[nft,v2] src: extend --stateless to suppress output of non-dynamic set elements.

Message ID 20191021161148.582-1-jeremy@azazel.net
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Jeremy Sowden Oct. 21, 2019, 4:11 p.m. UTC
Currently, --stateless only suppresses the output of the contents of
dynamic sets.  Extend it to support an optional parameter, `all`.  If it
is given, `nft list` will also omit the elements of sets which are not
marked `dynamic`.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
Since v1:

 * updated man-page and usage;
 * dropped 'dynamic' as a possible parameter-value.

 doc/libnftables.adoc           |  7 +++++--
 doc/nft.txt                    |  6 ++++--
 include/nftables.h             |  5 +++++
 include/nftables/libnftables.h |  1 +
 src/main.c                     | 17 ++++++++++++++---
 src/rule.c                     |  3 ++-
 6 files changed, 31 insertions(+), 8 deletions(-)

Comments

Pablo Neira Ayuso Oct. 21, 2019, 4:35 p.m. UTC | #1
On Mon, Oct 21, 2019 at 05:11:48PM +0100, Jeremy Sowden wrote:
> Currently, --stateless only suppresses the output of the contents of
> dynamic sets.  Extend it to support an optional parameter, `all`.  If it
> is given, `nft list` will also omit the elements of sets which are not
> marked `dynamic`.

I would suggest a new option? I don't think set elements are stateful
information.

Probably something like ipset --terse option?

-t is already taken, although not yet in a public release.

I'd suggest this is updated to use -T as --numeric-time (update patch
https://git.netfilter.org/nftables/commit/?id=f8f32deda31df597614d9f1f64ffb0c0320f4d54)
then use --terse/-t for this option?

Thanks.

Patch

diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index ea9626afa101..f32926ac8db1 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -99,8 +99,11 @@  NFT_CTX_OUTPUT_REVERSEDNS::
 NFT_CTX_OUTPUT_SERVICE::
 	Print port numbers as services as described in the /etc/services file.
 NFT_CTX_OUTPUT_STATELESS::
-	If stateless output has been requested, then stateful data is not printed.
-	Stateful data refers to those objects that carry run-time data, e.g. the *counter* statement holds packet and byte counter values, making it stateful.
+	If stateless output has been requested, then dynamic stateful data is not printed.
+	Dynamic stateful data refers to those objects that carry run-time data, e.g. the *counter* statement holds packet and byte counter values, making it stateful.
+NFT_CTX_OUTPUT_STATELESS_ALL::
+	If stateless output has been requested, then all stateful data is not printed.
+	Stateful data refers to dynamic stateful data described above and statically defined container objects like sets.
 NFT_CTX_OUTPUT_HANDLE::
 	Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes.
 	For example, when deleting a table or chain, it may be identified either by name or handle.
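
Review bot: In the NFT_CTX_OUTPUT_STATELESS_ALL entry, "all stateful data is not printed" is ambiguous and never says what is actually dropped from the output. State it concretely, for example that the elements of all sets are omitted in addition to what NFT_CTX_OUTPUT_STATELESS omits. Rewording the existing NFT_CTX_OUTPUT_STATELESS entry to "dynamic stateful data" also changes the documented terminology of a flag whose behaviour this patch leaves alone; consider keeping that entry as it was and describing only the new flag.
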
diff --git a/doc/nft.txt b/doc/nft.txt
index 9bc5986b6416..c06f4a2be6d6 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -37,8 +37,10 @@  For a full summary of options, run *nft --help*.
 	Print fully numerical output.
 
 *-s*::
-*--stateless*::
-	Omit stateful information of rules and stateful objects.
+*--stateless[=all]*::
+	Omit stateful information of rules and stateful objects.  By default,
+        only sets defined as 'dynamic' are affected.  Passing the 'all'
+        parameter causes all named sets to be affected.
 
 *-N*::
 *--reversedns*::
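
Review bot: The two continuation lines added under *--stateless[=all]* are indented with spaces, while the first description line uses a tab like the surrounding entries; use a tab on all three. The entry also still lists *-s* with no argument, so say which spelling the short form accepts for the optional parameter, and replace "affected" with what actually happens to the sets, namely that their elements are omitted from the listing.
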
diff --git a/include/nftables.h b/include/nftables.h
index 1ecf5ef5269c..d566989a01ec 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -50,6 +50,11 @@  static inline bool nft_output_stateless(const struct output_ctx *octx)
 	return octx->flags & NFT_CTX_OUTPUT_STATELESS;
 }
 
+static inline bool nft_output_stateless_all(const struct output_ctx *octx)
+{
+	return octx->flags & NFT_CTX_OUTPUT_STATELESS_ALL;
+}
+
 static inline bool nft_output_handle(const struct output_ctx *octx)
 {
 	return octx->flags & NFT_CTX_OUTPUT_HANDLE;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 7a7a46f3358a..92e0b30ceb87 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -56,6 +56,7 @@  enum {
 	NFT_CTX_OUTPUT_NUMERIC_ALL	= (NFT_CTX_OUTPUT_NUMERIC_PROTO |
 					   NFT_CTX_OUTPUT_NUMERIC_PRIO |
 					   NFT_CTX_OUTPUT_NUMERIC_SYMBOL),
+	NFT_CTX_OUTPUT_STATELESS_ALL	= (1 << 11),
 };
 
 unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);
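
Review bot: NFT_CTX_OUTPUT_STATELESS_ALL is a single new bit, (1 << 11), whereas NFT_CTX_OUTPUT_NUMERIC_ALL directly above it is a mask that ORs together the flags it covers. A library caller will reasonably expect the _ALL suffix to imply NFT_CTX_OUTPUT_STATELESS in the same way. Either define it as NFT_CTX_OUTPUT_STATELESS combined with the new bit, or give the bit a name that does not end in _ALL.
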
diff --git a/src/main.c b/src/main.c
index f77d8a820a02..291a6cd1dac3 100644
--- a/src/main.c
+++ b/src/main.c
@@ -45,7 +45,7 @@  enum opt_vals {
 	OPT_NUMERIC_TIME	= 't',
 	OPT_INVALID		= '?',
 };
-#define OPTSTRING	"hvcf:iI:jvnsNaeSupypt"
+#define OPTSTRING	"hvcf:iI:jvns::NaeSupypt"
 
 static const struct option options[] = {
 	{
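
Review bot: Changing "s" to "s::" in OPTSTRING gives -s an optional argument, and getopt treats any characters that follow such an option in the same word as that argument. Clustered short options that worked before, such as -sn, will now be parsed as -s with the argument "n" and fail with the new "invalid stateless parameter" error. That is a behaviour change for existing scripts; leaving "s" without an argument in OPTSTRING and accepting the parameter only on the long option, or using a separate option, avoids it.
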
@@ -76,6 +76,7 @@  static const struct option options[] = {
 	{
 		.name		= "stateless",
 		.val		= OPT_STATELESS,
+		.has_arg	= 2,
 	},
 	{
 		.name		= "reversedns",
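
Review bot: ".has_arg = 2" is a magic number. getopt.h defines optional_argument for this value, so write ".has_arg = optional_argument" to make the intent readable.
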
@@ -139,7 +140,7 @@  static void show_help(const char *name)
 "\n"
 "  -j, --json			Format output in JSON\n"
 "  -n, --numeric			Print fully numerical output.\n"
-"  -s, --stateless		Omit stateful information of ruleset.\n"
+"  -s, --stateless[=all]		Omit stateful information of ruleset.\n"
 "  -u, --guid			Print UID/GID as defined in /etc/passwd and /etc/group.\n"
 "  -N				Translate IP addresses to names.\n"
 "  -S, --service			Translate ports to service names as described in /etc/services.\n"
@@ -238,7 +239,17 @@  int main(int argc, char * const *argv)
 			output_flags |= NFT_CTX_OUTPUT_NUMERIC_TIME;
 			break;
 		case OPT_STATELESS:
-			output_flags |= NFT_CTX_OUTPUT_STATELESS;
+			if (!optarg)
+				output_flags |= NFT_CTX_OUTPUT_STATELESS;
+			else if (strcmp(optarg, "all") == 0) {
+				output_flags |= NFT_CTX_OUTPUT_STATELESS;
+				output_flags |= NFT_CTX_OUTPUT_STATELESS_ALL;
+			} else {
+				fprintf(stderr,
+					"invalid stateless parameter `%s'\n",
+					optarg);
+				exit(EXIT_FAILURE);
+			}
 			break;
 		case OPT_IP2NAME:
 			output_flags |= NFT_CTX_OUTPUT_REVERSEDNS;
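
Review bot: In the OPT_STATELESS case, NFT_CTX_OUTPUT_STATELESS is set in both accepted branches, so set it once before looking at optarg and keep the strcmp only for adding NFT_CTX_OUTPUT_STATELESS_ALL. The if / else if / else chain also mixes an unbraced first branch with braced later ones; brace all three or restructure so that none needs braces.
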
diff --git a/src/rule.c b/src/rule.c
index 55894cbdb766..827ccb7e5c56 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -538,7 +538,8 @@  static void do_set_print(const struct set *set, struct print_fmt_options *opts,
 {
 	set_print_declaration(set, opts, octx);
 
-	if (set->flags & NFT_SET_EVAL && nft_output_stateless(octx)) {
+	if (nft_output_stateless_all(octx) ||
+	    (set->flags & NFT_SET_EVAL && nft_output_stateless(octx))) {
 		nft_print(octx, "%s}%s", opts->tab, opts->nl);
 		return;
 	}
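
Review bot: The new condition returns early whenever nft_output_stateless_all(octx) is true, without checking nft_output_stateless(octx), and that helper tests only the NFT_CTX_OUTPUT_STATELESS_ALL bit. The command-line path in this patch always sets both flags, but a libnftables caller that sets only the new flag gets set elements suppressed while the documentation ties the flag to stateless output having been requested. Require both bits here, or document that the flag stands alone. Parenthesising "set->flags & NFT_SET_EVAL" would also make the mix of & and && easier to read.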