@@ -99,8 +99,11 @@ NFT_CTX_OUTPUT_REVERSEDNS::
NFT_CTX_OUTPUT_SERVICE::
Print port numbers as services as described in the /etc/services file.
NFT_CTX_OUTPUT_STATELESS::
- If stateless output has been requested, then stateful data is not printed.
- Stateful data refers to those objects that carry run-time data, e.g. the *counter* statement holds packet and byte counter values, making it stateful.
+ If stateless output has been requested, then dynamic stateful data is not printed.
+ Dynamic stateful data refers to those objects that carry run-time data, e.g. the *counter* statement holds packet and byte counter values, making it stateful.
+NFT_CTX_OUTPUT_STATELESS_ALL::
+ If stateless output has been requested, then all stateful data is not printed.
+ Stateful data refers to dynamic stateful data described above and statically defined container objects like sets.
NFT_CTX_OUTPUT_HANDLE::
Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes.
For example, when deleting a table or chain, it may be identified either by name or handle.
@@ -37,8 +37,10 @@ For a full summary of options, run *nft --help*.
Print fully numerical output.
*-s*::
-*--stateless*::
- Omit stateful information of rules and stateful objects.
+*--stateless[=all]*::
+ Omit stateful information of rules and stateful objects. By default,
+ only sets defined as 'dynamic' are affected. Passing the 'all'
+ parameter causes all named sets to be affected.
*-N*::
*--reversedns*::
@@ -50,6 +50,11 @@ static inline bool nft_output_stateless(const struct output_ctx *octx)
return octx->flags & NFT_CTX_OUTPUT_STATELESS;
}
+static inline bool nft_output_stateless_all(const struct output_ctx *octx)
+{
+ return octx->flags & NFT_CTX_OUTPUT_STATELESS_ALL;
+}
+
static inline bool nft_output_handle(const struct output_ctx *octx)
{
return octx->flags & NFT_CTX_OUTPUT_HANDLE;
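Review bot: nft_output_stateless_all() can be true while nft_output_stateless() is false, because NFT_CTX_OUTPUT_STATELESS_ALL is an independent bit and only the nft CLI ORs both flags in; a libnftables caller that sets just NFT_CTX_OUTPUT_STATELESS_ALL would have set contents suppressed in do_set_print() but, presumably, counters and other run-time data still printed, which contradicts the libnftables.adoc wording that "all stateful data is not printed". Either let the base predicate cover both, `return octx->flags & (NFT_CTX_OUTPUT_STATELESS | NFT_CTX_OUTPUT_STATELESS_ALL);`, or state in the header that NFT_CTX_OUTPUT_STATELESS_ALL must be combined with NFT_CTX_OUTPUT_STATELESS. A one-line comment on the new helper saying which of the two it is would save the next reader from checking main.c.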
@@ -56,6 +56,7 @@ enum {
NFT_CTX_OUTPUT_NUMERIC_ALL = (NFT_CTX_OUTPUT_NUMERIC_PROTO |
NFT_CTX_OUTPUT_NUMERIC_PRIO |
NFT_CTX_OUTPUT_NUMERIC_SYMBOL),
+ NFT_CTX_OUTPUT_STATELESS_ALL = (1 << 11),
};
unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);
@@ -45,7 +45,7 @@ enum opt_vals {
OPT_NUMERIC_TIME = 't',
OPT_INVALID = '?',
};
-#define OPTSTRING "hvcf:iI:jvnsNaeSupypt"
+#define OPTSTRING "hvcf:iI:jvns::NaeSupypt"
static const struct option options[] = {
{
@@ -76,6 +76,7 @@ static const struct option options[] = {
{
.name = "stateless",
.val = OPT_STATELESS,
+ .has_arg = 2,
},
{
.name = "reversedns",
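Review bot: `.has_arg = 2` is a magic number for the optional-argument mode that `s::` in OPTSTRING already declares; the named constant `optional_argument` from &lt;getopt.h&gt; (which the file must already have in scope for `struct option`) says the same thing without the reader having to recall getopt's encoding. Change the line to `.has_arg = optional_argument,`. The options[] array continues outside the hunk.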
@@ -139,7 +140,7 @@ static void show_help(const char *name)
"\n"
" -j, --json Format output in JSON\n"
" -n, --numeric Print fully numerical output.\n"
-" -s, --stateless Omit stateful information of ruleset.\n"
+" -s, --stateless[=all] Omit stateful information of ruleset.\n"
" -u, --guid Print UID/GID as defined in /etc/passwd and /etc/group.\n"
" -N Translate IP addresses to names.\n"
" -S, --service Translate ports to service names as described in /etc/services.\n"
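Review bot: The new help line `-s, --stateless[=all]` reads as if the short option also accepts `=all`, but with `s::` in OPTSTRING GNU getopt only honours an optional argument when it is glued to the short option (`-sall`); `-s all` leaves `all` as the first non-option word, which is then presumably parsed as the start of the nft command. Spell the two forms out, e.g. `" -s[all], --stateless[=all] Omit stateful information of ruleset.\n"`, or at least mention the glued form in the man page. The show_help() body continues outside the hunk.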
@@ -238,7 +239,17 @@ int main(int argc, char * const *argv)
output_flags |= NFT_CTX_OUTPUT_NUMERIC_TIME;
break;
case OPT_STATELESS:
- output_flags |= NFT_CTX_OUTPUT_STATELESS;
+ if (!optarg)
+ output_flags |= NFT_CTX_OUTPUT_STATELESS;
+ else if (strcmp(optarg, "all") == 0) {
+ output_flags |= NFT_CTX_OUTPUT_STATELESS;
+ output_flags |= NFT_CTX_OUTPUT_STATELESS_ALL;
+ } else {
+ fprintf(stderr,
+ "invalid stateless parameter `%s'\n",
+ optarg);
+ exit(EXIT_FAILURE);
+ }
break;
case OPT_IP2NAME:
output_flags |= NFT_CTX_OUTPUT_REVERSEDNS;
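Review bot: The `if (!optarg)` branch is unbraced while the `else if` and `else` branches are braced, which is the mixed form most C style guides (including the kernel's, which nftables follows elsewhere) ask to avoid; brace all three. The two assignments in the `all` branch can also be one statement, `output_flags |= NFT_CTX_OUTPUT_STATELESS | NFT_CTX_OUTPUT_STATELESS_ALL;`. Note that an explicit empty value (`--stateless=`) arrives as `optarg == ""` and is rejected as an invalid parameter; if that is intended it is worth a short comment, otherwise treat an empty optarg like no argument. main() continues on both sides of the hunk.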
@@ -538,7 +538,8 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts,
{
set_print_declaration(set, opts, octx);
- if (set->flags & NFT_SET_EVAL && nft_output_stateless(octx)) {
+ if (nft_output_stateless_all(octx) ||
+ (set->flags & NFT_SET_EVAL && nft_output_stateless(octx))) {
nft_print(octx, "%s}%s", opts->tab, opts->nl);
return;
}
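Review bot: The new condition changes what `nft list -s all` output means — the elements of statically defined sets and maps are dropped, so the listing can no longer be re-loaded as an equivalent ruleset — and nothing at the call site says so. A why-comment above the `if` would help the next reader, e.g. `/* -s omits only dynamic sets (their elements are run-time state); -s all also drops statically defined elements, so the output is no longer a complete ruleset. */`. The mixed `&` / `&&` in the inner operand is pre-existing but, now that it sits inside an `||`, parenthesising `(set->flags & NFT_SET_EVAL)` would make the precedence explicit. do_set_print() continues past the end of the hunk.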
Currently, --stateless only suppresses the output of the contents of dynamic sets. Extend it to support an optional parameter, `all`. If it is given, `nft list` will also omit the elements of sets which are not marked `dynamic`. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> --- Since v1: * updated man-page and usage; * dropped 'dynamic' as a possible parameter-value. doc/libnftables.adoc | 7 +++++-- doc/nft.txt | 6 ++++-- include/nftables.h | 5 +++++ include/nftables/libnftables.h | 1 + src/main.c | 17 ++++++++++++++--- src/rule.c | 3 ++- 6 files changed, 31 insertions(+), 8 deletions(-)