By default base chains are printed using default hook priority definitions. Add -y option to print them as numbers.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 doc/libnftables.adoc | 3 +++
 doc/nft.txt | 4 ++++
 include/nftables.h | 5 +++++
 include/nftables/libnftables.h | 1 +
 src/main.c | 11 ++++++++++-
 src/rule.c | 11 ++++++-----
 6 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index dc3299f037df..788194396db1 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -92,6 +92,7 @@ enum {
 NFT_CTX_OUTPUT_ECHO = (1 << 5),
 NFT_CTX_OUTPUT_GUID = (1 << 6),
 NFT_CTX_OUTPUT_NUMERIC_PROTO = (1 << 7),
+ NFT_CTX_OUTPUT_NUMERIC_PRIO = (1 << 8),
 };
 ----
@@ -122,6 +123,8 @@ The *nft_ctx_output_get_flags*() function returns the output flags setting's val
 The *nft_ctx_output_set_flags*() function sets the output flags setting in 'ctx' to the value of 'val'.
 NFT_CTX_OUTPUT_NUMERIC_PROTO::
 Display layer 4 protocol numerically.
+NFT_CTX_OUTPUT_NUMERIC_PRIO::
+ Display base chain priority numerically.
 === nft_ctx_output_get_numeric() and nft_ctx_output_set_numeric()
 These functions allow control over value representation in library output.
diff --git a/doc/nft.txt b/doc/nft.txt
index 4ef8c5b3506f..5ee06f16f642 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -60,6 +60,10 @@ For a full summary of options, run *nft --help*.
 *--numeric-protocol**::
 Display layer 4 protocol numerically.
+*-y*::
+*--numeric-priority**::
+ Display base chain priority numerically.
+
 *-c*::
 *--check*::
 Check commands validity without actually applying the changes.
diff --git a/include/nftables.h b/include/nftables.h
index 8f483bf84ff6..1b31da034254 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -82,6 +82,11 @@ static inline bool nft_output_numeric_proto(const struct output_ctx *octx)
 return octx->flags & NFT_CTX_OUTPUT_NUMERIC_PROTO;
 }
+static inline bool nft_output_numeric_priority(const struct output_ctx *octx)
+{
+ return octx->flags & NFT_CTX_OUTPUT_NUMERIC_PRIO;
+}
+
 struct nft_cache {
 uint16_t genid;
 struct list_head list;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 74f2dabbd1d5..fb81edc0df07 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -53,6 +53,7 @@ enum {
 NFT_CTX_OUTPUT_ECHO = (1 << 5),
 NFT_CTX_OUTPUT_GUID = (1 << 6),
 NFT_CTX_OUTPUT_NUMERIC_PROTO = (1 << 7),
+ NFT_CTX_OUTPUT_NUMERIC_PRIO = (1 << 8),
 };
 unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);
diff --git a/src/main.c b/src/main.c
index 70bde253495e..2aec3458f956 100644
--- a/src/main.c
+++ b/src/main.c
@@ -41,10 +41,11 @@ enum opt_vals {
 OPT_ECHO = 'e',
 OPT_GUID = 'u',
 OPT_NUMERIC_PROTO = 'p',
+ OPT_NUMERIC_PRIO = 'y',
 OPT_INVALID = '?',
 };
-#define OPTSTRING "hvcf:iI:jvnsNaeSup"
+#define OPTSTRING "hvcf:iI:jvnsNaeSupy"
 static const struct option options[] = {
 {
@@ -115,6 +116,10 @@ static const struct option options[] = {
 .val = OPT_NUMERIC_PROTO,
 },
 {
+ .name = "numeric-priority",
+ .val = OPT_NUMERIC_PRIO,
+ },
+ {
 .name = NULL
 }
 };
@@ -141,6 +146,7 @@ static void show_help(const char *name)
 " -N Translate IP addresses to names.\n"
 " -S, --service Translate ports to service names as described in /etc/services.\n"
 " -p, --numeric-protocol Print layer 4 protocols numerically.\n"
+" -y, --numeric-priority Print chain priority numerically.\n"
 " -a, --handle Output rule handle.\n"
 " -e, --echo Echo what has been added, inserted or replaced.\n"
 " -I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: %s\n"
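Review bot: In `nft_output_numeric_priority()` (include/nftables.h) the masked value `octx->flags & NFT_CTX_OUTPUT_NUMERIC_PRIO` is returned as `bool` without being normalised, and `NFT_CTX_OUTPUT_NUMERIC_PRIO` is the first output flag above bit 7 (`1 << 8`). The result is only correct if `bool` is C99 `_Bool` and `output_ctx.flags` is wider than eight bits; neither declaration is visible in this hunk, so both are worth confirming. Writing `return (octx->flags & NFT_CTX_OUTPUT_NUMERIC_PRIO) != 0;` removes the dependency on the first assumption; the width of the flags field still has to be checked at its declaration.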
@@ -294,6 +300,9 @@ int main(int argc, char * const *argv)
 case OPT_NUMERIC_PROTO:
 output_flags |= NFT_CTX_OUTPUT_NUMERIC_PROTO;
 break;
+ case OPT_NUMERIC_PRIO:
+ output_flags |= NFT_CTX_OUTPUT_NUMERIC_PRIO;
+ break;
 case OPT_INVALID:
 exit(EXIT_FAILURE);
 }
diff --git a/src/rule.c b/src/rule.c
index 33cbf0e2e9bb..e0082c1f5a93 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -946,7 +946,8 @@ int std_prio_lookup(const char *std_prio_name, int family, int hook)
 return NF_IP_PRI_LAST;
 }
-static const char *prio2str(char *buf, size_t bufsize, int family, int hook,
+static const char *prio2str(const struct output_ctx *octx,
+ char *buf, size_t bufsize, int family, int hook,
 int prio, int numeric)
 {
 const struct prio_tag *prio_arr;
@@ -963,7 +964,7 @@ static const char *prio2str(char *buf, size_t bufsize, int family, int hook,
 arr_size = array_size(std_prios);
 }
- if (numeric != NFT_NUMERIC_ALL) {
+ if (!nft_output_numeric_priority(octx)) {
 for (i = 0; i < arr_size; ++i) {
 std_prio = prio_arr[i].val;
 std_prio_str = prio_arr[i].str;
@@ -1004,7 +1005,7 @@ static void chain_print_declaration(const struct chain *chain,
 if (chain->dev != NULL)
 nft_print(octx, " device %s", chain->dev);
 nft_print(octx, " priority %s; policy %s;\n",
- prio2str(priobuf, sizeof(priobuf),
+ prio2str(octx, priobuf, sizeof(priobuf),
 chain->handle.family, chain->hooknum,
 chain->priority.num, octx->numeric),
 chain_policy2str(chain->policy));
@@ -1035,7 +1036,7 @@ void chain_print_plain(const struct chain *chain, struct output_ctx *octx)
 if (chain->flags & CHAIN_F_BASECHAIN) {
 nft_print(octx, " { type %s hook %s priority %s; policy %s; }",
 chain->type, chain->hookstr,
- prio2str(priobuf, sizeof(priobuf),
+ prio2str(octx, priobuf, sizeof(priobuf),
 chain->handle.family, chain->hooknum,
 chain->priority.num, octx->numeric),
 chain_policy2str(chain->policy));
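Review bot: `prio2str()` in src/rule.c keeps its `int numeric` parameter, and the callers in the `chain_print_declaration` and `chain_print_plain` hunks (plus `flowtable_print_declaration` in the last hunk) still pass `octx->numeric`, although the only use of it visible here, `numeric != NFT_NUMERIC_ALL`, is replaced by `!nft_output_numeric_priority(octx)`. The rest of the function body lies outside these hunks, so confirm nothing else reads it; if nothing does, drop the parameter so the signature ends with `int prio)` and the calls end with `chain->priority.num),`. Separately, output produced at `NFT_NUMERIC_ALL` now prints symbolic priority names unless `-y` is also given, which changes what existing ruleset dumps and the tools that parse or compare them will see; the doc hunks do not mention this.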
@@ -1950,7 +1951,7 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
 nft_print(octx, "%s%shook %s priority %s%s",
 opts->tab, opts->tab,
 hooknum2str(NFPROTO_NETDEV, flowtable->hooknum),
- prio2str(priobuf, sizeof(priobuf), NFPROTO_NETDEV,
+ prio2str(octx, priobuf, sizeof(priobuf), NFPROTO_NETDEV,
 flowtable->hooknum, flowtable->priority.num, octx->numeric),
 opts->stmt_separator);
--
2.11.0