xtables-restore: add -4 and -6 support

Now you can specify:

 xtables-restore -6 < my-ip6tables-ruleset

to restore the IPv6 rule-set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index 273d08382dc33a3e3b19016b5ac238da4225e0c6..88fd84be864a0e7166e0a797b66459f1a32e7a4c 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2630,7 +2630,7 @@ static int nft_action(struct nft_handle *h, int type)
        nlh->nlmsg_seq = seq = time(NULL);
 
        struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
-       nfg->nfgen_family = AF_INET;
+       nfg->nfgen_family = h->family;
        nfg->version = NFNETLINK_V0;
        nfg->res_id = 0;
 

diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index c62b0a9ac7928eda5500d2186c94a18f681927c4..3b14a9f73328f378a696ed777483d8013f2e9e50 100644 (file)
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -36,6 +36,8 @@ static const struct option options[] = {
        {.name = "noflush",  .has_arg = false, .val = 'n'},
        {.name = "modprobe", .has_arg = true,  .val = 'M'},
        {.name = "table",    .has_arg = true,  .val = 'T'},
+       {.name = "ipv4",     .has_arg = false, .val = '4'},
+       {.name = "ipv6",     .has_arg = false, .val = '6'},
        {NULL},
 };
 
@@ -193,7 +195,7 @@ xtables_restore_main(int argc, char *argv[])
 
        nft_init(&h);
 
-       while ((c = getopt_long(argc, argv, "bcvthnM:T:", options, NULL)) != -1) {
+       while ((c = getopt_long(argc, argv, "bcvthnM:T:46", options, NULL)) != -1) {
                switch (c) {
                        case 'b':
                                binary = 1;
@@ -220,6 +222,12 @@ xtables_restore_main(int argc, char *argv[])
                        case 'T':
                                tablename = optarg;
                                break;
+                       case '4':
+                               h.family = AF_INET;
+                               break;
+                       case '6':
+                               h.family = AF_INET6;
+                               break;
                }
        }
 

diff --git a/iptables/xtables.c b/iptables/xtables.c
index c31105587cf680965440d47456d4622610e1c86c..c0a6347a9a3ed61c2e3fef5d64859d0f8a63017d 100644 (file)
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1247,7 +1247,10 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table)
                break;
        }
 
-       h->family = family;
+       /* Set only if required, needed by xtables-restore */
+       if (h->family == AF_UNSPEC)
+               h->family = family;
+
        h->ops = nft_family_ops_lookup(family);
        if (h->ops == NULL)
                xtables_error(PARAMETER_PROBLEM, "Unknown family");