git.ipfire.org Git - thirdparty/iptables.git/commitdiff
xtables-monitor: Fix ip6tables rule printing
author Phil Sutter <phil@nwl.cc>
Fri, 7 Aug 2020 14:42:07 +0000 (16:42 +0200)
committer Phil Sutter <phil@nwl.cc>
Fri, 14 Aug 2020 07:01:57 +0000 (09:01 +0200)
When printing an ip6tables rule event, false family ops are used as they
are initially looked up for AF_INET and reused no matter the current
rule's family. In practice, this means that nft_rule_print_save() calls
the wrong rule_to_cs, save_rule and clear_cs callbacks. Therefore, if a
rule specifies a source or destination address, the address is not
printed.

Fix this by performing a family lookup each time rule_cb is called.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/xtables-monitor.c

index 57def83e2eea066a700cae81ec78749579fbb5fc..4008cc00d4694d0dd368f46686828e1528e8341c 100644 (file)
@@ -93,6 +93,8 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
        if (arg->nfproto && arg->nfproto != family)
                goto err_free;
 
+       arg->h->ops = nft_family_ops_lookup(family);
+
        if (arg->is_event)
                printf(" EVENT: ");
        switch (family) {
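
Review bot: The return value of nft_family_ops_lookup(family) is stored in arg->h->ops without a check, and the assignment sits before the switch (family), so it runs for every family that passes the nfproto filter (any family at all when arg->nfproto is 0). If the lookup can return NULL for a family that has no ops, a later call through arg->h->ops would dereference it; consider testing the result and taking the existing err_free path, or doing the lookup only in the switch cases that are actually handled. A one-line comment noting that the handle's ops are reset per rule because events of different families arrive through the same callback would also help, since this write to shared handle state is easy to overlook.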