EXP="\
EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0
EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
- EVENT: -4 -t filter -A FORWARD -j ACCEPT"
+ EVENT: iptables -t filter -A FORWARD -j ACCEPT"
monitorcheck iptables -A FORWARD -j ACCEPT
EXP="\
EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0
EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
- EVENT: -6 -t filter -A FORWARD -j ACCEPT"
+ EVENT: ip6tables -t filter -A FORWARD -j ACCEPT"
monitorcheck ip6tables -A FORWARD -j ACCEPT
EXP="\
EXP="\
EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0
EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1
- EVENT: -0 -t filter -A INPUT -j ACCEPT"
+ EVENT: arptables -t filter -A INPUT -j ACCEPT"
monitorcheck arptables -A INPUT -j ACCEPT
-EXP=" EVENT: -4 -t filter -N foo"
+EXP=" EVENT: iptables -t filter -N foo"
monitorcheck iptables -N foo
-EXP=" EVENT: -6 -t filter -N foo"
+EXP=" EVENT: ip6tables -t filter -N foo"
monitorcheck ip6tables -N foo
-EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
+EXP=" EVENT: ebtables -t filter -N foo"
monitorcheck ebtables -N foo
-EXP=" EVENT: -0 -t filter -N foo"
+EXP=" EVENT: arptables -t filter -N foo"
monitorcheck arptables -N foo
# meta l4proto matches require proper nft_handle:family value
-EXP=" EVENT: -4 -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+EXP=" EVENT: iptables -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
-EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+EXP=" EVENT: ip6tables -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
-EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+EXP=" EVENT: arptables -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
-EXP=" EVENT: -4 -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+EXP=" EVENT: iptables -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
-EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+EXP=" EVENT: ip6tables -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
-EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
-EXP=" EVENT: -4 -t filter -X foo"
+EXP=" EVENT: iptables -t filter -X foo"
monitorcheck iptables -X foo
-EXP=" EVENT: -6 -t filter -X foo"
+EXP=" EVENT: ip6tables -t filter -X foo"
monitorcheck ip6tables -X foo
-EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
+EXP=" EVENT: ebtables -t filter -X foo"
monitorcheck ebtables -X foo
-EXP=" EVENT: -0 -t filter -X foo"
+EXP=" EVENT: arptables -t filter -X foo"
monitorcheck arptables -X foo
-EXP=" EVENT: -4 -t filter -D FORWARD -j ACCEPT"
+EXP=" EVENT: iptables -t filter -D FORWARD -j ACCEPT"
monitorcheck iptables -F FORWARD
-EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
+EXP=" EVENT: ip6tables -t filter -D FORWARD -j ACCEPT"
monitorcheck ip6tables -F FORWARD
EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT"
monitorcheck ebtables -F FORWARD
-EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
+EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT"
monitorcheck arptables -F INPUT
EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
return MNL_CB_OK;
}
+static const char *family_cmd(int family)
+{
+ switch (family) {
+ case NFPROTO_IPV4:
+ return "iptables";
+ case NFPROTO_IPV6:
+ return "ip6tables";
+ case NFPROTO_ARP:
+ return "arptables";
+ case NFPROTO_BRIDGE:
+ return "ebtables";
+ default:
+ return NULL;
+ }
+}
+
static bool counters;
static bool trace;
static bool events;
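Review bot: The new family_cmd() helper carries no comment, yet the code that follows it keys control flow on its NULL return (the rule path bails out, the chain path falls back to nft-style output); a one-line header would make that contract explicit, e.g. `/* Name of the xtables front-end that administers @family (NFPROTO_*), or NULL when the family has no iptables-style command. */`. It switches on NFPROTO_ARP and NFPROTO_BRIDGE, which the pre-existing code around it already used, so I assume the defining header is included further up; that include is outside this hunk.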
nft_rule_is_policy_rule(r))
goto err_free;
- if (arg->is_event)
- printf(" EVENT: ");
- switch (family) {
- case AF_INET:
- case AF_INET6:
- printf("-%c ", family == AF_INET ? '4' : '6');
- break;
- case NFPROTO_ARP:
- printf("-0 ");
- break;
- case NFPROTO_BRIDGE:
- printf("ebtables ");
- break;
- default:
- puts("");
+ if (!family_cmd(family))
goto err_free;
- }
- printf("-t %s ", nftnl_rule_get_str(r, NFTNL_RULE_TABLE));
- nft_rule_print_save(arg->h, r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
- NFT_RULE_DEL,
+ printf("%s%s -t %s ",
+ arg->is_event ? " EVENT: " : "",
+ family_cmd(family),
+ nftnl_rule_get_str(r, NFTNL_RULE_TABLE));
+ nft_rule_print_save(arg->h, r,
+ type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND
+ : NFT_RULE_DEL,
counters ? 0 : FMT_NOCOUNTS);
err_free:
nftnl_rule_free(r);
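Review bot: family_cmd(family) is evaluated twice on the new side of this hunk, once in the NULL guard and again as a printf argument; capturing it once keeps the guard and the use tied to the same value: `const char *cmd = family_cmd(family);` / `if (!cmd) goto err_free;` and then `cmd` in place of the second call. Separately, the commit message should mention that output for unrecognised families changes: the removed default branch still emitted the " EVENT: " prefix (when is_event was set) plus a bare newline via puts("") before jumping to err_free, whereas the new guard prints nothing at all — presumably intended, but visible to anything parsing the monitor stream. rule_cb's body starts before this hunk and continues past it.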
if (arg->nfproto && arg->nfproto != family)
goto err_free;
- if (nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO))
- family = -1;
-
printf(" EVENT: ");
- switch (family) {
- case NFPROTO_IPV4:
- family = 4;
- break;
- case NFPROTO_IPV6:
- family = 6;
- break;
- case NFPROTO_ARP:
- family = 0;
- break;
- default:
- nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0);
+
+ if (nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO) || !family_cmd(family)) {
+ nftnl_chain_snprintf(buf, sizeof(buf),
+ c, NFTNL_OUTPUT_DEFAULT, 0);
printf("nft: %s chain: %s\n",
type == NFT_MSG_NEWCHAIN ? "NEW" : "DEL", buf);
goto err_free;
}
- printf("-%d -t %s -%c %s\n",
- family,
+ printf("%s -t %s -%c %s\n",
+ family_cmd(family),
nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE),
type == NFT_MSG_NEWCHAIN ? 'N' : 'X',
nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));