Add NFT_CTX_OUTPUT_HANDLE flag and print handle that uniquely identify objects from new output flags interface.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
v2: Add nft_output_handle() Fix missing conversion to use NFT_CTX_OUTPUT_HANDLE. Remove handle field from struct output_ctx.
doc/libnftables.adoc | 17 +++--------------
include/nftables.h | 6 +++++-
include/nftables/libnftables.h | 3 +--
src/libnftables.c | 10 ----------
src/main.c | 2 +-
src/monitor.c | 2 +-
src/rule.c | 22 +++++++++++-----------
7 files changed, 22 insertions(+), 40 deletions(-)
diff --git a/doc/libnftables.adoc
index c837c2d251bc..8b7aee9af134 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -28,9 +28,6 @@ void nft_ctx_output_set_numeric(struct nft_ctx* '\*ctx'*,
 unsigned int nft_ctx_output_get_debug(struct nft_ctx* '\*ctx'*);
 void nft_ctx_output_set_debug(struct nft_ctx* '\*ctx'*, unsigned int* 'mask'*);
-bool nft_ctx_output_get_handle(struct nft_ctx* '\*ctx'*);
-void nft_ctx_output_set_handle(struct nft_ctx* '\*ctx'*, bool* 'val'*);
-
 bool nft_ctx_output_get_echo(struct nft_ctx* '\*ctx'*);
 void nft_ctx_output_set_echo(struct nft_ctx* '\*ctx'*, bool* 'val'*);
@@ -96,6 +93,7 @@ enum {
 NFT_CTX_OUTPUT_REVERSEDNS = (1 << 0),
 NFT_CTX_OUTPUT_SERVICE = (1 << 1),
 NFT_CTX_OUTPUT_STATELESS = (1 << 2),
+ NFT_CTX_OUTPUT_HANDLE = (1 << 3),
 };
 ----
@@ -105,6 +103,8 @@ NFT_CTX_OUTPUT_SERVICE::
 Print port numbers as services as described in the /etc/services file.
 NFT_CTX_OUTPUT_STATELESS::
 If stateless output has been requested then stateful data is not printed. Stateful data refers to those objects that carry run-time data, eg. the *counter* statement holds packet and byte counter values, making it stateful.
+NFT_CTX_OUTPUT_HANDLE::
+ Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes. For example, when deleting a table or chain, it may be identified either by name or handle. Rules on the other hand must be deleted by handle because there is no other way to uniquely identify them. These functions allow to control whether ruleset listings should include handles or not.
 The *nft_ctx_output_get_flags*() function returns the output flags setting's value in 'ctx'.
@@ -177,17 +177,6 @@ The *nft_ctx_output_get_debug*() function returns the debug output setting's val
 The *nft_ctx_output_set_debug*() function sets the debug output setting in 'ctx' to the value of 'mask'.
-=== nft_ctx_output_get_handle() and nft_ctx_output_set_handle()
-Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes.
-For example, when deleting a table or chain, it may be identified either by name or handle.
-Rules on the other hand must be deleted by handle because there is no other way to uniquely identify them.
-These functions allow to control whether ruleset listings should include handles or not.
-The default setting is *false*.
-
-The *nft_ctx_output_get_handle*() function returns the handle output setting's value in 'ctx'.
-
-The *nft_ctx_output_set_handle*() function sets the handle output setting in 'ctx' to the value of 'val'.
-
 === nft_ctx_output_get_echo() and nft_ctx_output_set_echo()
 The echo setting makes libnftables print the changes once they are committed to the kernel, just like a running instance of *nft monitor* would.
 Amongst other things, this allows to retrieve an added rule's handle atomically.
diff --git a/include/nftables.h
index cb36e06633e9..e0e7a1135406 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -18,7 +18,6 @@ struct cookie {
 struct output_ctx {
 unsigned int flags;
 unsigned int numeric;
- unsigned int handle;
 unsigned int echo;
 unsigned int json;
 union {
@@ -46,6 +45,11 @@ static inline bool nft_output_stateless(const struct output_ctx *octx)
 return octx->flags & NFT_CTX_OUTPUT_STATELESS;
 }
+static inline bool nft_output_handle(const struct output_ctx *octx)
+{
+ return octx->flags & NFT_CTX_OUTPUT_HANDLE;
+}
+
 struct nft_cache {
 uint16_t genid;
 struct list_head list;
diff --git a/include/nftables/libnftables.h
index 4f1c10901b1b..a6ce938305c3 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -48,6 +48,7 @@ enum {
 NFT_CTX_OUTPUT_REVERSEDNS = (1 << 0),
 NFT_CTX_OUTPUT_SERVICE = (1 << 1),
 NFT_CTX_OUTPUT_STATELESS = (1 << 2),
+ NFT_CTX_OUTPUT_HANDLE = (1 << 3),
 };
 unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);
@@ -57,8 +58,6 @@ enum nft_numeric_level nft_ctx_output_get_numeric(struct nft_ctx *ctx);
 void nft_ctx_output_set_numeric(struct nft_ctx *ctx, enum nft_numeric_level level);
 unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx);
 void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask);
-bool nft_ctx_output_get_handle(struct nft_ctx *ctx);
-void nft_ctx_output_set_handle(struct nft_ctx *ctx, bool val);
 bool nft_ctx_output_get_echo(struct nft_ctx *ctx);
 void nft_ctx_output_set_echo(struct nft_ctx *ctx, bool val);
 bool nft_ctx_output_get_json(struct nft_ctx *ctx);
diff --git a/src/libnftables.c
index 35e755e9cc9d..6dc1be3d5ef8 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -342,16 +342,6 @@ void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask)
 ctx->debug_mask = mask;
 }
-bool nft_ctx_output_get_handle(struct nft_ctx *ctx)
-{
- return ctx->output.handle;
-}
-
-void nft_ctx_output_set_handle(struct nft_ctx *ctx, bool val)
-{
- ctx->output.handle = val;
-}
-
 bool nft_ctx_output_get_echo(struct nft_ctx *ctx)
 {
 return ctx->output.echo;
diff --git a/src/main.c
index 8bf748a12f73..97b8746608a7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -265,7 +265,7 @@ int main(int argc, char * const *argv)
 nft_ctx_output_set_debug(nft, debug_mask);
 break;
 case OPT_HANDLE_OUTPUT:
- nft_ctx_output_set_handle(nft, true);
+ output_flags |= NFT_CTX_OUTPUT_HANDLE;
 break;
 case OPT_ECHO:
 nft_ctx_output_set_echo(nft, true);
diff --git a/src/monitor.c
index 88a61de4ed9f..9e3c43dcac68 100644
--- a/src/monitor.c
+++ b/src/monitor.c
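Review bot: The libnftables.c hunk deletes `nft_ctx_output_get_handle()` and `nft_ctx_output_set_handle()` outright, and the libnftables.h hunk drops their prototypes, so any program already linked against these two exported symbols fails to load and any source still calling them fails to compile; whether that matters depends on whether this library version has shipped, which the patch does not say. Unless the API is still unreleased, keep both as thin compatibility wrappers over the new flag (below) and mark the prototypes deprecated in the header, so the flag becomes the primary interface without breaking existing callers. The wrappers assume libnftables.c can see `nft_output_handle()` from include/nftables.h, which the surviving `ctx->output.echo` accessor in the same hunk suggests it can.
```c
/* Compatibility wrappers: NFT_CTX_OUTPUT_HANDLE is the primary interface now. */
bool nft_ctx_output_get_handle(struct nft_ctx *ctx)
{
	return nft_output_handle(&ctx->output);
}

void nft_ctx_output_set_handle(struct nft_ctx *ctx, bool val)
{
	if (val)
		ctx->output.flags |= NFT_CTX_OUTPUT_HANDLE;
	else
		ctx->output.flags &= ~NFT_CTX_OUTPUT_HANDLE;
}
```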
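Review bot: The main.c hunk turns `--handle` into `output_flags |= NFT_CTX_OUTPUT_HANDLE;`, a deferred bit in a local, while the neighbouring `OPT_ECHO` case still applies its setting to `nft` immediately; the option now only takes effect if `output_flags` is later handed to nft_ctx_output_set_flags(), and that call lies outside the hunk, so please confirm it runs after the option loop on every path, otherwise `--handle` silently becomes a no-op. A one-line comment on the case, `/* applied via nft_ctx_output_set_flags() once option parsing is done */`, would make the deferral obvious to the next reader. main() starts and ends outside the hunk.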
@@ -214,7 +214,7 @@ static int netlink_events_table_cb(const struct nlmsghdr *nlh, int type,
 nft_mon_print(monh, "%s %s", family2str(t->handle.family), t->handle.table.name);
- if (monh->ctx->nft->output.handle > 0)
+ if (nft_output_handle(&monh->ctx->nft->output))
 nft_mon_print(monh, " # handle %" PRIu64 "", t->handle.handle.id);
 break;
diff --git a/src/rule.c
index 35c60de4a8db..da1bdc44ab69 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -412,7 +412,7 @@ static void set_print_declaration(const struct set *set,
 nft_print(octx, " %s {", set->handle.set.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, set->handle.handle.id);
 nft_print(octx, "%s", opts->nl);
 nft_print(octx, "%s%stype %s",
@@ -567,7 +567,7 @@ void rule_print(const struct rule *rule, struct output_ctx *octx)
 if (rule->comment)
 nft_print(octx, " comment \"%s\"", rule->comment);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, rule->handle.handle.id);
 }
@@ -995,7 +995,7 @@ static void chain_print_declaration(const struct chain *chain,
 char priobuf[STD_PRIO_BUFSIZE];
 nft_print(octx, "\tchain %s {", chain->handle.chain.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, chain->handle.handle.id);
 nft_print(octx, "\n");
 if (chain->flags & CHAIN_F_BASECHAIN) {
@@ -1040,7 +1040,7 @@ void chain_print_plain(const struct chain *chain, struct output_ctx *octx)
 chain->priority.num, octx->numeric), chain_policy2str(chain->policy));
 }
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, chain->handle.handle.id);
 }
@@ -1137,7 +1137,7 @@ static void table_print(const struct table *table, struct output_ctx *octx)
 const char *family = family2str(table->handle.family);
 nft_print(octx, "table %s %s {", family, table->handle.table.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, table->handle.handle.id);
 nft_print(octx, "\n");
 table_print_options(table, &delim, octx);
@@ -1680,7 +1680,7 @@ static void obj_print_data(const struct obj *obj,
 switch (obj->type) {
 case NFT_OBJECT_COUNTER:
 nft_print(octx, " %s {", obj->handle.obj.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 if (nft_output_stateless(octx)) {
@@ -1695,7 +1695,7 @@ static void obj_print_data(const struct obj *obj,
 uint64_t bytes;
 nft_print(octx, " %s {", obj->handle.obj.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 data_unit = get_rate(obj->quota.bytes, &bytes);
@@ -1712,14 +1712,14 @@ static void obj_print_data(const struct obj *obj,
 break;
 case NFT_OBJECT_SECMARK:
 nft_print(octx, " %s {", obj->handle.obj.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 nft_print(octx, "%s", obj->secmark.ctx);
 break;
 case NFT_OBJECT_CT_HELPER:
 nft_print(octx, " %s {", obj->handle.obj.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 nft_print(octx, "%s", opts->nl);
 nft_print(octx, "%s%stype \"%s\" protocol ",
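Review bot: In obj_print_data every case visible in these hunks (COUNTER, the quota case, SECMARK, CT_HELPER) opens with the identical pair `nft_print(octx, " %s {", obj->handle.obj.name);` and `if (nft_output_handle(octx)) nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);`, so this conversion had to be repeated per case and the next change to the handle format will have to be as well. If the cases outside the hunks open the same way, both lines can be hoisted above `switch (obj->type)`, and since table_print, set_print_declaration, chain_print_declaration and rule_print emit the same test-and-print, a small helper taking the handle (sketched below, assuming `obj->handle` is the same handle type those callers carry) would leave one place that knows about the flag and the ` # handle` format. obj_print_data starts before and ends after these hunks, so I cannot confirm from here that every case shares the prefix.
```c
/* Emit the " # handle N" suffix when handle output was requested. */
static void handle_print(const struct handle *h, struct output_ctx *octx)
{
	if (nft_output_handle(octx))
		nft_print(octx, " # handle %" PRIu64, h->handle.id);
}

/* … unchanged: obj_print_data prologue … */
	nft_print(octx, " %s {", obj->handle.obj.name);
	handle_print(&obj->handle, octx);
	switch (obj->type) {
	case NFT_OBJECT_COUNTER:
		/* … unchanged: per-type body, without the repeated prefix … */
```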
@@ -1733,7 +1733,7 @@ static void obj_print_data(const struct obj *obj,
 break;
 case NFT_OBJECT_CT_TIMEOUT:
 nft_print(octx, " %s {", obj->handle.obj.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 nft_print(octx, "%s", opts->nl);
 nft_print(octx, "%s%sprotocol ", opts->tab, opts->tab);
@@ -1752,7 +1752,7 @@ static void obj_print_data(const struct obj *obj,
 uint64_t rate;
 nft_print(octx, " %s {", obj->handle.obj.name);
- if (octx->handle > 0)
+ if (nft_output_handle(octx))
 nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 switch (obj->limit.type) {
--
2.11.0