Add NFT_CTX_OUTPUT_ECHO flag and echo the command that has been send to the kernel.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 doc/libnftables.adoc | 15 +++------------
 include/nftables/libnftables.h | 1 +
 src/libnftables.c | 10 ----------
 src/main.c | 2 +-
 src/mnl.c | 2 +-
 src/monitor.c | 2 +-
 src/rule.c | 4 ++--
 7 files changed, 9 insertions(+), 27 deletions(-)

diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index 5a3562c3266c..28a43abb4a4e 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -28,9 +28,6 @@ void nft_ctx_output_set_numeric(struct nft_ctx* '\*ctx'*,
 unsigned int nft_ctx_output_get_debug(struct nft_ctx* '\*ctx'*);
 void nft_ctx_output_set_debug(struct nft_ctx* '\*ctx'*, unsigned int* 'mask'*);
 
-bool nft_ctx_output_get_echo(struct nft_ctx* '\*ctx'*);
-void nft_ctx_output_set_echo(struct nft_ctx* '\*ctx'*, bool* 'val'*);
-
 FILE *nft_ctx_set_output(struct nft_ctx* '\*ctx'*, FILE* '\*fp'*);
 int nft_ctx_buffer_output(struct nft_ctx* '\*ctx'*);
 int nft_ctx_unbuffer_output(struct nft_ctx* '\*ctx'*);
@@ -92,6 +89,7 @@ enum {
 	NFT_CTX_OUTPUT_STATELESS = (1 << 2),
 	NFT_CTX_OUTPUT_HANDLE = (1 << 3),
 	NFT_CTX_OUTPUT_JSON = (1 << 4),
+	NFT_CTX_OUTPUT_ECHO = (1 << 5),
 };
 ----
 
@@ -105,6 +103,8 @@ NFT_CTX_OUTPUT_HANDLE::
 Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes. For example, when deleting a table or chain, it may be identified either by name or handle. Rules on the other hand must be deleted by handle because there is no other way to uniquely identify them. These functions allow to control whether ruleset listings should include handles or not.
 NFT_CTX_OUTPUT_JSON::
 If enabled at compile-time, libnftables accepts input in JSON format and is able to print output in JSON format as well. See *libnftables-json*(5) for a description of the supported schema. These functions control JSON output format, input is auto-detected.
+NFT_CTX_OUTPUT_ECHO::
+ The echo setting makes libnftables print the changes once they are committed to the kernel, just like a running instance of *nft monitor* would. Amongst other things, this allows to retrieve an added rule's handle atomically.
 
 The *nft_ctx_output_get_flags*() function returns the output flags setting's value in 'ctx'.
 
@@ -177,15 +177,6 @@ The *nft_ctx_output_get_debug*() function returns the debug output setting's val
 
 The *nft_ctx_output_set_debug*() function sets the debug output setting in 'ctx' to the value of 'mask'.
 
-=== nft_ctx_output_get_echo() and nft_ctx_output_set_echo()
-The echo setting makes libnftables print the changes once they are committed to the kernel, just like a running instance of *nft monitor* would.
-Amongst other things, this allows to retrieve an added rule's handle atomically.
-The default setting is *false*.
-
-The *nft_ctx_output_get_echo*() function returns the echo output setting's value in 'ctx'.
-
-The *nft_ctx_output_set_echo*() function sets the echo output setting in 'ctx' to the value of 'val'.
-
 === Controlling library standard and error output
 By default, any output from the library (e.g., after a *list* command) is written to 'stdout' and any error messages are written to 'stderr'.
 To give applications control over them, there are functions to assign custom file pointers as well as having the library buffer what would be written for later retrieval in a static buffer.
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 35374072560e..5ee50c689374 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -50,6 +50,7 @@ enum {
 	NFT_CTX_OUTPUT_STATELESS = (1 << 2),
 	NFT_CTX_OUTPUT_HANDLE = (1 << 3),
 	NFT_CTX_OUTPUT_JSON = (1 << 4),
+	NFT_CTX_OUTPUT_ECHO = (1 << 5),
 };
 
 unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);
diff --git a/src/libnftables.c b/src/libnftables.c
index e58f3583476f..bd1cad472fca 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
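Review bot: The include/nftables/libnftables.h hunk only adds NFT_CTX_OUTPUT_ECHO, and the diffstat shows that header gaining one line and losing none, so if the prototypes for nft_ctx_output_get_echo() and nft_ctx_output_set_echo() live in this header (the adoc synopsis hunk above removes them) they stay declared while the src/libnftables.c hunk deletes their definitions. Any out-of-tree consumer built against the header then compiles but no longer links, and the library's exported symbol set shrinks, which is an ABI break rather than a pure refactor. Either remove the two prototypes from this header in the same commit, or keep compatibility wrappers in src/libnftables.c that map onto the new bit, e.g. `void nft_ctx_output_set_echo(struct nft_ctx *ctx, bool val) { if (val) ctx->output.flags |= NFT_CTX_OUTPUT_ECHO; else ctx->output.flags &= ~NFT_CTX_OUTPUT_ECHO; }`. As far as these hunks show, the `output.echo` member is no longer read by anything after this change and could be retired with the accessors.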
@@ -342,16 +342,6 @@ void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask)
 	ctx->debug_mask = mask;
 }
 
-bool nft_ctx_output_get_echo(struct nft_ctx *ctx)
-{
-	return ctx->output.echo;
-}
-
-void nft_ctx_output_set_echo(struct nft_ctx *ctx, bool val)
-{
-	ctx->output.echo = val;
-}
-
 static const struct input_descriptor indesc_cmdline = {
 	.type = INDESC_BUFFER,
 	.name = "<cmdline>",
diff --git a/src/main.c b/src/main.c
index 2f4d96dad0b1..d7725b71eb98 100644
--- a/src/main.c
+++ b/src/main.c
@@ -268,7 +268,7 @@ int main(int argc, char * const *argv)
 			output_flags |= NFT_CTX_OUTPUT_HANDLE;
 			break;
 		case OPT_ECHO:
-			nft_ctx_output_set_echo(nft, true);
+			output_flags |= NFT_CTX_OUTPUT_ECHO;
 			break;
 		case OPT_JSON:
 			output_flags |= NFT_CTX_OUTPUT_JSON;
diff --git a/src/mnl.c b/src/mnl.c
index 951e510ba78c..5c3e81cabf28 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -350,7 +350,7 @@ int mnl_nft_rule_replace(struct netlink_ctx *ctx, const struct cmd *cmd)
 	struct nlmsghdr *nlh;
 	int err;
 
-	if (ctx->nft->output.echo) {
+	if (ctx->nft->flags & NFT_CTX_OUTPUT_ECHO) {
 		err = cache_update(ctx->nft, CMD_INVALID, ctx->msgs);
 		if (err < 0)
 			return err;
diff --git a/src/monitor.c b/src/monitor.c
index 14ccbc5fe04c..5658de50a6f4 100644
--- a/src/monitor.c
+++ b/src/monitor.c
@@ -905,7 +905,7 @@ int netlink_echo_callback(const struct nlmsghdr *nlh, void *data)
 		.cache_needed = true,
 	};
 
-	if (!echo_monh.ctx->nft->output.echo)
+	if (!(echo_monh.ctx->nft->output.flags & NFT_CTX_OUTPUT_ECHO))
 		return MNL_CB_OK;
 
 	return netlink_events_cb(nlh, &echo_monh);
diff --git a/src/rule.c b/src/rule.c
index 2bc055cc95a8..8ccaec8391c8 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1388,7 +1388,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
 {
 	uint32_t flags = excl ? NLM_F_EXCL : 0;
 
-	if (ctx->nft->output.echo) {
+	if (ctx->nft->output.flags & NFT_CTX_OUTPUT_ECHO) {
 		int ret;
 
 		ret = cache_update(ctx->nft, cmd->obj, ctx->msgs);
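Review bot: The new check in mnl_nft_rule_replace() reads `ctx->nft->flags & NFT_CTX_OUTPUT_ECHO`, while the monitor.c hunk and both rule.c hunks read `ctx->nft->output.flags & NFT_CTX_OUTPUT_ECHO` and the main.c hunk ORs the bit into output_flags, so this one hunk tests a different member from everything else. If struct nft_ctx has its own flags member for context-level flags (as the name suggests), this compiles silently and the cache refresh before a replace never runs when echo is enabled, so the echoed replacement would be printed from a stale cache or not at all; if it has no such member, the hunk does not build. The line should be `if (ctx->nft->output.flags & NFT_CTX_OUTPUT_ECHO) {`, matching the other call sites. mnl_nft_rule_replace's body continues outside the hunk.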
@@ -1439,7 +1439,7 @@ static int do_command_insert(struct netlink_ctx *ctx, struct cmd *cmd)
 {
 	uint32_t flags = 0;
 
-	if (ctx->nft->output.echo) {
+	if (ctx->nft->output.flags & NFT_CTX_OUTPUT_ECHO) {
 		int ret;
 
 		ret = cache_update(ctx->nft, cmd->obj, ctx->msgs);
-- 
2.11.0