Allow for more intuitive xtables-monitor use, e.g. 'ebtables-monitor' instead of 'xtables-monitor --bridge'. This needs separate main functions to call from xtables-nft-multi.c and in turn allows to properly initialize for each family. The latter is required to correctly print e.g. rules using ebtables extensions.
Signed-off-by: Phil Sutter <[email protected]> --- iptables/Makefile.am | 13 ++++-- iptables/xtables-monitor.8.in | 14 ++++++ iptables/xtables-monitor.c | 88 ++++++++++++++++++++++++++++------- iptables/xtables-multi.h | 4 ++ iptables/xtables-nft-multi.c | 4 ++ 5 files changed, 104 insertions(+), 19 deletions(-) diff --git a/iptables/Makefile.am b/iptables/Makefile.am index da07b9a4b5a2f..0af9f8dc7738e 100644 --- a/iptables/Makefile.am +++ b/iptables/Makefile.am @@ -49,6 +49,8 @@ endif XTABLES_XLATE_8_LINKS = iptables-translate.8 ip6tables-translate.8 \ iptables-restore-translate.8 ip6tables-restore-translate.8 +XTABLES_MONITOR_8_LINKS = iptables-monitor.8 ip6tables-monitor.8 \ + arptables-monitor.8 ebtables-monitor.8 sbin_PROGRAMS = xtables-legacy-multi if ENABLE_NFTABLES @@ -60,12 +62,13 @@ man_MANS = iptables.8 iptables-restore.8 iptables-save.8 \ if ENABLE_NFTABLES man_MANS += xtables-nft.8 xtables-translate.8 xtables-legacy.8 \ ${XTABLES_XLATE_8_LINKS} \ - xtables-monitor.8 \ + xtables-monitor.8 ${XTABLES_MONITOR_8_LINKS} \ arptables-nft.8 arptables-nft-restore.8 arptables-nft-save.8 \ ebtables-nft.8 endif CLEANFILES = iptables.8 xtables-monitor.8 \ - ${XTABLES_XLATE_8_LINKS} + ${XTABLES_XLATE_8_LINKS} \ + ${XTABLES_MONITOR_8_LINKS} vx_bin_links = iptables-xml if ENABLE_IPV4 @@ -87,7 +90,8 @@ x_sbin_links = iptables-nft iptables-nft-restore iptables-nft-save \ ebtables-nft ebtables \ ebtables-nft-restore ebtables-restore \ ebtables-nft-save ebtables-save \ - xtables-monitor + xtables-monitor arptables-monitor ebtables-monitor \ + iptables-monitor ip6tables-monitor endif iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../extensions/targets.man @@ -98,6 +102,9 @@ iptables-extensions.8: iptables-extensions.8.tmpl ../extensions/matches.man ../e ${XTABLES_XLATE_8_LINKS}: ${AM_VERBOSE_GEN} echo '.so man8/xtables-translate.8' >$@ +${XTABLES_MONITOR_8_LINKS}: + ${AM_VERBOSE_GEN} echo '.so man8/xtables-monitor.8' >$@ + pkgconfig_DATA = xtables.pc # Using if..fi avoids an ugly "error (ignored)" message :) diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in index 6bde54fa4a359..b91b81489d1b9 100644 --- a/iptables/xtables-monitor.8.in +++ b/iptables/xtables-monitor.8.in @@ -3,6 +3,14 @@ xtables-monitor \(em show changes to rule set and trace-events .SH SYNOPSIS \fBxtables\-monitor\fP [\fB\-t\fP] [\fB\-e\fP] [\fB\-0\fP|\fB-1\fP|\fB\-4\fP|\fB\-6\fP] +.br +\fBiptables-monitor\fP [\fB\-t\fP] [\fB\-e\fP] +.br +\fBip6tables-monitor\fP [\fB\-t\fP] [\fB\-e\fP] +.br +\fBarptables-monitor\fP [\fB\-t\fP] [\fB\-e\fP] +.br +\fBebtables-monitor\fP [\fB\-t\fP] [\fB\-e\fP] .PP \ .SH DESCRIPTION @@ -12,6 +20,12 @@ is used to monitor changes to the ruleset or to show rule evaluation events for packets tagged using the TRACE target. .B xtables-monitor will run until the user aborts execution, typically by using CTRL-C. +.PP +.BR iptables-monitor ", " ip6tables-monitor ", " +.BR arptables-monitor " and " ebtables-monitor +are aliases to calling +.B xtables-monitor +with a family filtering flag. .RE .SH OPTIONS .TP diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c index 9be8ce9de6b5f..71e9de45a34a3 100644 --- a/iptables/xtables-monitor.c +++ b/iptables/xtables-monitor.c @@ -37,6 +37,7 @@ #include "xtables-multi.h" #include "nft.h" #include "nft-arp.h" +#include "nft-bridge.h" struct cb_arg { uint32_t nfproto; @@ -611,28 +612,16 @@ static void set_nfproto(struct cb_arg *arg, uint32_t val) arg->nfproto = val; } -int xtables_monitor_main(int argc, char *argv[]) +static int __xtables_monitor_main(uint32_t family, int argc, char *argv[]) { struct