Re: [nft] all chains of a table are listed

Hi Arturo,

Cc'ing JP Pozzi, he also filed a bug into netfilter bugzilla that is
related to this.

Several comments below.

On Tue, Sep 22, 2015 at 02:06:25PM +0200, Arturo Borrero Gonzalez wrote:
> Hi!
> 
> It seems all chains of a given table are always listed. Is this the
> intended behaviour?
> 
> % sudo nft list table test
> table ip test {
>   chain test1 {
>   }
> 
>   chain test2 {
>   }
> }
> 
> % sudo nft list chain test test1
> table ip test {
>   chain test1 {
>   }
> 
>   chain test2 {
>   }
> }
> 
> % sudo nft list chain test test2
> table ip test {
>   chain test1 {
>   }
> 
>   chain test2 {
>   }
> }

I went back to the bugzilla report; I thought it was indicating exactly
the same thing. However, it's actually pointing to a different
(related) thing:

http://bugzilla.netfilter.org/show_bug.cgi?id=1014

JP suggests that the chain listing only displays the chain content,
ie. only the rules. I understand he wants to use the list command to
filter out things when the ruleset contains *many things* which sounds
quite reasonable, something like:

# nft list chain test test1
chain test1 {
        type filter hook input priority 0; policy drop;
        counter accept
}
# nft list chain test test2
chain test2 {
        type filter hook input priority 0; policy drop;
        counter accept
}

To get things aligned with what we have, we should also have some
way to list the chain definitions only:

# nft list chains
table ip filter {
        chain test1 {
                type filter hook input priority 0; policy drop;
        }
        chain test2 {
                type filter hook input priority 0; policy drop;
        }
}
table ip6 filter {
        chain test1 {
                type filter hook input priority 0; policy drop;
        }
}

The listing shows *no content*, only the chain declarations, no rules.
Then, if you want to zoom into the chain content, you can do:

# nft list chain test test1
chain test1 {
        type filter hook input priority 0; policy drop;
        counter accept
}

We should also get this aligned with 'nft list ruleset' so:

# nft list chains ip6
table ip6 filter {
        chain test1 {
                type filter hook input priority 0; policy drop;
        }
}

Only shows the chains under the ip6 family.

Then, we can fix `nft list sets' to display things like this:

# nft list sets
table ip filter {
        set test {
                type ipv4_addr
        }
        set test2 {
                type ipv4_addr
        }
}
table ip6 filter {
        set test {
                type ipv6_addr
        }
}

Again, with no content (no elements), so you have to use:

# nft list set ip filter test

to zoom in and get the element listing.

Then, also support to filter out by family:

# nft list sets ip6
table ip6 filter {
        set test {
                type ipv6_addr
        }
}

Does this look good to you?

Thanks.
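Added example, not part of the original message: until `nft list chain` behaves as proposed above, the chain-only and declarations-only views can be approximated with awk over the output of `nft list table`. The SAMPLE listing and the function names `nft_chain_block` and `nft_chain_names` are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample of `nft list table ip test` output (spaces instead of
# the tabs real nft prints; the awk below handles either).
SAMPLE='table ip test {
        chain test1 {
                type filter hook input priority 0; policy drop;
                ip saddr { 192.0.2.1, 192.0.2.2 } drop
                counter accept
        }

        chain test2 {
                type filter hook input priority 0; policy accept;
        }
}'

# nft_chain_block NAME: print only "chain NAME { ... }" from the listing on
# stdin, i.e. the content-only view requested in the bugzilla report.
nft_chain_block() {
    awk -v want="$1" '
        # header of the requested chain: note its indent and start capturing
        !in_chain && $1 == "chain" && $2 == want {
            in_chain = 1; depth = 0; strip = match($0, /[^ \t]/) - 1
        }
        in_chain {
            print substr($0, strip + 1)                  # drop table-level indent
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")   # gsub returns a count
            if (depth == 0) exit                         # matching close brace
        }'
}

# nft_chain_names: chain declarations only, like the proposed `nft list chains`
# (the "{" check ignores rule lines that merely contain the word "chain").
nft_chain_names() {
    awk '$1 == "chain" && $3 == "{" { print $2 }'
}

printf '%s\n' "$SAMPLE" | nft_chain_block test1
printf '%s\n' "$SAMPLE" | nft_chain_names
```

On a live system, replace the printf with `nft list table ip test` run as root; brace counting keeps one-line anonymous sets inside a rule from ending the block early.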
