From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH 4/5] xtables-monitor: Support ARP and bridge families
Date: Wed, 31 Jul 2019 18:39:14 +0200 [thread overview]
Message-ID: <20190731163915.22232-5-phil@nwl.cc> (raw)
In-Reply-To: <20190731163915.22232-1-phil@nwl.cc>
Apart from allowing to filter by these families, add missing switch()
cases in chain and rule callbacks.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xtables-monitor.8.in | 12 +++++++++---
iptables/xtables-monitor.c | 23 +++++++++++++++++++++--
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/iptables/xtables-monitor.8.in b/iptables/xtables-monitor.8.in
index 19eb729c51240..6bde54fa4a359 100644
--- a/iptables/xtables-monitor.8.in
+++ b/iptables/xtables-monitor.8.in
@@ -2,7 +2,7 @@
.SH NAME
xtables-monitor \(em show changes to rule set and trace-events
.SH SYNOPSIS
-\fBxtables\-monitor\fP [\fB\-t\fP] [\fB\-e\fP] [\fB\-4\fP|\fB\-6\fP]
+\fBxtables\-monitor\fP [\fB\-t\fP] [\fB\-e\fP] [\fB\-0\fP|\fB-1\fP|\fB\-4\fP|\fB\-6\fP]
.PP
\
.SH DESCRIPTION
@@ -24,11 +24,17 @@ the name of the program that caused the rule update.
Watch for trace events generated by packets that have been tagged
using the TRACE target.
.TP
+\fB\-0\fP, \fB--arp\fP
+Restrict output to ARP (i.e., events caused by arptables-nft).
+.TP
+\fB\-1\fP, \fB--bridge\fP
+Restrict output to bridge (i.e., events caused by ebtables-nft).
+.TP
\fB\-4\fP, \fB--ipv4\fP
-Restrict output to IPv4.
+Restrict output to IPv4 (i.e., events caused by iptables-nft).
.TP
\fB\-6\fP, \fB--ipv6\fP
-Restrict output to IPv6.
+Restrict output to IPv6 (i.e., events caused by ip6tables-nft).
.SH EXAMPLE OUTPUT
.TP
.B xtables-monitor \-\-trace
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 02e8e446b1c8c..9be8ce9de6b5f 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -101,6 +101,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
case NFPROTO_ARP:
printf("-0 ");
break;
+ case NFPROTO_BRIDGE:
+ printf("-1 ");
+ break;
default:
goto err_free;
}
@@ -139,6 +142,12 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
printf(" EVENT: ");
switch (family) {
+ case NFPROTO_ARP:
+ family = 0;
+ break;
+ case NFPROTO_BRIDGE:
+ family = 1;
+ break;
case NFPROTO_IPV4:
family = 4;
break;
@@ -565,6 +574,8 @@ static const struct option options[] = {
{.name = "counters", .has_arg = false, .val = 'c'},
{.name = "trace", .has_arg = false, .val = 't'},
{.name = "event", .has_arg = false, .val = 'e'},
+ {.name = "arp", .has_arg = false, .val = '0'},
+ {.name = "bridge", .has_arg = false, .val = '1'},
{.name = "ipv4", .has_arg = false, .val = '4'},
{.name = "ipv6", .has_arg = false, .val = '6'},
{.name = "version", .has_arg = false, .val = 'V'},
@@ -580,6 +591,8 @@ static void print_usage(void)
" --trace -t trace ruleset traversal of packets tagged via -j TRACE rule\n"
" --event -e show events that modify the ruleset\n"
"Optional arguments:\n"
+ " --arp -0 only monitor ARP\n"
+ " --bridge -1 only monitor bridge\n"
" --ipv4 -4 only monitor IPv4\n"
" --ipv6 -6 only monitor IPv6\n"
" --counters -c show counters in rules\n"
@@ -591,7 +604,7 @@ static void print_usage(void)
static void set_nfproto(struct cb_arg *arg, uint32_t val)
{
if (arg->nfproto != NFPROTO_UNSPEC && arg->nfproto != val) {
- fprintf(stderr, "Only one of '-4' or '-6' may be specified at once.\n\n");
+ fprintf(stderr, "Only one of '-0', '-1', '-4' or '-6' may be specified at once.\n\n");
print_usage();
exit(PARAMETER_PROBLEM);
}
@@ -621,8 +634,14 @@ int xtables_monitor_main(int argc, char *argv[])
#endif
opterr = 0;
- while ((c = getopt_long(argc, argv, "ceht46V", options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "ceht0146V", options, NULL)) != -1) {
switch (c) {
+ case '0':
+ set_nfproto(&cb_arg, NFPROTO_ARP);
+ break;
+ case '1':
+ set_nfproto(&cb_arg, NFPROTO_BRIDGE);
+ break;
case 'c':
counters = true;
break;
--
2.22.0
next prev parent reply other threads:[~2019-07-31 16:39 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-31 16:39 [iptables PATCH 0/5] xtables-monitor enhancements Phil Sutter
2019-07-31 16:39 ` [iptables PATCH 1/5] doc: Clean generated *-restore-translate man pages Phil Sutter
2019-07-31 16:39 ` [iptables PATCH 2/5] doc: Fix xtables-monitor man page Phil Sutter
2019-07-31 16:39 ` [iptables PATCH 3/5] xtables-monitor: Improve error messages Phil Sutter
2019-07-31 16:39 ` Phil Sutter [this message]
2019-08-01 11:20 ` [iptables PATCH 4/5] xtables-monitor: Support ARP and bridge families Pablo Neira Ayuso
2019-08-01 12:00 ` Phil Sutter
2019-08-01 12:30 ` Pablo Neira Ayuso
2019-08-01 12:33 ` Pablo Neira Ayuso
2019-08-01 12:41 ` Phil Sutter
2019-08-01 12:47 ` Pablo Neira Ayuso
2019-08-01 12:58 ` Phil Sutter
2019-08-01 13:03 ` Pablo Neira Ayuso
2019-08-01 14:20 ` Phil Sutter
2019-07-31 16:39 ` [iptables PATCH 5/5] xtables-monitor: Add family-specific aliases Phil Sutter
2019-07-31 17:45 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190731163915.22232-5-phil@nwl.cc \
--to=phil@nwl.cc \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).