Sometimes it can be useful to test if a command is valid without applying any change to the rule-set. This commit adds a new option flag (-c | --check) that performs a dry run execution of the commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@xxxxxxxxx>
---
 doc/nft.xml | 11 +++++++++++
 include/nftables.h | 1 +
 src/main.c | 14 ++++++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index e9ccd63..970acb5 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -52,6 +52,9 @@ vi:ts=4 sw=4
 <option>-s | --stateless</option>
 </arg>
 <arg choice="opt">
+ <option>-c | --check</option>
+ </arg>
+ <arg choice="opt">
 <option>[-I | --includepath]</option>
 <replaceable>directory</replaceable>
 </arg>
@@ -130,6 +133,14 @@ vi:ts=4 sw=4
 </listitem>
 </varlistentry>
 <varlistentry>
+ <term><option>-c, --check</option></term>
+ <listitem>
+ <para>
+ Check commands validity without actually applying the changes.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
 <term><option>-N</option></term>
 <listitem>
 <para>
diff --git a/include/nftables.h b/include/nftables.h
index dbd4637..26fd344 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -33,6 +33,7 @@ struct output_ctx {
 struct nft_ctx {
 struct output_ctx output;
+ bool check;
 };
 extern unsigned int max_errors;
diff --git a/src/main.c b/src/main.c
index 16a01f3..849b3bf 100644
--- a/src/main.c
+++ b/src/main.c
@@ -40,6 +40,7 @@ static unsigned int num_include_paths = 1;
 enum opt_vals {
 OPT_HELP = 'h',
 OPT_VERSION = 'v',
+ OPT_CHECK = 'c',
 OPT_FILE = 'f',
 OPT_INTERACTIVE = 'i',
 OPT_INCLUDEPATH = 'I',
@@ -51,7 +52,7 @@ enum opt_vals {
 OPT_INVALID = '?',
 };
-#define OPTSTRING "hvf:iI:vnsNa"
+#define OPTSTRING "hvcf:iI:vnsNa"
 static const struct option options[] = {
 {
@@ -63,6 +64,10 @@ static const struct option options[] = {
 .val = OPT_VERSION,
 },
 {
+ .name = "check",
+ .val = OPT_CHECK,
+ },
+ {
 .name = "file",
 .val = OPT_FILE,
 .has_arg = 1,
@@ -113,6 +118,7 @@ static void show_help(const char *name)
 " -h, --help Show this help\n"
 " -v, --version Show version information\n"
 "\n"
+" -c --check Check commands validity without actually applying the changes.\n"
 " -f, --file <filename> Read input from <filename>\n"
 " -i, --interactive Read input from interactive CLI\n"
 "\n"
@@ -202,7 +208,8 @@ static int nft_netlink(struct parser_state *state, struct list_head *msgs,
 if (ret < 0)
 goto out;
 }
- mnl_batch_end(batch);
+ if (!nft->check)
+ mnl_batch_end(batch);
 if (!mnl_batch_ready(batch))
 goto out;
@@ -278,6 +285,9 @@ int main(int argc, char * const *argv)
 printf("%s v%s (%s)\n", PACKAGE_NAME, PACKAGE_VERSION, RELEASE_NAME);
 exit(NFT_EXIT_SUCCESS);
+ case OPT_CHECK:
+ nft.check = true;
+ break;
 case OPT_FILE:
 filename = optarg;
 break;
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
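Review bot: The added usage line in show_help() spells the option `-c --check`, without the comma that the neighbouring entries use (`-h, --help`, `-f, --file <filename>`) and that the man page hunk in doc/nft.xml uses (`-c, --check`). I would change it to `" -c, --check Check commands validity without actually applying the changes.\n"` so the help output stays uniform. Column alignment cannot be judged on this page because the whitespace inside the string is collapsed. show_help's body continues outside the hunk.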
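Review bot: Skipping `mnl_batch_end(batch)` when `nft->check` is set is the entire dry-run mechanism in nft_netlink(), and nothing at the branch says why it is safe. The batch is still built, and judging by the `mnl_batch_ready()` test that follows it is presumably still sent, so --check appears to rely on the kernel discarding a batch that lacks its end message rather than on nft not talking to the kernel. That dependency deserves a comment on the branch, for example `/* --check: leave the batch unterminated so the kernel validates it and aborts instead of committing */`. The man page entry could also say that a check goes through the same netlink path as a real run, and so probably needs the same privileges. Any command handled in this function without going through the batch would not be covered by the flag, but nft_netlink starts and ends outside the hunk, so that cannot be confirmed from here.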