This patch prints the counters of a rule before the details, like iptables-save syntax. Signed-off-by: Giuseppe Longo <giuseppelng@xxxxxxxxx> --- iptables/nft-arp.c | 14 ++++++++------ iptables/nft-ipv4.c | 11 +++++++++-- iptables/nft-ipv6.c | 12 ++++++++++-- iptables/nft-shared.c | 15 +++++++-------- iptables/nft-shared.h | 5 +++-- iptables/nft.c | 11 +++++++---- 6 files changed, 44 insertions(+), 24 deletions(-) diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 562a1a2..8c06243 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -599,12 +599,6 @@ static void nft_arp_save_firewall(const void *data, print_fw_details((struct arpt_entry *)fw, format); - if (!(format & FMT_NOCOUNTS)) { - printf("-c "); - xtables_print_num(fw->counters.pcnt, format); - xtables_print_num(fw->counters.bcnt, format); - } - target = get_target((struct arpt_entry *)fw, format); if (target) { @@ -680,6 +674,13 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nft_rule *r, return true; } +static void nft_arp_save_counters(const void *data) +{ + const struct arpt_entry *fw = data; + + save_counters(fw->counters.pcnt, fw->counters.bcnt); +} + struct nft_family_ops nft_family_ops_arp = { .add = nft_arp_add, .is_same = nft_arp_is_same, @@ -689,6 +690,7 @@ struct nft_family_ops nft_family_ops_arp = { .parse_immediate = nft_arp_parse_immediate, .print_firewall = nft_arp_print_firewall, .save_firewall = nft_arp_save_firewall, + .save_counters = nft_arp_save_counters, .post_parse = NULL, .rule_find = nft_arp_rule_find, .parse_target = nft_arp_parse_target, diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index d05e80e..33bc581 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c 
@@ -315,8 +315,7 @@ static void nft_ipv4_save_firewall(const void *data, unsigned int format) save_firewall_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto, cs->fw.ip.iniface, cs->fw.ip.iniface_mask, - cs->fw.ip.outiface, cs->fw.ip.outiface_mask, - format); + cs->fw.ip.outiface, cs->fw.ip.outiface_mask); if (cs->fw.ip.flags & IPT_F_FRAG) { if (cs->fw.ip.invflags & IPT_INV_FRAG) @@ -409,6 +408,13 @@ static bool nft_ipv4_rule_find(struct nft_family_ops *ops, return nft_ipv46_rule_find(ops, r, cs); } +static void nft_ipv4_save_counters(const void *data) +{ + const struct iptables_command_state *cs = data; + + save_counters(cs->counters.pcnt, cs->counters.bcnt); +} + struct nft_family_ops nft_family_ops_ipv4 = { .add = nft_ipv4_add, .is_same = nft_ipv4_is_same, @@ -417,6 +423,7 @@ struct nft_family_ops nft_family_ops_ipv4 = { .parse_immediate = nft_ipv4_parse_immediate, .print_firewall = nft_ipv4_print_firewall, .save_firewall = nft_ipv4_save_firewall, + .save_counters = nft_ipv4_save_counters, .proto_parse = nft_ipv4_proto_parse, .post_parse = nft_ipv4_post_parse, .parse_target = nft_ipv4_parse_target, diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index f08598a..00f1bf8 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -222,8 +222,8 @@ static void nft_ipv6_save_firewall(const void *data, unsigned int format) save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto, cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask, - cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask, - format); + cs->fw6.ipv6.outiface, + cs->fw6.ipv6.outiface_mask); save_ipv6_addr('s', &cs->fw6.ipv6.src, cs->fw6.ipv6.invflags & IPT_INV_SRCIP); 
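Review bot: nft_ipv4_save_counters() in the second nft-ipv4.c hunk has the same body as nft_ipv6_save_counters() in the nft-ipv6.c hunk. Both read `data` as `const struct iptables_command_state *` and pass `cs->counters.pcnt` and `cs->counters.bcnt` to save_counters(). A single shared helper in nft-shared.c, named in the style of the existing `nft_ipv46_rule_find`, would keep the two copies from drifting apart, with `.save_counters = nft_ipv46_save_counters,` in both ops tables. Only the ARP variant needs its own function, because it reads `struct arpt_entry`.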
@@ -330,6 +330,13 @@ static bool nft_ipv6_rule_find(struct nft_family_ops *ops, return nft_ipv46_rule_find(ops, r, cs); } +static void nft_ipv6_save_counters(const void *data) +{ + const struct iptables_command_state *cs = data; + + save_counters(cs->counters.pcnt, cs->counters.bcnt); +} + struct nft_family_ops nft_family_ops_ipv6 = { .add = nft_ipv6_add, .is_same = nft_ipv6_is_same, @@ -338,6 +345,7 @@ struct nft_family_ops nft_family_ops_ipv6 = { .parse_immediate = nft_ipv6_parse_immediate, .print_firewall = nft_ipv6_print_firewall, .save_firewall = nft_ipv6_save_firewall, + .save_counters = nft_ipv6_save_counters, .proto_parse = nft_ipv6_proto_parse, .post_parse = nft_ipv6_post_parse, .parse_target = nft_ipv6_parse_target, diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 3f018fb..deb2783 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -589,15 +589,8 @@ void save_firewall_details(const struct iptables_command_state *cs, const char *iniface, unsigned const char *iniface_mask, const char *outiface, - unsigned const char *outiface_mask, - unsigned int format) + unsigned const char *outiface_mask) { - if (!(format & FMT_NOCOUNTS)) { - printf("-c "); - xtables_print_num(cs->counters.pcnt, format); - xtables_print_num(cs->counters.bcnt, format); - } - if (iniface != NULL) { print_iface('i', iniface, iniface_mask, invflags & IPT_INV_VIA_IN); @@ -620,6 +613,12 @@ void save_firewall_details(const struct iptables_command_state *cs, } } +void save_counters(uint64_t pcnt, uint64_t bcnt) +{ + printf("[%llu:%llu] ", (unsigned long long)pcnt, + (unsigned long long)bcnt); +} + void save_matches_and_target(struct xtables_rule_match *m, struct xtables_target *target, const char *jumpto, uint8_t flags, const void *fw) diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index 145f19d..1c06b5f 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h 
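Review bot: save_counters() in nft-shared.c has no comment stating its output contract, and its bracketed form replaces the old `-c <pcnt> <bcnt>` text for every family that calls it, ARP included. A one-line comment above the function, such as `/* Emit "[packets:bytes] " as iptables-save does; FMT_* number formatting is not applied. */`, would record that. The casts could also be dropped by including `<inttypes.h>` and writing `printf("[%" PRIu64 ":%" PRIu64 "] ", pcnt, bcnt);`. Whether the ARP restore path accepts the bracketed prefix is not visible in this patch and is worth confirming.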
@@ -50,6 +50,7 @@ struct nft_family_ops { void (*print_firewall)(struct nft_rule *r, unsigned int num, unsigned int format); void (*save_firewall)(const void *data, unsigned int format); + void (*save_counters)(const void *data); void (*proto_parse)(struct iptables_command_state *cs, struct xtables_args *args); void (*post_parse)(int command, struct iptables_command_state *cs, @@ -115,8 +116,8 @@ void save_firewall_details(const struct iptables_command_state *cs, const char *iniface, unsigned const char *iniface_mask, const char *outiface, - unsigned const char *outiface_mask, - unsigned int format); + unsigned const char *outiface_mask); +void save_counters(uint64_t pcnt, uint64_t bcnt); void save_matches_and_target(struct xtables_rule_match *m, struct xtables_target *target, const char *jumpto, diff --git a/iptables/nft.c b/iptables/nft.c index f3ec526..489869b 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -911,8 +911,8 @@ int add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes) if (expr == NULL) return -ENOMEM; - nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_BYTES, packets); - nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_PACKETS, bytes); + nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_PACKETS, packets); + nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_BYTES, bytes); nft_rule_add_expr(r, expr); @@ -1020,6 +1020,11 @@ nft_rule_print_save(const void *data, int family = nft_rule_attr_get_u32(r, NFT_RULE_ATTR_FAMILY); struct nft_family_ops *ops; + ops = nft_family_ops_lookup(family); + + if (!(format & FMT_NOCOUNTS) && ops->save_counters) + ops->save_counters(data); + /* print chain name */ switch(type) { case NFT_RULE_APPEND: 
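Review bot: The new `save_counters` member of struct nft_family_ops takes an untyped `const void *data`, with no comment saying what it must point to. The implementations in this patch interpret it differently: nft-arp.c reads it as `struct arpt_entry`, while nft-ipv4.c and nft-ipv6.c read it as `struct iptables_command_state`. A comment on the member, for example `/* data: struct arpt_entry for ARP, struct iptables_command_state for IPv4/IPv6 */`, would make the contract explicit. Passing the wrong structure would still compile and would read the counters from the wrong offsets, so the expectation is worth writing down. The struct definition continues outside the hunk.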
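Review bot: The corrected pairing of `NFT_EXPR_CTR_PACKETS` and `NFT_EXPR_CTR_BYTES` in add_counters() is a behaviour fix unrelated to the save-format change, and nothing in the patch marks it as one. Because it changes which value lands in each counter attribute, it would be easier to bisect and backport as a separate commit, for instance with a subject like `nft: fix swapped packet/byte counters in add_counters()`. If it stays in this patch, a short comment at the two calls, such as `/* packets first, then bytes: must match the attribute names */`, would help prevent the swap from being reintroduced.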
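Review bot: In nft_rule_print_save() the result of `nft_family_ops_lookup(family)` is dereferenced immediately as `ops->save_counters`, with no NULL check. `family` is read from the rule attribute `NFT_RULE_ATTR_FAMILY`, so if the lookup can return NULL for a family it does not recognise (its definition is not shown here), this is a NULL dereference. It now happens before any output, earlier than the old call site did. Guarding the call as `if (ops && !(format & FMT_NOCOUNTS) && ops->save_counters)` and applying the same `ops &&` test to the later `ops->save_firewall` call would make that case harmless. The function body starts and ends outside this hunk.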
@@ -1030,8 +1035,6 @@ nft_rule_print_save(const void *data, break; } - ops = nft_family_ops_lookup(family); - if (ops->save_firewall) ops->save_firewall(data, format); -- 1.8.3.2