* [iptables PATCH 0/8] Fix xtables-monitor rule printing, partially RFC
@ 2024-07-16 12:27 Phil Sutter
From: Phil Sutter @ 2024-07-16 12:27 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
The patches in this series progress from fixes to features, and for the
last two I'm not sure they are acceptable as-is: Patch 7 is not entirely
complete, one should follow up by printing ebtables policy rules like
builtin chain policies in traces, but it requires quite some code churn.
Patch 8 changes output of both events and traces, and thus might break
existing scripts parsing xtables-monitor output.
Phil Sutter (8):
xtables-monitor: Proper re-init for rule's family
xtables-monitor: Flush stdout after all lines of output
xtables-monitor: Align builtin chain and table output
xtables-monitor: Support arptables chain events
tests: shell: New xtables-monitor test
xtables-monitor: Fix for ebtables rule events
xtables-monitor: Ignore ebtables policy rules unless tracing
xtables-monitor: Print commands instead of -4/-6/-0 flags
iptables/nft.c | 2 +-
iptables/nft.h | 1 +
.../testcases/nft-only/0012-xtables-monitor_0 | 139 ++++++++++++++++++
iptables/xtables-monitor.c | 74 ++++++----
4 files changed, 183 insertions(+), 33 deletions(-)
create mode 100755 iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
--
2.43.0
* [iptables PATCH 1/8] xtables-monitor: Proper re-init for rule's family
From: Phil Sutter @ 2024-07-16 12:27 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
When not running for a specific family only (via -4/-6 flags),
xtables-monitor potentially sees events/traces for all families. To
correctly parse rules when printing for NEWRULE, DELRULE or TRACE
messages, nft_handle has to be reinitialized for the rule's family.
It is not sufficient to reset nft_handle::ops: Some expression parsers
rely upon nft_handle::family being properly set, too (cf. references to
'ctx->h->family' in nft-ruleparse.c). Adjusting the 'afinfo' pointer
provided by libxtables is even more crucial, as e.g. do_parse() in
xshared.c relies upon it for the proper optstring.
This is actually a day-1 bug in xtables-monitor which surfaced due to
commit 9075c3aa983d9 ("nft: Increase rule parser strictness"). Therefore,
make this fix the commit it is following up.
Fixes: ca69b0290dc50 ("xtables-monitor: Fix ip6tables rule printing")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xtables-monitor.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index cf2729d87968b..cf92355f76f8a 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -92,7 +92,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
if (arg->nfproto && arg->nfproto != family)
goto err_free;
+ xtables_set_nfproto(family);
arg->h->ops = nft_family_ops_lookup(family);
+ arg->h->family = family;
if (arg->is_event)
printf(" EVENT: ");
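Review bot: the re-initialisation on `+ xtables_set_nfproto(family);` and `+ arg->h->family = family;` happens without checking that `nft_family_ops_lookup(family)` actually returned an ops table; if that lookup can yield NULL for a family this callback does not handle, `arg->h->ops` is left NULL while `arg->h->family` and the libxtables afinfo pointer already refer to the new family, and the printing path below runs on an inconsistent handle. A NULL check directly after the lookup that jumps to `err_free` would keep the handle consistent and make the failure mode explicit.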
--
2.43.0
* [iptables PATCH 2/8] xtables-monitor: Flush stdout after all lines of output
From: Phil Sutter @ 2024-07-16 12:27 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
Writing an xtables-monitor testsuite is pretty much impossible without
this due to unreliable output flushing. Just move the fflush() call from
trace_cb() to its caller so monitor events benefit from it as well.
Fixes: 07af4da52ab30 ("xtables-monitor: fix rule printing")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xtables-monitor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index cf92355f76f8a..90d1cc5e37f31 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -544,7 +544,6 @@ static int trace_cb(const struct nlmsghdr *nlh, struct cb_arg *arg)
err_free:
nftnl_trace_free(nlt);
err:
- fflush(stdout);
return MNL_CB_OK;
}
@@ -576,6 +575,7 @@ static int monitor_cb(const struct nlmsghdr *nlh, void *data)
break;
}
+ fflush(stdout);
return ret;
}
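Review bot: moving the flush into monitor_cb() means every netlink message, including those for which the switch produced no output, now pays an fflush(stdout); that is cheap, but a one-line comment above `+ fflush(stdout);` stating that it exists so consumers reading through a pipe (the testsuite, scripts) see each event as soon as it is printed would stop a future cleanup from "optimising" it back into trace_cb() only.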
--
2.43.0
* [iptables PATCH 3/8] xtables-monitor: Align builtin chain and table output
From: Phil Sutter @ 2024-07-16 12:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
Drop the leading hash sign and add "NEW/DEL chain" annotation.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xtables-monitor.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 90d1cc5e37f31..e136e9b722e92 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -153,7 +153,8 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
break;
default:
nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0);
- printf("# nft: %s\n", buf);
+ printf("nft: %s chain: %s\n",
+ type == NFT_MSG_NEWCHAIN ? "NEW" : "DEL", buf);
goto err_free;
}
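Review bot: replacing `- printf("# nft: %s\n", buf);` with the `nft: NEW chain: ...` / `nft: DEL chain: ...` form is an event output change of the same kind the cover letter warns about for patch 8, so scripts matching on the leading `# nft:` stop matching here already; the commit message should say so. Since `buf` is printed unconditionally, also consider checking the return value of nftnl_chain_snprintf() so a truncated chain description is not emitted as if it were complete.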
--
2.43.0
* [iptables PATCH 4/8] xtables-monitor: Support arptables chain events
From: Phil Sutter @ 2024-07-16 12:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
Print arptables NEWCHAIN/DELCHAIN events just like for iptables, using
the '-0' prefix the rule callback already uses.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/xtables-monitor.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index e136e9b722e92..714a2dfd7074a 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -151,6 +151,9 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
case NFPROTO_IPV6:
family = 6;
break;
+ case NFPROTO_ARP:
+ family = 0;
+ break;
default:
nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0);
printf("nft: %s chain: %s\n",
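Review bot: `+ family = 0;` reuses the `family` variable to hold the digit printed after `-`, and 0 is also the value of NFPROTO_UNSPEC, so after the switch a reader can no longer tell from the variable whether an ARP chain or an unspecified family is in hand. A separate variable for the printed digit, or a helper returning the prefix string, would avoid the overload. The `-0` prefix is an xtables-monitor convention rather than an arptables flag (the last patch of the series says as much), which is worth a sentence in the commit message for anyone applying this patch on its own.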
--
2.43.0
* [iptables PATCH 5/8] tests: shell: New xtables-monitor test
From: Phil Sutter @ 2024-07-16 12:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
Only events monitoring for now.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../testcases/nft-only/0012-xtables-monitor_0 | 149 ++++++++++++++++++
1 file changed, 149 insertions(+)
create mode 100755 iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
new file mode 100755
index 0000000000000..7b028ba7a9ca5
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -0,0 +1,149 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+log=$(mktemp)
+trap "rm -f $log" EXIT
+echo "logging into file $log"
+rc=0
+
+# Filter monitor output:
+# - NEWGEN event is moot:
+# - GENID/PID are arbitrary,
+# - NAME always "xtables-nft-mul"
+# - handle is arbitrary as well
+logfilter() { # (logfile)
+ grep -v '^NEWGEN:' "$1" | sed -e 's/handle [0-9]\+/handle 0/'
+}
+
+# Compare monitor output for given command against content of the global $EXP
+monitorcheck() { # (cmd ...)
+ $XT_MULTI xtables-monitor -e >"$log"&
+ monpid=$!
+ sleep 0.5
+
+ $XT_MULTI "$@" || {
+ echo "Error: command failed: $@"
+ let "rc++"
+ kill $monpid
+ wait
+ return
+ }
+ sleep 0.5
+ kill $monpid
+ wait
+ diffout=$(diff -u <(echo "$EXP") <(logfilter "$log")) || {
+ echo "Fail: unexpected result for command: '$@':"
+ grep -v '^\(---\|+++\|@@\)' <<< "$diffout"
+ let "rc++"
+ }
+}
+
+EXP="\
+ EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -4 -t filter -A FORWARD -j ACCEPT"
+monitorcheck iptables -A FORWARD -j ACCEPT
+
+EXP="\
+ EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -6 -t filter -A FORWARD -j ACCEPT"
+monitorcheck ip6tables -A FORWARD -j ACCEPT
+
+# FIXME
+EXP="\
+ EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
+ EVENT: "
+monitorcheck ebtables -A FORWARD -j ACCEPT
+
+EXP="\
+ EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0
+ EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1
+ EVENT: -0 -t filter -A INPUT -j ACCEPT"
+monitorcheck arptables -A INPUT -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -N foo"
+monitorcheck iptables -N foo
+
+EXP=" EVENT: -6 -t filter -N foo"
+monitorcheck ip6tables -N foo
+
+# FIXME
+EXP="\
+ EVENT: nft: NEW chain: bridge filter foo use 1
+ EVENT: "
+monitorcheck ebtables -N foo
+
+EXP=" EVENT: -0 -t filter -N foo"
+monitorcheck arptables -N foo
+
+# meta l4proto matches require proper nft_handle:family value
+EXP=" EVENT: -4 -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
+
+EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
+
+EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
+
+EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
+
+EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
+
+EXP=" EVENT: -4 -t filter -X foo"
+monitorcheck iptables -X foo
+
+EXP=" EVENT: -6 -t filter -X foo"
+monitorcheck ip6tables -X foo
+
+# FIXME
+EXP="\
+ EVENT:
+ EVENT: nft: DEL chain: bridge filter foo use 0"
+monitorcheck ebtables -X foo
+
+EXP=" EVENT: -0 -t filter -X foo"
+monitorcheck arptables -X foo
+
+EXP=" EVENT: -4 -t filter -D FORWARD -j ACCEPT"
+monitorcheck iptables -F FORWARD
+
+EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
+monitorcheck ip6tables -F FORWARD
+
+# FIXME
+EXP=" EVENT: "
+monitorcheck ebtables -F FORWARD
+
+EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
+monitorcheck arptables -F INPUT
+
+EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck iptables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: ip6 filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck ip6tables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: bridge filter FORWARD use 0 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1"
+monitorcheck ebtables -X FORWARD
+
+EXP=" EVENT: nft: DEL chain: arp filter INPUT use 0 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1"
+monitorcheck arptables -X INPUT
+
+exit $rc
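Review bot: monitorcheck() synchronises the monitor and the command under test with two `sleep 0.5` calls, so on a loaded CI host the command can run before xtables-monitor has subscribed to the netlink group, or the monitor can be killed before it has written the last event, and the diff then fails spuriously. Waiting for an observable readiness condition before running `$XT_MULTI "$@"` (for example polling the log file, or a short retry loop around the diff) would be more robust; if the sleeps stay, a comment stating the timing assumption helps whoever sees the first flake. Minor: `echo "Error: command failed: $@"` and the matching message below should use `$*` inside a double-quoted string, and `let "rc++"` returns a non-zero status when rc was 0, which would bite if this script ever ran under `set -e`.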
--
2.43.0
* [iptables PATCH 6/8] xtables-monitor: Fix for ebtables rule events
From: Phil Sutter @ 2024-07-16 12:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
Bridge family wasn't recognized in rule_cb(), so merely an empty
"EVENT:" line was printed for ebtables rule changes. For lack of a
well-known family modifier flag for bridge family, simply prefix rules
by "ebtables".
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../testcases/nft-only/0012-xtables-monitor_0 | 15 ++++++---------
iptables/xtables-monitor.c | 3 +++
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 7b028ba7a9ca5..0f0295b05ec52 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -55,7 +55,7 @@ monitorcheck ip6tables -A FORWARD -j ACCEPT
EXP="\
EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
- EVENT: "
+ EVENT: ebtables -t filter -A FORWARD -j ACCEPT"
monitorcheck ebtables -A FORWARD -j ACCEPT
EXP="\
@@ -73,7 +73,7 @@ monitorcheck ip6tables -N foo
# FIXME
EXP="\
EVENT: nft: NEW chain: bridge filter foo use 1
- EVENT: "
+ EVENT: ebtables -t filter -A foo -j ACCEPT"
monitorcheck ebtables -N foo
EXP=" EVENT: -0 -t filter -N foo"
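Review bot: the expectation `+ EVENT: ebtables -t filter -A foo -j ACCEPT` directly after `ebtables -N foo` records the chain's internal policy rule being reported as if a user had appended it; the `# FIXME` marker is kept, but the commit message does not say that this is a known artefact of how bridge chain policies are implemented and is to be dealt with separately, which would help anyone bisecting or backporting this patch alone.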
@@ -86,8 +86,7 @@ monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
@@ -99,8 +98,7 @@ monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
@@ -114,7 +112,7 @@ monitorcheck ip6tables -X foo
# FIXME
EXP="\
- EVENT:
+ EVENT: ebtables -t filter -D foo -j ACCEPT
EVENT: nft: DEL chain: bridge filter foo use 0"
monitorcheck ebtables -X foo
@@ -127,8 +125,7 @@ monitorcheck iptables -F FORWARD
EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
monitorcheck ip6tables -F FORWARD
-# FIXME
-EXP=" EVENT: "
+EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT"
monitorcheck ebtables -F FORWARD
EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 714a2dfd7074a..7079a039fb28b 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -106,6 +106,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
case NFPROTO_ARP:
printf("-0 ");
break;
+ case NFPROTO_BRIDGE:
+ printf("ebtables ");
+ break;
default:
puts("");
goto err_free;
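Review bot: printing `ebtables ` here while the neighbouring cases print `-4 `, `-6 ` and `-0 ` makes the rule-event prefix differ in kind between families (a command name versus a flag), so a consumer has to special-case bridge rules; the commit message gives the reason, but the resulting inconsistency should be stated there explicitly since this patch is a standalone fix that may be applied without the later unification of the prefixes.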
--
2.43.0
* [iptables PATCH 7/8] xtables-monitor: Ignore ebtables policy rules unless tracing
From: Phil Sutter @ 2024-07-16 12:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
Do not expose this implementation detail to users, otherwise new
user-defined chains are followed by a new rule event.
When tracing, they are useful as they potentially terminate rule
traversal.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft.c | 2 +-
iptables/nft.h | 1 +
.../shell/testcases/nft-only/0012-xtables-monitor_0 | 11 ++---------
iptables/xtables-monitor.c | 7 +++++++
4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 884cc77e647ba..83fb81439ccb1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1813,7 +1813,7 @@ nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
return ret;
}
-static bool nft_rule_is_policy_rule(struct nftnl_rule *r)
+bool nft_rule_is_policy_rule(struct nftnl_rule *r)
{
const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {};
const void *data;
diff --git a/iptables/nft.h b/iptables/nft.h
index b2a8484f09f0a..8f17f3100a190 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -185,6 +185,7 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *tabl
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
+bool nft_rule_is_policy_rule(struct nftnl_rule *r);
/*
* Operations used in userspace tools
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index 0f0295b05ec52..ef1ec3c9446ae 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -51,7 +51,6 @@ EXP="\
EVENT: -6 -t filter -A FORWARD -j ACCEPT"
monitorcheck ip6tables -A FORWARD -j ACCEPT
-# FIXME
EXP="\
EVENT: nft: NEW table: table filter bridge flags 0 use 1 handle 0
EVENT: nft: NEW chain: bridge filter FORWARD use 1 type filter hook forward prio -200 policy accept packets 0 bytes 0 flags 1
@@ -70,10 +69,7 @@ monitorcheck iptables -N foo
EXP=" EVENT: -6 -t filter -N foo"
monitorcheck ip6tables -N foo
-# FIXME
-EXP="\
- EVENT: nft: NEW chain: bridge filter foo use 1
- EVENT: ebtables -t filter -A foo -j ACCEPT"
+EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
monitorcheck ebtables -N foo
EXP=" EVENT: -0 -t filter -N foo"
@@ -110,10 +106,7 @@ monitorcheck iptables -X foo
EXP=" EVENT: -6 -t filter -X foo"
monitorcheck ip6tables -X foo
-# FIXME
-EXP="\
- EVENT: ebtables -t filter -D foo -j ACCEPT
- EVENT: nft: DEL chain: bridge filter foo use 0"
+EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
monitorcheck ebtables -X foo
EXP=" EVENT: -0 -t filter -X foo"
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index 7079a039fb28b..b54a704bb1786 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -96,6 +96,13 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
arg->h->ops = nft_family_ops_lookup(family);
arg->h->family = family;
+ /* ignore policy rules unless tracing,
+ * they are reported when deleting user-defined chains */
+ if (family == NFPROTO_BRIDGE &&
+ arg->is_event &&
+ nft_rule_is_policy_rule(r))
+ goto err_free;
+
if (arg->is_event)
printf(" EVENT: ");
switch (family) {
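Review bot: the comment `+ * they are reported when deleting user-defined chains */` understates the case: the test changes in this same patch show the policy rule was also reported right after a chain was created (`EVENT: ebtables -t filter -A foo -j ACCEPT` following `nft: NEW chain: bridge filter foo`), so the comment should say the rule shows up whenever a bridge user-defined chain is created or deleted. Restricting the skip to `arg->is_event` keeps policy rules visible in traces, as intended, but a trace then shows a rule the user never added; the follow-up named in the cover letter (printing them like builtin chain policies) deserves a TODO comment at this spot.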
--
2.43.0
* [RFC iptables PATCH 8/8] xtables-monitor: Print commands instead of -4/-6/-0 flags
From: Phil Sutter @ 2024-07-16 12:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
The '-4' and '-6' flags are a rarely used feature of iptables-restore.
The '-0' flag is purely artificial and not recognized anywhere (at least
not as an arptables rule prefix in this sense). Finally, there is no
such flag for ebtables in the first place. Go with a more intuitively
clear approach and instead print the typical command which added the
rule being printed.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
.../testcases/nft-only/0012-xtables-monitor_0 | 40 +++++------
iptables/xtables-monitor.c | 66 +++++++++----------
2 files changed, 50 insertions(+), 56 deletions(-)
diff --git a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0 b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
index ef1ec3c9446ae..c49b7ccddeb35 100755
--- a/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
+++ b/iptables/tests/shell/testcases/nft-only/0012-xtables-monitor_0
@@ -42,13 +42,13 @@ monitorcheck() { # (cmd ...)
EXP="\
EVENT: nft: NEW table: table filter ip flags 0 use 1 handle 0
EVENT: nft: NEW chain: ip filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
- EVENT: -4 -t filter -A FORWARD -j ACCEPT"
+ EVENT: iptables -t filter -A FORWARD -j ACCEPT"
monitorcheck iptables -A FORWARD -j ACCEPT
EXP="\
EVENT: nft: NEW table: table filter ip6 flags 0 use 1 handle 0
EVENT: nft: NEW chain: ip6 filter FORWARD use 1 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1
- EVENT: -6 -t filter -A FORWARD -j ACCEPT"
+ EVENT: ip6tables -t filter -A FORWARD -j ACCEPT"
monitorcheck ip6tables -A FORWARD -j ACCEPT
EXP="\
@@ -60,68 +60,68 @@ monitorcheck ebtables -A FORWARD -j ACCEPT
EXP="\
EVENT: nft: NEW table: table filter arp flags 0 use 1 handle 0
EVENT: nft: NEW chain: arp filter INPUT use 1 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1
- EVENT: -0 -t filter -A INPUT -j ACCEPT"
+ EVENT: arptables -t filter -A INPUT -j ACCEPT"
monitorcheck arptables -A INPUT -j ACCEPT
-EXP=" EVENT: -4 -t filter -N foo"
+EXP=" EVENT: iptables -t filter -N foo"
monitorcheck iptables -N foo
-EXP=" EVENT: -6 -t filter -N foo"
+EXP=" EVENT: ip6tables -t filter -N foo"
monitorcheck ip6tables -N foo
-EXP=" EVENT: nft: NEW chain: bridge filter foo use 1"
+EXP=" EVENT: ebtables -t filter -N foo"
monitorcheck ebtables -N foo
-EXP=" EVENT: -0 -t filter -N foo"
+EXP=" EVENT: arptables -t filter -N foo"
monitorcheck arptables -N foo
# meta l4proto matches require proper nft_handle:family value
-EXP=" EVENT: -4 -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+EXP=" EVENT: iptables -t filter -A FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
monitorcheck iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
-EXP=" EVENT: -6 -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+EXP=" EVENT: ip6tables -t filter -A FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -A FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
EXP=" EVENT: ebtables -t filter -A FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -A FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
-EXP=" EVENT: -0 -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+EXP=" EVENT: arptables -t filter -A INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
monitorcheck arptables -A INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
-EXP=" EVENT: -4 -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
+EXP=" EVENT: iptables -t filter -D FORWARD -i eth1 -o eth2 -p tcp -m tcp --dport 22 -j ACCEPT"
monitorcheck iptables -D FORWARD -i eth1 -o eth2 -p tcp --dport 22 -j ACCEPT
-EXP=" EVENT: -6 -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
+EXP=" EVENT: ip6tables -t filter -D FORWARD -i eth1 -o eth2 -p udp -m udp --sport 1337 -j ACCEPT"
monitorcheck ip6tables -D FORWARD -i eth1 -o eth2 -p udp --sport 1337 -j ACCEPT
EXP=" EVENT: ebtables -t filter -D FORWARD -p IPv4 -i eth1 -o eth2 --ip-proto udp --ip-sport 1337 -j ACCEPT"
monitorcheck ebtables -D FORWARD -i eth1 -o eth2 -p ip --ip-protocol udp --ip-source-port 1337 -j ACCEPT
-EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
+EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06"
monitorcheck arptables -D INPUT -i eth1 -s 1.2.3.4 --src-mac 01:02:03:04:05:06 -j ACCEPT
-EXP=" EVENT: -4 -t filter -X foo"
+EXP=" EVENT: iptables -t filter -X foo"
monitorcheck iptables -X foo
-EXP=" EVENT: -6 -t filter -X foo"
+EXP=" EVENT: ip6tables -t filter -X foo"
monitorcheck ip6tables -X foo
-EXP=" EVENT: nft: DEL chain: bridge filter foo use 0"
+EXP=" EVENT: ebtables -t filter -X foo"
monitorcheck ebtables -X foo
-EXP=" EVENT: -0 -t filter -X foo"
+EXP=" EVENT: arptables -t filter -X foo"
monitorcheck arptables -X foo
-EXP=" EVENT: -4 -t filter -D FORWARD -j ACCEPT"
+EXP=" EVENT: iptables -t filter -D FORWARD -j ACCEPT"
monitorcheck iptables -F FORWARD
-EXP=" EVENT: -6 -t filter -D FORWARD -j ACCEPT"
+EXP=" EVENT: ip6tables -t filter -D FORWARD -j ACCEPT"
monitorcheck ip6tables -F FORWARD
EXP=" EVENT: ebtables -t filter -D FORWARD -j ACCEPT"
monitorcheck ebtables -F FORWARD
-EXP=" EVENT: -0 -t filter -D INPUT -j ACCEPT"
+EXP=" EVENT: arptables -t filter -D INPUT -j ACCEPT"
monitorcheck arptables -F INPUT
EXP=" EVENT: nft: DEL chain: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0 flags 1"
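Review bot: the updated expectations exercise events only; the cover letter says this patch changes trace output as well, and patch 5 states the test is events-only, so the trace format change lands without coverage. A trace-mode variant of monitorcheck() exercising at least one iptables rule would close that gap and document the new trace line format alongside the event one.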
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index b54a704bb1786..9561bd177dee4 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -70,6 +70,22 @@ static int table_cb(const struct nlmsghdr *nlh, void *data)
return MNL_CB_OK;
}
+static const char *family_cmd(int family)
+{
+ switch (family) {
+ case NFPROTO_IPV4:
+ return "iptables";
+ case NFPROTO_IPV6:
+ return "ip6tables";
+ case NFPROTO_ARP:
+ return "arptables";
+ case NFPROTO_BRIDGE:
+ return "ebtables";
+ default:
+ return NULL;
+ }
+}
+
static bool counters;
static bool trace;
static bool events;
@@ -103,27 +119,16 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
nft_rule_is_policy_rule(r))
goto err_free;
- if (arg->is_event)
- printf(" EVENT: ");
- switch (family) {
- case AF_INET:
- case AF_INET6:
- printf("-%c ", family == AF_INET ? '4' : '6');
- break;
- case NFPROTO_ARP:
- printf("-0 ");
- break;
- case NFPROTO_BRIDGE:
- printf("ebtables ");
- break;
- default:
- puts("");
+ if (!family_cmd(family))
goto err_free;
- }
- printf("-t %s ", nftnl_rule_get_str(r, NFTNL_RULE_TABLE));
- nft_rule_print_save(arg->h, r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
- NFT_RULE_DEL,
+ printf("%s%s -t %s ",
+ arg->is_event ? " EVENT: " : "",
+ family_cmd(family),
+ nftnl_rule_get_str(r, NFTNL_RULE_TABLE));
+ nft_rule_print_save(arg->h, r,
+ type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND
+ : NFT_RULE_DEL,
counters ? 0 : FMT_NOCOUNTS);
err_free:
nftnl_rule_free(r);
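Review bot: family_cmd(family) is evaluated twice, once in `+ if (!family_cmd(family))` and again inside the printf(); storing the result in a local `const char *cmd` avoids the duplicate switch and reads better. More importantly, the removed `default: puts(""); goto err_free;` path used to emit an empty ` EVENT: ` line for a rule of an unsupported family, whereas the new code prints nothing before `goto err_free`; that is the better behaviour, but it is a second output change beyond the flag-to-command rename and belongs in the commit message.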
@@ -150,29 +155,18 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
if (arg->nfproto && arg->nfproto != family)
goto err_free;
- if (nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO))
- family = -1;
-
printf(" EVENT: ");
- switch (family) {
- case NFPROTO_IPV4:
- family = 4;
- break;
- case NFPROTO_IPV6:
- family = 6;
- break;
- case NFPROTO_ARP:
- family = 0;
- break;
- default:
- nftnl_chain_snprintf(buf, sizeof(buf), c, NFTNL_OUTPUT_DEFAULT, 0);
+
+ if (nftnl_chain_is_set(c, NFTNL_CHAIN_PRIO) || !family_cmd(family)) {
+ nftnl_chain_snprintf(buf, sizeof(buf),
+ c, NFTNL_OUTPUT_DEFAULT, 0);
printf("nft: %s chain: %s\n",
type == NFT_MSG_NEWCHAIN ? "NEW" : "DEL", buf);
goto err_free;
}
- printf("-%d -t %s -%c %s\n",
- family,
+ printf("%s -t %s -%c %s\n",
+ family_cmd(family),
nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE),
type == NFT_MSG_NEWCHAIN ? 'N' : 'X',
nftnl_chain_get_str(c, NFTNL_CHAIN_NAME));
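Review bot: dropping the `family = -1` trick so that base chains (NFTNL_CHAIN_PRIO set) and unknown families share one branch is clearer. Two points for the commit message: bridge user-defined chains now print `ebtables -t filter -N foo` instead of `nft: NEW chain: bridge filter foo ...` (the test hunk changes that expectation), which is a format change beyond the rename of the `-4`/`-6`/`-0` prefixes; and family_cmd() is again called twice, in the condition and in the printf(), where a local variable would remove the repetition.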
--
2.43.0
* Re: [iptables PATCH 0/8] Fix xtables-monitor rule printing, partially RFC
From: Phil Sutter @ 2024-07-27 12:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal, Pablo Neira Ayuso
On Tue, Jul 16, 2024 at 02:27:57PM +0200, Phil Sutter wrote:
> The patches in this series progress from fixes to features, and for the
> last two I'm not sure they are acceptable as-is: Patch 7 is not entirely
> complete, one should follow up by printing ebtables policy rules like
> builtin chain policies in traces, but it requires quite some code churn.
> Patch 8 changes output of both events and traces, and thus might break
> existing scripts parsing xtables-monitor output.
>
> Phil Sutter (8):
> xtables-monitor: Proper re-init for rule's family
> xtables-monitor: Flush stdout after all lines of output
> xtables-monitor: Align builtin chain and table output
> xtables-monitor: Support arptables chain events
> tests: shell: New xtables-monitor test
> xtables-monitor: Fix for ebtables rule events
> xtables-monitor: Ignore ebtables policy rules unless tracing
> xtables-monitor: Print commands instead of -4/-6/-0 flags
Series applied.