Message ID | 20171223194525.6058-1-harshasharmaiitr@gmail.com |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Series | src: print 'handle' attribute in tables | expand |
Hello, Le 23/12/2017 à 20:45, Harsha Sharma a écrit : > Print 'handle' attribute in tables, when listing via '-a' option > > For eg. > nft list ruleset -a > > table ip test-ip4 { > chain input { > ip saddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 > } > # handle 1} [...] > diff --git a/src/rule.c b/src/rule.c > index bb9add0..e875816 100644 > --- a/src/rule.c > +++ b/src/rule.c > @@ -820,6 +820,8 @@ static void table_print(const struct table *table, struct output_ctx *octx) > chain_print(chain, octx); > delim = "\n"; > } > + if (octx->handle > 0) > + nft_print(octx, " # handle %" PRIu64, table->handle.handle.id); > nft_print(octx, "}\n"); > } > > I'm wondering if it wouldn't be easier (for something parsing "nft list ruleset -a" 's output) to have the " # handle ..." after the closing brace instead of before. It makes sense to consider "#" as a start of comment until end of line, and in such case the last "}" would be in the comment and missing (for something choosing to ignore all such "comments"). So the example would become instead: nft list ruleset -a table ip test-ip4 { chain input { ip saddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 } } # handle 1 What do you think? regards, Adel Belhouane. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sun, Dec 24, 2017 at 8:07 PM, Adel Belhouane <bugs.a.b@free.fr> wrote: > Hello, > > Le 23/12/2017 à 20:45, Harsha Sharma a écrit : >> Print 'handle' attribute in tables, when listing via '-a' option >> >> For eg. >> nft list ruleset -a >> >> table ip test-ip4 { >> chain input { >> ip saddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 >> } >> # handle 1} > > [...] > >> diff --git a/src/rule.c b/src/rule.c >> index bb9add0..e875816 100644 >> --- a/src/rule.c >> +++ b/src/rule.c >> @@ -820,6 +820,8 @@ static void table_print(const struct table *table, struct output_ctx *octx) >> chain_print(chain, octx); >> delim = "\n"; >> } >> + if (octx->handle > 0) >> + nft_print(octx, " # handle %" PRIu64, table->handle.handle.id); >> nft_print(octx, "}\n"); >> } >> >> > > I'm wonderning if it wouldn't be easier (for something parsing "nft list ruleset -a" 's output) to have the " # handle ..." after the closing brace instead of before. It makes sence to consider "#" as a start of comment until end of line, and in such case the last "}" would be in the comment and missing (for something choosing to ignore all such "comments"). > > So the example would become instead: > > nft list ruleset -a > > table ip test-ip4 { > chain input { > ip saddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 > } > } # handle 1 > > What do you think? > Yes. Makes sense to me. Thanks. > regards, > Adel Belhouane. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index f328944..6db9130 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -160,12 +160,14 @@ enum nft_table_flags {
 * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
 * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
 * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
+ * @NFTA_TABLE_HANDLE: numeric handle of the table (NLA_U64)
 */
 enum nft_table_attributes {
 NFTA_TABLE_UNSPEC,
 NFTA_TABLE_NAME,
 NFTA_TABLE_FLAGS,
 NFTA_TABLE_USE,
+ NFTA_TABLE_HANDLE,
 __NFTA_TABLE_MAX
 };
 #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
@@ -1307,6 +1309,7 @@ enum nft_object_attributes {
 *
 * @NFTA_TRACE_TABLE: name of the table (NLA_STRING)
 * @NFTA_TRACE_CHAIN: name of the chain (NLA_STRING)
+ * @NFTA_TRACE_TABLE_HANDLE: numeric handle of the table (NLA_U64)
 * @NFTA_TRACE_RULE_HANDLE: numeric handle of the rule (NLA_U64)
 * @NFTA_TRACE_TYPE: type of the event (NLA_U32: nft_trace_types)
 * @NFTA_TRACE_VERDICT: verdict returned by hook (NLA_NESTED: nft_verdicts)
@@ -1326,6 +1329,7 @@ enum nft_trace_attributes {
 NFTA_TRACE_UNSPEC,
 NFTA_TRACE_TABLE,
 NFTA_TRACE_CHAIN,
+ NFTA_TRACE_TABLE_HANDLE,
 NFTA_TRACE_RULE_HANDLE,
 NFTA_TRACE_TYPE,
 NFTA_TRACE_VERDICT,
diff --git a/src/netlink.c b/src/netlink.c
index 8653ae6..59d7096 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -123,6 +123,8 @@ struct nftnl_table *alloc_nftnl_table(const struct handle *h)
 nftnl_table_set_u32(nlt, NFTNL_TABLE_FAMILY, h->family);
 if (h->table != NULL)
 nftnl_table_set(nlt, NFTNL_TABLE_NAME, h->table);
+ if (h->handle.id)
+ nftnl_table_set_u64(nlt, NFTNL_TABLE_HANDLE, h->handle.id);
 return nlt;
 }
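Review bot: The `+ NFTA_TRACE_TABLE_HANDLE,` line in the @@ -1326 hunk is inserted in the middle of enum nft_trace_attributes, between NFTA_TRACE_CHAIN and NFTA_TRACE_RULE_HANDLE, so every later constant (NFTA_TRACE_RULE_HANDLE, NFTA_TRACE_TYPE, NFTA_TRACE_VERDICT and the rest) changes value in this userspace copy of the kernel's UAPI header. Unless a matching kernel change defines the attribute at exactly that position, trace messages from the kernel would presumably be decoded against shifted attribute numbers; UAPI enums only grow at the end, so a new value belongs immediately before `__NFTA_TRACE_MAX`, which lies outside this hunk. Nothing in the src/netlink.c or src/rule.c hunks of this series uses NFTA_TRACE_TABLE_HANDLE, so the simpler fix is to drop both the enum entry and its doc line in the @@ -1307 hunk. The table attribute added in the @@ -160 hunk sits right before `__NFTA_TABLE_MAX` and is fine.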
@@ -137,7 +139,7 @@ struct nftnl_chain *alloc_nftnl_chain(const struct handle *h)
 nftnl_chain_set_u32(nlc, NFTNL_CHAIN_FAMILY, h->family);
 nftnl_chain_set_str(nlc, NFTNL_CHAIN_TABLE, h->table);
- if (h->handle.id != 0)
+ if (h->handle.id)
 nftnl_chain_set_u64(nlc, NFTNL_CHAIN_HANDLE, h->handle.id);
 if (h->chain != NULL)
 nftnl_chain_set_str(nlc, NFTNL_CHAIN_NAME, h->chain);
@@ -964,6 +966,7 @@ static struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
 table->handle.family = nftnl_table_get_u32(nlt, NFTNL_TABLE_FAMILY);
 table->handle.table = xstrdup(nftnl_table_get_str(nlt, NFTNL_TABLE_NAME));
 table->flags = nftnl_table_get_u32(nlt, NFTNL_TABLE_FLAGS);
+ table->handle.handle.id = nftnl_table_get_u64(nlt, NFTNL_TABLE_HANDLE);
 return table;
 }
@@ -992,6 +995,7 @@ int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h,
 return 0;
 }
+ ctx->data = h;
 nftnl_table_list_foreach(table_cache, list_table_cb, ctx);
 nftnl_table_list_free(table_cache);
 return 0;
diff --git a/src/rule.c b/src/rule.c
index bb9add0..e875816 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -820,6 +820,8 @@ static void table_print(const struct table *table, struct output_ctx *octx)
 chain_print(chain, octx);
 delim = "\n";
 }
+ if (octx->handle > 0)
+ nft_print(octx, " # handle %" PRIu64, table->handle.handle.id);
 nft_print(octx, "}\n");
 }
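Review bot: netlink_delinearize_table reads the attribute unconditionally at `+ table->handle.handle.id = nftnl_table_get_u64(nlt, NFTNL_TABLE_HANDLE);`, so against a kernel that does not send NFTA_TABLE_HANDLE the id is presumably left at 0 (assuming libnftnl returns 0 for an unset attribute — confirm for the version nftables requires), and the new `if (octx->handle > 0)` in table_print (the src/rule.c hunk) then prints `# handle 0` for every table. Guard the read with `if (nftnl_table_is_set(nlt, NFTNL_TABLE_HANDLE))` and, in table_print, print only when `table->handle.handle.id != 0`, or state in the commit message that the output requires a kernel exposing the table handle. The alloc_nftnl_table hunk in the same file already treats a zero id as "not set", so the same convention would apply on the read side.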
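Review bot: The added `+ ctx->data = h;` in netlink_list_tables has no reader in this hunk and is not mentioned in the commit message, which only describes printing the table handle. If list_table_cb is meant to consult the requested handle through ctx->data, say so in the commit message, and note that `h` is `const struct handle *`, so ctx->data must be const-qualified or the assignment discards a qualifier; if nothing reads it, drop the line. The rest of netlink_list_tables and list_table_cb lie outside the hunk, so this is inferred from the visible lines only.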
Print 'handle' attribute in tables, when listing via '-a' option For example: nft list ruleset -a table ip test-ip4 { chain input { ip saddr 8.8.8.8 counter packets 0 bytes 0 # handle 3 } # handle 1} table ip filter { chain output { tcp dport ssh counter packets 0 bytes 0 # handle 4 } # handle 2} table ip xyz { # handle 3} Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com> --- include/linux/netfilter/nf_tables.h | 4 ++++ src/netlink.c | 6 +++++- src/rule.c | 2 ++ 3 files changed, 11 insertions(+), 1 deletion(-)