On Mon, May 08, 2017 at 07:31:09PM +0200, Pablo Neira Ayuso wrote:
> On Fri, May 05, 2017 at 04:33:23PM +0200, Phil Sutter wrote:
> > Being able to retrieve an added rule's handle atomically is a crucial
> > feature for scripts invoking nft command: Without it, there is no way to
> > be sure a handle extracted from 'nft list ruleset' command actually
> > refers to the rule one has added before or that of another process which
> > ran in between.
> >
> > Extracting an added rule's handle itself is not an easy task already,
> > since there is a chance that a given rule is printed differently than
> > when it was added before. A simple example is port number vs. service
> > name:
> >
> > | nft add rule ip t c tcp dport { ssh, 80 } accept
> >
> > There is no way to make 'nft list ruleset' return the rule just like
> > this as depending on whether '-nn' was given or not, it either prints
> > the set as '{ ssh, http }' or '{ 22, 80 }' but never in the mixed form
> > that was used when adding it.
> >
> > This patch prints an identifying string for each added rule which may be
> > used as single parameter to a later 'nft delete rule' command. So a
> > simple scripting example looks like this:
> >
> > | handle=$(nft add rule ip t c counter)
> > | ...
> > | nft delete rule $handle
> >
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> > Changes since v1:
> > - Pass NLM_F_ECHO to kernel to leverage already existing reporting
> >   infrastructure and therefore not require a separate kernel patch.
> > - Limit mnl_callback() action to NEWRULE messages - when replacing a
> >   rule, it would otherwise print the deleted rule as well.
>
> This does not work for nft -i.

It does, if I pass '-a' along with '-i':

| % sudo ./src/nft -i -a
| nft> replace rule ip t c handle 2 counter accept
| ip t c handle 2
| nft>

Or should this behave differently then, in your opinion?

Thanks, Phil
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
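The scripting pattern from the quoted patch description (capture the echoed handle, hand it back to 'nft delete rule' later), as an added example that is not part of this thread or of the nftables sources: a POSIX sh wrapper that checks the echoed string really has the shape "<family> <table> <chain> handle <N>", as in the interactive session above, before it is spliced into a second nft command. It assumes that 'nft -a add rule' prints exactly that one line on success; the function names (valid_handle, add_rule_with_handle, delete_rule_by_handle) and the NFT variable are illustration-only assumptions.

```shell
#!/bin/sh
# Added example, not code from the patch or from nftables. Assumes that
# 'nft -a add rule ...' echoes one line "<family> <table> <chain> handle <N>"
# (as in the session quoted in the mail). NFT names the binary to invoke;
# it is overridable so the wrapper can be exercised without root or nft.
NFT="${NFT:-nft}"

# valid_handle STRING
# Succeeds only if STRING is exactly five words, the fourth is the literal
# word "handle" and the fifth is all digits. An error message or a multi-line
# listing captured by mistake must never reach 'nft delete rule' unchecked.
valid_handle() (
    set -f                         # no pathname expansion while splitting
    set -- $1                      # split the candidate into words
    [ "$#" -eq 5 ] || return 1
    [ "$4" = handle ] || return 1
    case $5 in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    return 0
)

# add_rule_with_handle FAMILY TABLE CHAIN RULE...
# Adds the rule and prints the echoed handle string, or prints nothing and
# fails. Because the handle comes back from the same command that added the
# rule, it cannot belong to a rule another process inserted in between.
add_rule_with_handle() {
    out=$("$NFT" -a add rule "$@") || return 1
    if ! valid_handle "$out"; then
        printf 'unexpected nft output: %s\n' "$out" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# delete_rule_by_handle HANDLE_STRING
# Re-validates the string so a stale or mangled value cannot turn into a
# different command, then deletes the rule. $1 is intentionally unquoted:
# the string is five separate arguments to nft.
delete_rule_by_handle() {
    valid_handle "$1" || return 1
    "$NFT" delete rule $1
}

# Typical use (needs root and a real nft; left commented so the file sources
# cleanly):
# handle=$(add_rule_with_handle ip t c counter) || exit 1
# ...
# delete_rule_by_handle "$handle"
```

With the real binary the only change to the pattern in the patch description is the extra '-a' and the validation step; everything else is the two-line script Phil shows.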