invert); dhostnetworkmask = argv[optind-1]; break; case 2:/* src-mac */ check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_S_MAC, &cs.fw.arp.invflags, + set_option(&options, OPT_S_MAC, &cs.arp.arp.invflags, invert); if (getmac_and_mask(argv[optind - 1], - cs.fw.arp.src_devaddr.addr, cs.fw.arp.src_devaddr.mask)) + cs.arp.arp.src_devaddr.addr, cs.arp.arp.src_devaddr.mask)) xtables_error(PARAMETER_PROBLEM, "Problem with specified " "source mac"); break; case 3:/* dst-mac */ check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_D_MAC, &cs.fw.arp.invflags, + set_option(&options, OPT_D_MAC, &cs.arp.arp.invflags, invert); if (getmac_and_mask(argv[optind - 1], - cs.fw.arp.tgt_devaddr.addr, cs.fw.arp.tgt_devaddr.mask)) + cs.arp.arp.tgt_devaddr.addr, cs.arp.arp.tgt_devaddr.mask)) xtables_error(PARAMETER_PROBLEM, "Problem with specified " "destination mac"); break; case 'l':/* hardware length */ check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_H_LENGTH, &cs.fw.arp.invflags, + set_option(&options, OPT_H_LENGTH, &cs.arp.arp.invflags, invert); - getlength_and_mask(argv[optind - 1], &cs.fw.arp.arhln, - &cs.fw.arp.arhln_mask); + getlength_and_mask(argv[optind - 1], &cs.arp.arp.arhln, + &cs.arp.arp.arhln_mask); - if (cs.fw.arp.arhln != 6) { + if (cs.arp.arp.arhln != 6) { xtables_error(PARAMETER_PROBLEM, "Only harware address length of" " 6 is supported currently."); @@ -1140,20 +1140,20 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) xtables_error(PARAMETER_PROBLEM, "not supported"); /* check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_P_LENGTH, &cs.fw.arp.invflags, + set_option(&options, OPT_P_LENGTH, &cs.arp.arp.invflags, invert); - getlength_and_mask(argv[optind - 1], &cs.fw.arp.arpln, - &cs.fw.arp.arpln_mask); + getlength_and_mask(argv[optind - 1], &cs.arp.arp.arpln, + &cs.arp.arp.arpln_mask); break; */ case 4:/* opcode */ check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_OPCODE, &cs.fw.arp.invflags, + set_option(&options, OPT_OPCODE, &cs.arp.arp.invflags, invert); - if (get16_and_mask(argv[optind - 1], &cs.fw.arp.arpop, - &cs.fw.arp.arpop_mask, 10)) { + if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arpop, + &cs.arp.arp.arpop_mask, 10)) { int i; for (i = 0; i < NUMOPCODES; i++) @@ -1161,65 +1161,65 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) break; if (i == NUMOPCODES) xtables_error(PARAMETER_PROBLEM, "Problem with specified opcode"); - cs.fw.arp.arpop = htons(i+1); + cs.arp.arp.arpop = htons(i+1); } break; case 5:/* h-type */ check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_H_TYPE, &cs.fw.arp.invflags, + set_option(&options, OPT_H_TYPE, &cs.arp.arp.invflags, invert); - if (get16_and_mask(argv[optind - 1], &cs.fw.arp.arhrd, - &cs.fw.arp.arhrd_mask, 16)) { + if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arhrd, + &cs.arp.arp.arhrd_mask, 16)) { if (strcasecmp(argv[optind-1], "Ethernet")) xtables_error(PARAMETER_PROBLEM, "Problem with specified hardware type"); - cs.fw.arp.arhrd = htons(1); + cs.arp.arp.arhrd = htons(1); } break; case 6:/* proto-type */ check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_P_TYPE, &cs.fw.arp.invflags, + set_option(&options, OPT_P_TYPE, &cs.arp.arp.invflags, invert); - if (get16_and_mask(argv[optind - 1], &cs.fw.arp.arpro, - &cs.fw.arp.arpro_mask, 0)) { + if (get16_and_mask(argv[optind - 1], &cs.arp.arp.arpro, + &cs.arp.arp.arpro_mask, 0)) { if (strcasecmp(argv[optind-1], "ipv4")) xtables_error(PARAMETER_PROBLEM, "Problem with specified protocol type"); - cs.fw.arp.arpro = htons(0x800); + cs.arp.arp.arpro = htons(0x800); } break; case 'j': - set_option(&options, OPT_JUMP, &cs.fw.arp.invflags, + set_option(&options, OPT_JUMP, &cs.arp.arp.invflags, invert); cs.jumpto = parse_target(optarg); - cs.target = command_jump(&cs.fw, cs.jumpto); + cs.target = command_jump(&cs.arp, cs.jumpto); break; case 