[PATCH nft 1/2] src: add --literal option


 



Default not to print the service name as we discussed during the NFWS.

 # nft list ruleset
 table ip x {
        chain y {
                tcp dport 22
                ip saddr 1.1.1.1
        }
 }

 # nft -l list ruleset
 table ip x {
        chain y {
                tcp dport ssh
                ip saddr 1.1.1.1
        }
 }

 # nft -ll list ruleset
 table ip x {
        chain y {
                tcp dport 22
                ip saddr 1dot1dot1dot1.cloudflare-dns.com
        }
 }

Then, -ll displays the FQDN, just like the (now deprecated) --ip2name (-N)
option.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 doc/libnftables.adoc           | 14 +++++++-------
 include/nftables.h             |  2 +-
 include/nftables/libnftables.h | 10 ++++++++--
 src/datatype.c                 | 10 +++++-----
 src/libnftables.c              |  8 ++++----
 src/main.c                     | 25 +++++++++++++++++++++++--
 6 files changed, 48 insertions(+), 21 deletions(-)

diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index adfc94205a8a..0387652fa3c1 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -25,8 +25,8 @@ void nft_ctx_output_set_numeric(struct nft_ctx* '\*ctx'*,
 bool nft_ctx_output_get_stateless(struct nft_ctx* '\*ctx'*);
 void nft_ctx_output_set_stateless(struct nft_ctx* '\*ctx'*, bool* 'val'*);
 
-bool nft_ctx_output_get_ip2name(struct nft_ctx* '\*ctx'*);
-void nft_ctx_output_set_ip2name(struct nft_ctx* '\*ctx'*, bool* 'val'*);
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx* '\*ctx'*);
+void nft_ctx_output_set_literal(struct nft_ctx* '\*ctx'*, bool* 'val'*);
 
 unsigned int nft_ctx_output_get_debug(struct nft_ctx* '\*ctx'*);
 void nft_ctx_output_set_debug(struct nft_ctx* '\*ctx'*, unsigned int* 'mask'*);
@@ -133,14 +133,14 @@ The *nft_ctx_output_get_stateless*() function returns the stateless output setti
 
 The *nft_ctx_output_set_stateless*() function sets the stateless output setting in 'ctx' to the value of 'val'.
 
-=== nft_ctx_output_get_ip2name() and nft_ctx_output_set_ip2name()
-The ip2name setting controls whether reverse DNS lookups are performed for IP addresses when printing them.
+=== nft_ctx_output_get_literal() and nft_ctx_output_set_literal()
+The literal setting controls whether reverse DNS lookups are performed for IP addresses when printing them.
 Note that this may add significant delay to *list* commands depending on DNS resolver speed.
-The default setting is *false*.
+The default setting is *NFT_LITERAL_NONE*.
 
-The *nft_ctx_output_get_ip2name*() function returns the ip2name output setting's value in 'ctx'.
+The *nft_ctx_output_get_literal*() function returns the literal output setting's value in 'ctx'.
 
-The *nft_ctx_output_set_ip2name*() function sets the ip2name output setting in 'ctx' to the value of 'val'.
+The *nft_ctx_output_set_literal*() function sets the literal output setting in 'ctx' to the value of 'val'.
 
 === nft_ctx_output_get_debug() and nft_ctx_output_set_debug()
 Libnftables supports separate debugging of different parts of its internals.
diff --git a/include/nftables.h b/include/nftables.h
index 5e209b417d5a..25e78c80df7e 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -18,7 +18,7 @@ struct cookie {
 struct output_ctx {
 	unsigned int numeric;
 	unsigned int stateless;
-	unsigned int ip2name;
+	unsigned int literal;
 	unsigned int handle;
 	unsigned int echo;
 	unsigned int json;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 13ec39273581..dee099f279c1 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -33,6 +33,12 @@ enum nft_numeric_level {
 	NFT_NUMERIC_ALL,
 };
 
+enum nft_literal_level {
+	NFT_LITERAL_NONE,
+	NFT_LITERAL_PORT,
+	NFT_LITERAL_ADDR,
+};
+
 /**
  * Possible flags to pass to nft_ctx_new()
  */
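Review bot: The new public `enum nft_literal_level` has no comment, while the neighbouring `nft_ctx_new()` flags in the same header carry a `/** ... */` block; what each level changes is only recoverable by reading src/datatype.c. Suggest a doxygen block above the enum stating that NFT_LITERAL_NONE prints ports and addresses numerically, NFT_LITERAL_PORT prints service names, and NFT_LITERAL_ADDR performs reverse DNS lookups for addresses, and saying explicitly whether the levels are cumulative, since `inet_service_type_print` in this series prints service names only at exactly NFT_LITERAL_PORT.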
@@ -47,8 +53,8 @@ enum nft_numeric_level nft_ctx_output_get_numeric(struct nft_ctx *ctx);
 void nft_ctx_output_set_numeric(struct nft_ctx *ctx, enum nft_numeric_level level);
 bool nft_ctx_output_get_stateless(struct nft_ctx *ctx);
 void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val);
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx);
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val);
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx);
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val);
 unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx);
 void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask);
 bool nft_ctx_output_get_handle(struct nft_ctx *ctx);
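Review bot: The prototype added here takes `enum nft_literal_level val`, but the synopsis in doc/libnftables.adoc in this same patch still declares `nft_ctx_output_set_literal(struct nft_ctx* '\*ctx'*, bool* 'val'*)`; the two should agree, and the adoc line should read `void nft_ctx_output_set_literal(struct nft_ctx* '\*ctx'*, enum nft_literal_level* 'val'*);`. The adoc description ("controls whether reverse DNS lookups are performed for IP addresses") also only covers the NFT_LITERAL_ADDR half; since NFT_LITERAL_PORT enables service-name printing, the text should mention ports as well.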
diff --git a/src/datatype.c b/src/datatype.c
index 209044539bb8..fbc3ac35da4d 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -454,7 +454,7 @@ static void ipaddr_type_print(const struct expr *expr, struct output_ctx *octx)
 	sin.sin_addr.s_addr = mpz_get_be32(expr->value);
 	err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
 			  sizeof(buf), NULL, 0,
-			  octx->ip2name ? 0 : NI_NUMERICHOST);
+			  octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
 	if (err != 0) {
 		getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
 			    sizeof(buf), NULL, 0, NI_NUMERICHOST);
@@ -512,7 +512,7 @@ static void ip6addr_type_print(const struct expr *expr, struct output_ctx *octx)
 
 	err = getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
 			  sizeof(buf), NULL, 0,
-			  octx->ip2name ? 0 : NI_NUMERICHOST);
+			  octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
 	if (err != 0) {
 		getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
 			    sizeof(buf), NULL, 0, NI_NUMERICHOST);
@@ -617,11 +617,11 @@ const struct datatype inet_protocol_type = {
 static void inet_service_type_print(const struct expr *expr,
 				     struct output_ctx *octx)
 {
-	if (octx->numeric >= NFT_NUMERIC_PORT) {
-		integer_type_print(expr, octx);
+	if (octx->literal == NFT_LITERAL_PORT) {
+		symbolic_constant_print(&inet_service_tbl, expr, false, octx);
 		return;
 	}
-	symbolic_constant_print(&inet_service_tbl, expr, false, octx);
+	integer_type_print(expr, octx);
 }
 
 static struct error_record *inet_service_type_parse(const struct expr *sym,
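Review bot: `inet_service_type_print` now prints service names only when `octx->literal == NFT_LITERAL_PORT`, so the higher level `-ll` (NFT_LITERAL_ADDR) falls back to the numeric port while `-l` resolves it; the commit message shows this, but the `+1`/`+2` arithmetic in src/main.c treats the levels as an increasing scale, which reads as cumulative. If `-ll` is meant to include `-l`, the test should be `if (octx->literal >= NFT_LITERAL_PORT) {`; if the levels are deliberately exclusive, a comment saying so would stop the next reader from "fixing" it. The removed `octx->numeric >= NFT_NUMERIC_PORT` test also means `-n` no longer has any effect on port printing once `-l` is given; if that is intended, the documentation for `-n` presumably needs updating, which this patch does not do.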
diff --git a/src/libnftables.c b/src/libnftables.c
index 9a97a3c5342f..656b0a1c3f98 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -336,14 +336,14 @@ void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val)
 	ctx->output.stateless = val;
 }
 
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx)
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx)
 {
-	return ctx->output.ip2name;
+	return ctx->output.literal;
 }
 
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val)
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val)
 {
-	ctx->output.ip2name = val;
+	ctx->output.literal = val;
 }
 
 unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx)
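Review bot: `nft_ctx_output_set_literal` stores `val` into the `unsigned int literal` field without range checking, and because src/datatype.c tests `octx->literal >= NFT_LITERAL_ADDR`, any out-of-range value a library caller passes silently behaves as NFT_LITERAL_ADDR and enables reverse DNS lookups on every listed address. Either reject or clamp values above NFT_LITERAL_ADDR here, or document the accepted range in the header comment; this likely mirrors how `nft_ctx_output_set_numeric` behaves, but that function is outside the hunk.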
diff --git a/src/main.c b/src/main.c
index b2966a41e14f..792136f527d9 100644
--- a/src/main.c
+++ b/src/main.c
@@ -35,13 +35,14 @@ enum opt_vals {
 	OPT_NUMERIC		= 'n',
 	OPT_STATELESS		= 's',
 	OPT_IP2NAME		= 'N',
+	OPT_LITERAL		= 'l',
 	OPT_DEBUG		= 'd',
 	OPT_HANDLE_OUTPUT	= 'a',
 	OPT_ECHO		= 'e',
 	OPT_INVALID		= '?',
 };
 
-#define OPTSTRING	"hvcf:iI:jvnsNae"
+#define OPTSTRING	"hvcf:iI:jvnsNael"
 
 static const struct option options[] = {
 	{
@@ -78,6 +79,10 @@ static const struct option options[] = {
 		.val		= OPT_IP2NAME,
 	},
 	{
+		.name		= "literal",
+		.val		= OPT_LITERAL,
+	},
+	{
 		.name		= "includepath",
 		.val		= OPT_INCLUDEPATH,
 		.has_arg	= 1,
@@ -173,6 +178,7 @@ int main(int argc, char * const *argv)
 {
 	char *buf = NULL, *filename = NULL;
 	enum nft_numeric_level numeric;
+	enum nft_literal_level literal;
 	bool interactive = false;
 	unsigned int debug_mask;
 	unsigned int len;
@@ -224,7 +230,22 @@ int main(int argc, char * const *argv)
 			nft_ctx_output_set_stateless(nft, true);
 			break;
 		case OPT_IP2NAME:
-			nft_ctx_output_set_ip2name(nft, true);
+			literal = nft_ctx_output_get_literal(nft);
+			if (literal + 2 > NFT_LITERAL_ADDR) {
+				fprintf(stderr, "Cannot combine `-N' with `-l'\n");
+				exit(EXIT_FAILURE);
+			}
+			nft_ctx_output_set_literal(nft, literal + 2);
+			break;
+		case OPT_LITERAL:
+			literal = nft_ctx_output_get_literal(nft);
+			if (literal + 1 > NFT_LITERAL_ADDR) {
+				fprintf(stderr, "Too many `-l' options or "
+						"perhaps you combined `-l' "
+						"with `-N'?\n");
+				exit(EXIT_FAILURE);
+			}
+			nft_ctx_output_set_literal(nft, literal + 1);
 			break;
 		case OPT_DEBUG:
 			debug_mask = nft_ctx_output_get_debug(nft);
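Review bot: The OPT_IP2NAME branch maps the deprecated `-N` to NFT_LITERAL_ADDR (the same level as `-ll`) without telling the user, and a repeated `-N` reaches the `literal + 2 > NFT_LITERAL_ADDR` test and reports "Cannot combine `-N' with `-l'" even though no `-l` was given. Consider printing a hint in that branch, e.g. `fprintf(stderr, "`-N' is deprecated, use `-ll' instead\n");`, and testing `if (literal != NFT_LITERAL_NONE) {` instead of the arithmetic so the message is accurate for both `-N -N` and `-l -N`. Passing `literal + 1` and `literal + 2` to a parameter declared `enum nft_literal_level` is well-formed C but relies on the enumerators being consecutive with NONE, PORT, ADDR in that order; a comment on the enum in include/nftables/libnftables.h should state that contract. The enclosing main() starts and ends outside this hunk.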
-- 
2.11.0



