Note that the corresponding API for output flags does not expose the plain numeric flags. Instead, it exposes the underlying, flag-based C API more directly.

Reasons:

- a flags property has the benefit that adding new flags is very light weight. Otherwise, every addition of a flag requires new API. That new API increases the documentation and what the user needs to understand. With a flag API, we just need new documentation for what the new flag is. It's already clear how to use it.

- opinionated, also the usage of "many getter/setter API" does not have better usability. It's convenient when we can do similar things (setting a boolean flag) depending on an argument of a function, instead of having different functions. Compare

    ctx.set_reversedns_output(True)
    ctx.set_handle_output(True)

  with

    ctx.output_set_flags(NFT_CTX_OUTPUT_REVERSEDNS | NFT_CTX_OUTPUT_HANDLE)

  Note that the vast majority of users of this API will just create one nft_ctx instance and set the flags once. Each user application probably has only one place where they call the setter once. So while I think flags have better usability, it doesn't matter much either way.

- if individual properties are preferable over flags, then the C API should also do that. In other words, the Python API should be similar to the underlying C API.

- I don't understand how to do this best. Is Nftables.output_flags public API? It appears to be, as it has no underscore. Why does this additional mapping from function (get_reversedns_output()) to name ("reversedns") to number (1<<0) exist?

Downside is the inconsistency with the existing output flags API.

Signed-off-by: Thomas Haller <thaller@xxxxxxxxxx>
---
This is probably a controversial approach :)

 py/nftables.py | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/py/nftables.py b/py/nftables.py
index b9fa63bb8789..795700db45ef 100644
--- a/py/nftables.py
+++ b/py/nftables.py
@@ -21,6 +21,16 @@ import os NFTABLES_VERSION = "0.1" +"""Prevent blocking DNS lookups for IP addresses. + +By default, nftables will try to resolve IP addresses with blocking getaddrinfo() API. +By setting this flag, only literal IP adddresses are supported in input. + +This numeric flag can be passed to Nftables.input_get_flags() and Nftables.input_set_flags(). +""" +NFT_CTX_INPUT_NO_DNS = 1 + + class SchemaValidator: """Libnftables JSON validator using jsonschema""" @@ -159,6 +169,27 @@ class Nftables: def __del__(self): self.nft_ctx_free(self.__ctx) + def input_get_flags(self): + """Query input flags for the nft context. + + See input_get_flags() for supported flags. + + Returns the currently set input flags as number. + """ + return self.nft_ctx_input_get_flags(self.__ctx) + + def input_set_flags(self, flags): + """Set input flags for the nft context as number. + + By default, a new context objects has no flags set. + + Supported flags are NFT_CTX_INPUT_NO_DNS (0x1) to disable blocking address + lookup via getaddrinfo. + + Returns nothing. + """ + self.nft_ctx_input_set_flags(self.__ctx, flags) + def __get_output_flag(self, name): flag = self.output_flags[name] return self.nft_ctx_output_get_flags(self.__ctx) & flag -- 2.41.0
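Review bot: in the first hunk, the triple-quoted string placed before `NFT_CTX_INPUT_NO_DNS = 1` is not attached to anything; a bare string literal that is not the module's first statement is just an evaluated-and-discarded expression, and the attribute-docstring convention that documentation tools recognise puts the string after the assignment, not before it. Either move it below the constant or turn it into a `#` comment block. While touching it: "adddresses" is misspelled, and "can be passed to Nftables.input_get_flags() and Nftables.input_set_flags()" is inaccurate, since input_get_flags() takes no argument; the value is returned by input_get_flags() and passed to input_set_flags().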
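Review bot: in the second hunk, input_get_flags()'s docstring says "See input_get_flags() for supported flags", which points at itself; it should reference input_set_flags(), where the flags are actually listed, and "a new context objects has no flags set" should read "a new context object has no flags set". More importantly, both methods call self.nft_ctx_input_get_flags and self.nft_ctx_input_set_flags, but the patch shows nowhere that those names are bound to the libnftables symbols, and the diffstat (31 insertions, all accounted for by these two hunks) says no __init__ change is included. Unless __init__ already binds them the way it must for the nft_ctx_output_get_flags used in __get_output_flag() below, both new methods fail with AttributeError on first call; please add the bindings (with restype/argtypes) in this patch or note the dependency on an earlier one.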
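An added example, not code from this patch or from the nftables python binding. It shows two things the discussion above leaves implicit: how a numeric flag word like the one input_get_flags()/input_set_flags() expose is read-modify-written so that enabling one flag does not clobber others, and what NFT_CTX_INPUT_NO_DNS gates on the input side. FakeCtx, enable_input_flag(), disable_input_flag() and resolve_address() are all assumptions made for the example: FakeCtx merely holds a flag word in place of a real Nftables context, and the address handling is a model of the documented behaviour (literal addresses always parse; anything else only goes to the blocking getaddrinfo() when the flag is clear), not libnftables' own parser.

```python
import ipaddress
import socket

# Value from the patch: bit 0 of the nft_ctx input flags.
NFT_CTX_INPUT_NO_DNS = 1


class FakeCtx:
    """Stand-in for Nftables (assumption for this example): it only stores
    the input flag word, mirroring the numeric get/set API of the patch."""

    def __init__(self):
        self._input_flags = 0          # new contexts start with no flags set

    def input_get_flags(self):
        return self._input_flags

    def input_set_flags(self, flags):
        self._input_flags = flags


def enable_input_flag(ctx, flag):
    """Read-modify-write so other flags already set are preserved."""
    ctx.input_set_flags(ctx.input_get_flags() | flag)


def disable_input_flag(ctx, flag):
    """Clear one flag, again without touching the others."""
    ctx.input_set_flags(ctx.input_get_flags() & ~flag)


def resolve_address(ctx, text):
    """Model of what NO_DNS gates (assumption, not libnftables' parser).

    Literal IPv4/IPv6 addresses and prefixes parse locally and never
    block.  Anything else is a hostname: with NFT_CTX_INPUT_NO_DNS set it
    is rejected outright; otherwise it is handed to getaddrinfo(), which
    may block on the network.  Returns a list of network strings.
    """
    try:
        # strict=False lets "192.0.2.1" and "10.0.0.0/8" both parse.
        return [str(ipaddress.ip_network(text, strict=False))]
    except ValueError:
        pass  # not a literal; decide below whether DNS is allowed

    if ctx.input_get_flags() & NFT_CTX_INPUT_NO_DNS:
        raise ValueError(
            f"{text!r}: only literal IP addresses are accepted while "
            "NFT_CTX_INPUT_NO_DNS is set")

    # Blocking lookup; only reached when the caller has not opted out.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(text, None)})


if __name__ == "__main__":
    ctx = FakeCtx()
    enable_input_flag(ctx, NFT_CTX_INPUT_NO_DNS)
    print(resolve_address(ctx, "192.0.2.0/24"))
    try:
        resolve_address(ctx, "example.invalid")
    except ValueError as exc:
        print("rejected:", exc)
```

Setting the flag before feeding untrusted or externally supplied rule text is the point: a hostname in a rule then fails fast instead of turning rule loading into a network round-trip that can hang the caller.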