'i': check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_VIANAMEIN, &cs.fw.arp.invflags, + set_option(&options, OPT_VIANAMEIN, &cs.arp.arp.invflags, invert); parse_interface(argv[optind-1], - cs.fw.arp.iniface, - cs.fw.arp.iniface_mask); -/* cs.fw.nfcache |= NFC_IP_IF_IN; */ + cs.arp.arp.iniface, + cs.arp.arp.iniface_mask); +/* cs.arp.nfcache |= NFC_IP_IF_IN; */ break; case 'o': check_inverse(optarg, &invert, &optind, argc); - set_option(&options, OPT_VIANAMEOUT, &cs.fw.arp.invflags, + set_option(&options, OPT_VIANAMEOUT, &cs.arp.arp.invflags, invert); parse_interface(argv[optind-1], - cs.fw.arp.outiface, - cs.fw.arp.outiface_mask); - /* cs.fw.nfcache |= NFC_IP_IF_OUT; */ + cs.arp.arp.outiface, + cs.arp.arp.outiface_mask); + /* cs.arp.nfcache |= NFC_IP_IF_OUT; */ break; case 'v': if (!verbose) set_option(&options, OPT_VERBOSE, - &cs.fw.arp.invflags, invert); + &cs.arp.arp.invflags, invert); verbose++; break; @@ -1242,7 +1242,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) break; case 'n': - set_option(&options, OPT_NUMERIC, &cs.fw.arp.invflags, + set_option(&options, OPT_NUMERIC, &cs.arp.arp.invflags, invert); break; @@ -1262,7 +1262,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) exit(0); case '0': - set_option(&options, OPT_LINENUMBERS, &cs.fw.arp.invflags, + set_option(&options, OPT_LINENUMBERS, &cs.arp.arp.invflags, invert); break; @@ -1272,7 +1272,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) case 'c': - set_option(&options, OPT_COUNTERS, &cs.fw.arp.invflags, + set_option(&options, OPT_COUNTERS, &cs.arp.arp.invflags, invert); pcnt = optarg; if (xs_has_arg(argc, argv)) @@ -1282,12 +1282,12 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) "-%c requires packet and byte counter", opt2char(OPT_COUNTERS)); - if (sscanf(pcnt, "%llu", &cs.fw.counters.pcnt) != 1) + if (sscanf(pcnt, "%llu", &cs.arp.counters.pcnt) != 1) xtables_error(PARAMETER_PROBLEM, "-%c packet counter not numeric", opt2char(OPT_COUNTERS)); - if (sscanf(bcnt, "%llu", &cs.fw.counters.bcnt) != 1) + if (sscanf(bcnt, "%llu", &cs.arp.counters.bcnt) != 1) xtables_error(PARAMETER_PROBLEM, "-%c byte counter not numeric", opt2char(OPT_COUNTERS)); @@ -1311,7 +1311,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) default: if (cs.target) { xtables_option_tpcall(c, argv, - invert, cs.target, &cs.fw); + invert, cs.target, &cs.arp); } break; } @@ -1339,14 +1339,14 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table) if (shostnetworkmask) parse_hostnetworkmask(shostnetworkmask, &saddrs, - &(cs.fw.arp.smsk), &nsaddrs); + &(cs.arp.arp.smsk), &nsaddrs); if (dhostnetworkmask) parse_hostnetworkmask(dhostnetworkmask, &daddrs, - &(cs.fw.arp.tmsk), &ndaddrs); + &(cs.arp.arp.tmsk), &ndaddrs); if ((nsaddrs > 1 || ndaddrs > 1) && - (cs.fw.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP))) + (cs.arp.arp.invflags & (ARPT_INV_SRCIP | ARPT_INV_TGTIP))) xtables_error(PARAMETER_PROBLEM, "! not allowed with multiple" " source or destination IP addresses"); diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index dd380300..e491b4db 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c @@ -73,12 +73,10 @@ static bool events; static int rule_cb(const struct nlmsghdr *nlh, void *data) { - struct arptables_command_state cs_arp = {}; struct iptables_command_state cs = {}; uint32_t type = nlh->nlmsg_type & 0xFF; const struct cb_arg *arg = data; struct nftnl_rule *r; - void *fw = NULL; uint8_t family; r = nftnl_rule_alloc(); @@ -99,19 +97,17 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data) case AF_INET6: printf("-%c ", family == AF_INET ? '4' : '6'); nft_rule_to_iptables_command_state(r, &cs); - fw = &cs; break; case NFPROTO_ARP: printf("-0 "); - nft_rule_to_arptables_command_state(r, &cs_arp); - fw = &cs_arp; + nft_rule_to_arptables_command_state(r, &cs); break; default: goto err_free; } printf("-t %s ", nftnl_rule_get_str(r, NFTNL_RULE_TABLE)); - nft_rule_print_save(fw, r, + nft_rule_print_save(&cs, r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND : NFT_RULE_DEL, counters ? 0 : FMT_NOCOUNTS); |