This patch prints the counters of a rule before the details, like iptables-save syntax.
Signed-off-by: Giuseppe Longo <giuseppelng@xxxxxxxxx>
---
 iptables/nft-arp.c | 14 ++++++++------
 iptables/nft-ipv4.c | 11 +++++++++--
 iptables/nft-ipv6.c | 12 ++++++++++--
 iptables/nft-shared.c | 18 ++++++++++--------
 iptables/nft-shared.h | 5 +++--
 iptables/nft.c | 11 +++++++----
 6 files changed, 47 insertions(+), 24 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 562a1a2..dffdc94 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -599,12 +599,6 @@ static void nft_arp_save_firewall(const void *data,
 print_fw_details((struct arpt_entry *)fw, format);
- if (!(format & FMT_NOCOUNTS)) {
- printf("-c ");
- xtables_print_num(fw->counters.pcnt, format);
- xtables_print_num(fw->counters.bcnt, format);
- }
-
 target = get_target((struct arpt_entry *)fw, format);
 if (target) {
@@ -680,6 +674,13 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nft_rule *r,
 return true;
 }
+static void nft_arp_save_counters(const void *data, unsigned int format)
+{
+ const struct arpt_entry *fw = data;
+
+ save_counters(fw->counters.pcnt, fw->counters.bcnt, format);
+}
+
 struct nft_family_ops nft_family_ops_arp = {
 .add = nft_arp_add,
 .is_same = nft_arp_is_same,
@@ -689,6 +690,7 @@ struct nft_family_ops nft_family_ops_arp = {
 .parse_immediate = nft_arp_parse_immediate,
 .print_firewall = nft_arp_print_firewall,
 .save_firewall = nft_arp_save_firewall,
+ .save_counters = nft_arp_save_counters,
 .post_parse = NULL,
 .rule_find = nft_arp_rule_find,
 .parse_target = nft_arp_parse_target,
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index d05e80e..c59a120 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
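Review bot: For the ARP family the saved counters change format, not only position: the lines removed from nft_arp_save_firewall printed `-c <pkts> <bytes>` after the rule details, while nft_arp_save_counters now goes through save_counters, which emits a bracketed `[pkts:bytes] ` prefix. If the ARP restore path only understands `-c` (its parser is not part of this patch), a saved ARP ruleset would no longer round-trip and counter state would be lost or the line rejected. Please confirm the bracket form is accepted there, or state the ARP output change in the commit message, which currently mentions only iptables-save syntax.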
@@ -315,8 +315,7 @@ static void nft_ipv4_save_firewall(const void *data, unsigned int format)
 save_firewall_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto,
 cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
- cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
- format);
+ cs->fw.ip.outiface, cs->fw.ip.outiface_mask);
 if (cs->fw.ip.flags & IPT_F_FRAG) {
 if (cs->fw.ip.invflags & IPT_INV_FRAG)
@@ -409,6 +408,13 @@ static bool nft_ipv4_rule_find(struct nft_family_ops *ops,
 return nft_ipv46_rule_find(ops, r, cs);
 }
+static void nft_ipv4_save_counters(const void *data, unsigned int format)
+{
+ const struct iptables_command_state *cs = data;
+
+ save_counters(cs->counters.pcnt, cs->counters.bcnt, format);
+}
+
 struct nft_family_ops nft_family_ops_ipv4 = {
 .add = nft_ipv4_add,
 .is_same = nft_ipv4_is_same,
@@ -417,6 +423,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
 .parse_immediate = nft_ipv4_parse_immediate,
 .print_firewall = nft_ipv4_print_firewall,
 .save_firewall = nft_ipv4_save_firewall,
+ .save_counters = nft_ipv4_save_counters,
 .proto_parse = nft_ipv4_proto_parse,
 .post_parse = nft_ipv4_post_parse,
 .parse_target = nft_ipv4_parse_target,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index f08598a..e00c1aa 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -222,8 +222,8 @@ static void nft_ipv6_save_firewall(const void *data, unsigned int format)
 save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
 cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
- cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
- format);
+ cs->fw6.ipv6.outiface,
+ cs->fw6.ipv6.outiface_mask);
 save_ipv6_addr('s', &cs->fw6.ipv6.src,
 cs->fw6.ipv6.invflags & IPT_INV_SRCIP);
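Review bot: nft_ipv4_save_counters is identical, apart from its name, to nft_ipv6_save_counters added in the later nft-ipv6.c hunk: both cast `data` to `const struct iptables_command_state *` and pass `cs->counters.pcnt` and `cs->counters.bcnt` on. One shared helper in nft-shared.c, named after the existing nft_ipv46_rule_find, e.g. `void nft_ipv46_save_counters(const void *data, unsigned int format)`, assigned to `.save_counters` in both ops tables, would remove the duplicate. A one-line comment on it, `/* data must point to a struct iptables_command_state */`, would also document the unchecked cast from the opaque pointer.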
@@ -330,6 +330,13 @@ static bool nft_ipv6_rule_find(struct nft_family_ops *ops,
 return nft_ipv46_rule_find(ops, r, cs);
 }
+static void nft_ipv6_save_counters(const void *data, unsigned int format)
+{
+ const struct iptables_command_state *cs = data;
+
+ save_counters(cs->counters.pcnt, cs->counters.bcnt, format);
+}
+
 struct nft_family_ops nft_family_ops_ipv6 = {
 .add = nft_ipv6_add,
 .is_same = nft_ipv6_is_same,
@@ -338,6 +345,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
 .parse_immediate = nft_ipv6_parse_immediate,
 .print_firewall = nft_ipv6_print_firewall,
 .save_firewall = nft_ipv6_save_firewall,
+ .save_counters = nft_ipv6_save_counters,
 .proto_parse = nft_ipv6_proto_parse,
 .post_parse = nft_ipv6_post_parse,
 .parse_target = nft_ipv6_parse_target,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 09dd4f4..be6f276 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -601,15 +601,8 @@ void save_firewall_details(const struct iptables_command_state *cs,
 const char *iniface,
 unsigned const char *iniface_mask,
 const char *outiface,
- unsigned const char *outiface_mask,
- unsigned int format)
+ unsigned const char *outiface_mask)
 {
- if (!(format & FMT_NOCOUNTS)) {
- printf("-c ");
- xtables_print_num(cs->counters.pcnt, format);
- xtables_print_num(cs->counters.bcnt, format);
- }
-
 if (iniface != NULL) {
 print_iface('i', iniface, iniface_mask,
 invflags & IPT_INV_VIA_IN);
@@ -632,6 +625,15 @@ void save_firewall_details(const struct iptables_command_state *cs,
 }
 }
+void save_counters(uint64_t pcnt, uint64_t bcnt, unsigned int format)
+{
+ printf("[");
+ xtables_print_num(pcnt, format);
+ printf(":");
+ xtables_print_num(bcnt, format);
+ printf("] ");
+}
+
 void save_matches_and_target(struct xtables_rule_match *m,
 struct xtables_target *target,
 const char *jumpto, uint8_t flags, const void *fw)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index ea11745..71fc8ae 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
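Review bot: save_counters in nft-shared.c builds the `[pkts:bytes]` token from two xtables_print_num() calls, so what ends up between the brackets depends on `format`. As far as I recall, xtables_print_num writes a trailing space after the number and pads or abbreviates it depending on the FMT_* bits, which would give something like `[12 :340 ] ` (constructed values) rather than the compact `[12:340] `. Please check against real output, because the commit message targets iptables-save syntax and a restore parser is likely to expect the compact form. If the output does differ, a single `printf("[%llu:%llu] ", (unsigned long long)pcnt, (unsigned long long)bcnt);` removes the dependency on the format flags.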
@@ -50,6 +50,7 @@ struct nft_family_ops {
 void (*print_firewall)(struct nft_rule *r, unsigned int num,
 unsigned int format);
 void (*save_firewall)(const void *data, unsigned int format);
+ void (*save_counters)(const void *data, unsigned int format);
 void (*proto_parse)(struct iptables_command_state *cs,
 struct xtables_args *args);
 void (*post_parse)(int command, struct iptables_command_state *cs,
@@ -117,8 +118,8 @@ void save_firewall_details(const struct iptables_command_state *cs,
 const char *iniface,
 unsigned const char *iniface_mask,
 const char *outiface,
- unsigned const char *outiface_mask,
- unsigned int format);
+ unsigned const char *outiface_mask);
+void save_counters(uint64_t pcnt, uint64_t bcnt, unsigned int format);
 void save_matches_and_target(struct xtables_rule_match *m,
 struct xtables_target *target,
 const char *jumpto,
diff --git a/iptables/nft.c b/iptables/nft.c
index 26942d8..1157646 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -939,8 +939,8 @@ int add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes)
 if (expr == NULL)
 return -ENOMEM;
- nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_BYTES, packets);
- nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_PACKETS, bytes);
+ nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_PACKETS, packets);
+ nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_BYTES, bytes);
 nft_rule_add_expr(r, expr);
@@ -1048,6 +1048,11 @@ nft_rule_print_save(const void *data,
 int family = nft_rule_attr_get_u32(r, NFT_RULE_ATTR_FAMILY);
 struct nft_family_ops *ops;
+ ops = nft_family_ops_lookup(family);
+
+ if (!(format & FMT_NOCOUNTS) && ops->save_counters)
+ ops->save_counters(data, format);
+
 /* print chain name */
 switch(type) {
 case NFT_RULE_APPEND:
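Review bot: The new `save_counters` member of struct nft_family_ops takes an untyped `const void *data`, and nothing in the header says what it must point to. The implementations in this patch cast it to different structs (struct arpt_entry for arp, struct iptables_command_state for ipv4 and ipv6), so a caller passing the wrong object reads counters from unrelated memory with no diagnostic. A comment above the member such as `/* optional; data is the same per-family object that is passed to save_firewall */` would record the contract that nft_rule_print_save relies on.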
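Review bot: In nft_rule_print_save the result of `nft_family_ops_lookup(family)` is dereferenced at `ops->save_counters` without a NULL check, and `family` is read from the rule attribute rather than chosen by the caller. If the lookup can return NULL for a family it does not know (its body is not visible here), this becomes a NULL dereference at the top of the function; the existing `ops->save_firewall` use further down has the same exposure. A guard right after the lookup, `if (ops == NULL) return;` (assuming the function returns void, since its return type is outside the hunk), would cover both uses. The function body starts before and continues after this hunk.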
@@ -1058,8 +1063,6 @@ nft_rule_print_save(const void *data,
 break;
 }
- ops = nft_family_ops_lookup(family);
-
 if (ops->save_firewall)
 ops->save_firewall(data, format);
--
1.8.3.2
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html