@@ -904,3 +904,32 @@ bool nft_ipv46_rule_find(struct nft_family_ops *ops,
return true;
}
+
+void nft_check_xt_legacy(int family, bool is_ipt_save)
+{
+ static const char tables6[] = "/proc/net/ip6_tables_names";
+ static const char tables4[] = "/proc/net/ip_tables_names";
+ const char *prefix = "ip";
+ FILE *fp = NULL;
+ char buf[1024];
+
+ switch (family) {
+ case NFPROTO_IPV4:
+ fp = fopen(tables4, "r");
+ break;
+ case NFPROTO_IPV6:
+ fp = fopen(tables6, "r");
+ prefix = "ip6";
+ break;
+ default:
+ break;
+ }
+
+ if (!fp)
+ return;
+
+ if (fgets(buf, sizeof(buf), fp))
+ fprintf(stderr, "# Warning: %stables-legacy tables present, use %stables-legacy%s to see them\n",
+ prefix, prefix, is_ipt_save ? "-save" : "");
+ fclose(fp);
+}
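Review bot: nft_check_xt_legacy (lines L5–L32) carries no comment stating what it probes or that it is best effort: any fopen() failure — legacy module not loaded, but equally EACCES or a restricted /proc — is silently treated as "no legacy tables", so the hint can be lost without trace. A short header above the definition would make the contract explicit: `/* Print a hint when the legacy xtables backend still has tables registered for this family, i.e. /proc/net/ip{,6}_tables_names is non-empty. Best effort: a missing or unreadable file is treated as "no legacy tables". */`. The `# Warning:` prefix on line L29 goes to stderr and never into a saved ruleset, so it is purely cosmetic; a one-line comment saying so would stop a reader from assuming the line is meant to be parsed by iptables-restore.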
@@ -270,4 +270,5 @@ void xtables_restore_parse(struct nft_handle *h,
struct nft_xt_restore_cb *cb,
int argc, char *argv[]);
+void nft_check_xt_legacy(int family, bool is_ipt_save);
#endif
@@ -44,12 +44,10 @@ static const struct option options[] = {
};
static int
-do_output(struct nft_handle *h, const char *tablename, bool counters)
+__do_output(struct nft_handle *h, const char *tablename, bool counters)
{
struct nftnl_chain_list *chain_list;
- if (!tablename)
- return nft_for_each_table(h, do_output, counters) ? 1 : 0;
if (!nft_table_find(h, tablename)) {
printf("Table `%s' does not exist\n", tablename);
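Review bot: The new name `__do_output` on line L42 is a reserved identifier — C11 §7.1.3 reserves every name containing two consecutive underscores for the implementation, so a conforming compiler or libc may define it and the program becomes ill-formed without diagnostics. A project-style name such as `do_output_table` avoids that; the same applies to the definition of the wrapper that calls it in the next hunk (L52–L66, lines L58 and L63). The body of the renamed function continues past the end of this hunk.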
@@ -80,6 +78,22 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
return 0;
}
+static int
+do_output(struct nft_handle *h, const char *tablename, bool counters)
+{
+ int ret;
+
+ if (!tablename) {
+ ret = nft_for_each_table(h, __do_output, counters);
+ nft_check_xt_legacy(h->family, true);
+ return !!ret;
+ }
+
+ ret = __do_output(h, tablename, counters);
+ nft_check_xt_legacy(h->family, true);
+ return ret;
+}
+
/* Format:
* :Chain name POLICY packets bytes
* rule
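Review bot: The wrapper at L52–L66 calls `nft_check_xt_legacy(h->family, true)` on both branches (L59 and L64), and the only thing the branches actually decide is the value of `ret`, so the duplicated call can be folded into a single tail: `ret = tablename ? __do_output(h, tablename, counters) : !!nft_for_each_table(h, __do_output, counters);` followed by `nft_check_xt_legacy(h->family, true); return ret;`. A one-line comment would also help, since the ordering is deliberate but unexplained: `/* hint about legacy xtables tables only after the nft dump, so stdout and stderr do not interleave mid-table */` — hedged, as the intent is inferred from the placement rather than stated anywhere in the hunk.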
@@ -1238,6 +1238,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
ret = nft_rule_zero_counters(h, p.chain, p.table,
p.rulenum - 1);
}
+ nft_check_xt_legacy(h->family, false);
break;
case CMD_LIST_RULES:
case CMD_LIST_RULES|CMD_ZERO:
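Review bot: The added `nft_check_xt_legacy(h->family, false)` on line L75 runs unconditionally, including when the preceding list or `nft_rule_zero_counters` call (L72) failed and `ret` already signals an error, so the user gets the "use iptables-legacy" hint on top of a failure message; if that is intended, a comment saying so would help, e.g. `/* always hint at rules held by the legacy backend, even on error */`, otherwise guard it with `if (ret)`. The same applies to the identical insertion at L83 in the next hunk. do_commandx and the enclosing switch both start and end outside these hunks, so whether other list-style commands were meant to get the hint cannot be judged from here.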
@@ -1252,6 +1253,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
ret = nft_rule_zero_counters(h, p.chain, p.table,
p.rulenum - 1);
}
+ nft_check_xt_legacy(h->family, false);
break;
case CMD_NEW_CHAIN:
ret = nft_chain_user_add(h, p.chain, p.table);
Provide a hint that iptables isn't showing all rules because it is using nfnetlink rather than old set/getsockopt. Signed-off-by: Florian Westphal <fw@strlen.de> --- iptables/nft-shared.c | 29 +++++++++++++++++++++++++++++ iptables/nft-shared.h | 1 + iptables/xtables-save.c | 20 +++++++++++++++++--- iptables/xtables.c | 2 ++ 4 files changed, 49 insertions(+), 3 deletions(-)