Patchwork [nftables] rule: display rule handle as comment

Submitter Eric Leblond
Date May 20, 2013, 11:09 p.m.
Message ID <1369091340-29211-1-git-send-email-eric@regit.org>
Permalink /patch/245132/
State Accepted

Comments

Eric Leblond - May 20, 2013, 11:09 p.m.
Knowing the rule handle is necessary to be able to delete a single
rule. It was not displayed until now in the output and it was thus
impossible to remove a single rule.
This patch modifies the listing output to add a comment containing
the handle.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/rule.c |    2 ++
 1 file changed, 2 insertions(+)
Pablo Neira - May 21, 2013, 1:53 p.m.
Hi Eric,

On Tue, May 21, 2013 at 01:09:00AM +0200, Eric Leblond wrote:
> Knowing the rule handle is necessary to be able to delete a single
> rule. It was not displayed until now in the output and it was thus
> impossible to remove a single rule.
> This patch modifies the listing output to add a comment containing
> the handle.

Thanks for the patch.

Could you add some option, eg. -a/--handle, so the handle is shown
only if we invoke:

nft -a list table filter

We also support:

nft list table filter > rule-set-file
nft -f rule-set-file

And the handle number will not be of any use there.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Patrick McHardy - May 21, 2013, 7:06 p.m.
Eric Leblond <eric@regit.org> wrote:

>Knowing the rule handle is necessary to be able to delete a single
>rule. It was not displayed until now in the output and it was thus
>impossible to remove a single rule.
>This patch modifies the listing output to add a comment containing
>the handle.
>
>Signed-off-by: Eric Leblond <eric@regit.org>
>---
> src/rule.c |    2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/src/rule.c b/src/rule.c
>index 9d9eaee..b2d7844 100644
>--- a/src/rule.c
>+++ b/src/rule.c
>@@ -13,6 +13,7 @@
> #include <stdio.h>
> #include <stdint.h>
> #include <string.h>
>+#include <inttypes.h>
> 
> #include <statement.h>
> #include <rule.h>
>@@ -136,6 +137,7 @@ void rule_print(const struct rule *rule)
> 		printf(" ");
> 		stmt->ops->print(stmt);
> 	}
>+	printf(" # handle %" PRIu64, rule->handle.handle);
> 	printf("\n");
> }
> 

The output is supposed to be parsable again and should also remain as readable as possible. I discussed this with Pablo, we agreed on adding a command line switch for this.
Jesper Dangaard Brouer - May 22, 2013, 1:53 p.m.
On Tue, 21 May 2013, Eric Leblond wrote:

> Knowing the rule handle is necessary to be able to delete a single
> rule. It was not displayed until now in the output and it was thus
> impossible to remove a single rule.

The current iptables system supports deleting a specific rule by simply
specifying iptables -D [...] instead of the equivalent iptables -A [...]

Would it be possible to keep this semantics in nftables?

Regards
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
Patrick McHardy - May 22, 2013, 3:35 p.m.
On Wed, May 22, 2013 at 03:53:26PM +0200, Jesper Dangaard Brouer wrote:
> 
> On Tue, 21 May 2013, Eric Leblond wrote:
> 
> >Knowing the rule handle is necessary to be able to delete a single
> >rule. It was not displayed until now in the output and it was thus
> >impossible to remove a single rule.
> 
> The current iptables system supports deleting a specific rule by
> simply specifying iptables -D [...] instead of the equivalent iptables
> -A [...]
> 
> Would it be possible to keep this semantics in nftables?

Yes, I wanted to add that feature myself. Implementation would be similar
to what we do in iptables, IOW we'd compare either the netlink commands
constructed from the rule specification or the internal expression
representation, whatever seems better suited.
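As an added example, not code from the patch or from nftables itself: a small C program modelling the two points raised in this thread. The `# handle N` comment is emitted only under an opt-in flag (standing in for the -a/--handle switch Pablo proposed), so the default listing stays byte-identical and reloadable via -f, and a reader strips a well-formed handle comment back out while returning the handle for a delete-by-handle helper. The toy -D style lookup that Jesper asked about compares listed statement text, which is only a stand-in for the netlink command or expression comparison Patrick describes. `demo_rule`, `demo_rule_format`, `demo_rule_parse`, `demo_find_handle`, the `show_handle` flag and the sample chain are all assumptions constructed for this demo.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy rule: the statement text as listed plus the kernel-assigned handle.
 * A stand-in for the demo, not nftables' own struct rule. */
struct demo_rule {
	const char *stmts;
	uint64_t handle;
};

static const char HANDLE_MARK[] = " # handle ";

/* Format one rule. The handle comment is appended only when show_handle is
 * set (hypothetical -a/--handle), so a plain listing is unchanged and can be
 * fed back through -f without the handle ever appearing in the file. */
static int demo_rule_format(const struct demo_rule *r, bool show_handle,
			    char *buf, size_t len)
{
	if (show_handle)
		return snprintf(buf, len, "%s%s%" PRIu64,
				r->stmts, HANDLE_MARK, r->handle);
	return snprintf(buf, len, "%s", r->stmts);
}

/* Read a listed line back. A well-formed trailing "# handle N" comment is
 * stripped from the copy in out and N is returned; anything else is copied
 * verbatim and 0 is returned (0 meaning "no handle comment" is a convention
 * of this demo only). A reloader ignores the result; a delete helper uses it. */
static uint64_t demo_rule_parse(const char *line, char *out, size_t len)
{
	const char *mark = strstr(line, HANDLE_MARK);
	uint64_t handle = 0;
	size_t n = strlen(line);

	if (mark) {
		const char *num = mark + strlen(HANDLE_MARK);
		char *end;
		uint64_t v = strtoull(num, &end, 10);

		while (*end == ' ' || *end == '\n')
			end++;
		/* accept only if digits were consumed and nothing else follows */
		if (end != num && *end == '\0') {
			handle = v;
			n = (size_t)(mark - line);
		}
	}
	if (n >= len)
		n = len - 1;
	memcpy(out, line, n);
	out[n] = '\0';
	return handle;
}

/* Toy counterpart of iptables -D: locate a rule by its specification rather
 * than by handle. String equality on the listed text is the demo's stand-in
 * for comparing netlink commands or internal expressions. */
static uint64_t demo_find_handle(const struct demo_rule *rules, size_t n,
				 const char *spec)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(rules[i].stmts, spec) == 0)
			return rules[i].handle;
	return 0;
}

int main(void)
{
	/* constructed sample chain */
	const struct demo_rule chain[] = {
		{ "ip saddr 10.0.0.1 drop", 7 },
		{ "tcp dport 22 accept", 9 },
	};
	char line[128], text[128];

	for (size_t i = 0; i < 2; i++) {
		demo_rule_format(&chain[i], true, line, sizeof line);
		printf("%s\n", line);
		demo_rule_parse(line, text, sizeof text);
		printf("  reload text: %s (found by spec: handle %" PRIu64 ")\n",
		       text, demo_find_handle(chain, 2, text));
	}
	return 0;
}
```

With the flag off the formatter produces exactly the original listing, which is the property Patrick asks for: the output with handles is an opt-in superset, and even that superset parses back to the same rule text.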

Patch

diff --git a/src/rule.c b/src/rule.c
index 9d9eaee..b2d7844 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -13,6 +13,7 @@ 
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
+#include <inttypes.h>
 
 #include <statement.h>
 #include <rule.h>
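Review bot: `<inttypes.h>` is the correct header for the PRIu64 macro used in the second hunk, and placing it with the other system headers matches the file's existing order; note that `<inttypes.h>` itself pulls in `<stdint.h>`, so the `#include <stdint.h>` above it becomes redundant, though leaving it is harmless.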
@@ -136,6 +137,7 @@  void rule_print(const struct rule *rule)
 		printf(" ");
 		stmt->ops->print(stmt);
 	}
+	printf(" # handle %" PRIu64, rule->handle.handle);
 	printf("\n");
 }
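Review bot: the `printf(" # handle %" PRIu64, ...)` is unconditional, so every `nft list` invocation now appends `# handle N` to each rule, including listings saved with `nft list table filter > rule-set-file` for reload with `nft -f`, where the handle has no meaning; as both Pablo and Patrick request, guard this line with a command-line switch (e.g. `if (handle_output)` before the printf, with the variable name being a placeholder) so the default output is unchanged and the handle only appears under `-a/--handle`.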