mnl_socket *nl; char buf[MNL_SOCKET_BUFFER_SIZE]; uint32_t nfgroup = 0; - struct cb_arg cb_arg = {}; + struct cb_arg cb_arg = { + .nfproto = family, + }; int ret, c; - xtables_globals.program_name = "xtables-monitor"; - /* XXX xtables_init_all does several things we don't want */ - c = xtables_init_all(&xtables_globals, NFPROTO_IPV4); - if (c < 0) { - fprintf(stderr, "%s/%s Failed to initialize xtables\n", - xtables_globals.program_name, - xtables_globals.program_version); - exit(1); - } -#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) - init_extensions(); - init_extensions4(); -#endif - opterr = 0; while ((c = getopt_long(argc, argv, "ceht0146V", options, NULL)) != -1) { switch (c) { @@ -708,3 +697,70 @@ int xtables_monitor_main(int argc, char *argv[]) return EXIT_SUCCESS; } +static void common_xtables_init(const char *argv0, uint8_t family) +{ + xtables_globals.program_name = basename(argv0); + + /* XXX xtables_init_all does several things we don't want */ + if (xtables_init_all(&xtables_globals, family) < 0) { + fprintf(stderr, "%s/%s Failed to initialize xtables\n", + xtables_globals.program_name, + xtables_globals.program_version); + exit(1); + } +} + +int xtables_monitor_main(int argc, char *argv[]) +{ + /* Can't pass NFPROTO_UNSPEC, xtables_set_nfproto() would complain. */ + common_xtables_init(argv[0], NFPROTO_IPV4); + + return __xtables_monitor_main(NFPROTO_UNSPEC, argc, argv); +} + +int iptables_monitor_main(int argc, char *argv[]) +{ + common_xtables_init(argv[0], NFPROTO_IPV4); +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + init_extensions(); + init_extensions4(); +#endif + + return __xtables_monitor_main(NFPROTO_IPV4, argc, argv); +} + +int ip6tables_monitor_main(int argc, char *argv[]) +{ + common_xtables_init(argv[0], NFPROTO_IPV6); +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + init_extensions(); + init_extensions4(); +#endif + + return __xtables_monitor_main(NFPROTO_IPV6, argc, argv); +} + +int arptables_monitor_main(int argc, char *argv[]) +{ + common_xtables_init(argv[0], NFPROTO_ARP); +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + init_extensionsa(); +#endif + + return __xtables_monitor_main(NFPROTO_ARP, argc, argv); +} + +int ebtables_monitor_main(int argc, char *argv[]) +{ + common_xtables_init(argv[0], NFPROTO_BRIDGE); +#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS) + init_extensionsb(); +#endif + /* manually registering ebt matches, given the original ebtables parser + * don't use '-m matchname' and the match can't be loaded dynamically when + * the user calls it. + */ + ebt_load_match_extensions(); + + return __xtables_monitor_main(NFPROTO_BRIDGE, argc, argv); +} diff --git a/iptables/xtables-multi.h b/iptables/xtables-multi.h index 0fedb430e1a28..11364ba5b731e 100644 --- a/iptables/xtables-multi.h +++ b/iptables/xtables-multi.h @@ -22,6 +22,10 @@ extern int xtables_eb_restore_main(int, char **); extern int xtables_eb_save_main(int, char **); extern int xtables_config_main(int, char **); extern int xtables_monitor_main(int, char **); +extern int iptables_monitor_main(int, char **); +extern int ip6tables_monitor_main(int, char **); +extern int arptables_monitor_main(int, char **); +extern int ebtables_monitor_main(int, char **); #endif #endif /* _XTABLES_MULTI_H */ diff --git a/iptables/xtables-nft-multi.c b/iptables/xtables-nft-multi.c index e2b7c641f85dd..3b13d89dffcb3 100644 --- a/iptables/xtables-nft-multi.c +++ b/iptables/xtables-nft-multi.c @@ -44,6 +44,10 @@ static const struct subcommand multi_subcommands[] = { {"ebtables-nft-restore", xtables_eb_restore_main}, {"ebtables-nft-save", xtables_eb_save_main}, {"xtables-monitor", xtables_monitor_main}, + {"iptables-monitor", iptables_monitor_main}, + {"ip6tables-monitor", ip6tables_monitor_main}, + {"arptables-monitor", arptables_monitor_main}, + {"ebtables-monitor", ebtables_monitor_main}, {NULL}, }; -- 2.22.0
