[nft] Review numeric/literal options and related docs

Message ID 20180914131254.7820-1-phil@nwl.cc
State Under Review
Delegated to: Pablo Neira

Commit Message

Phil Sutter Sept. 14, 2018, 1:12 p.m.
With introduction of the literal option, two of the three meaningful numeric
levels lost their purpose. In fact, they turned into no-ops so that '-n'
had to be given three times on the command line to have an effect.

To overcome this, spread the three effects of NFT_NUMERIC_ALL to allow
some selection there. The ordering of them is chosen accordingly to
assumed likeliness for a user to want something numeric:

1) Chain priorities, so it's easy to see in which order they are
   evaluated without having to know the names.

2) User and group IDs, so one doesn't have to consolidate with 'getent'.

3) Protocols, for those more familiar with 6 than 'tcp'.

Note: The above change means '-nn' for instance has not the same effect
      as before, but it has changed already anyway.

Update documentation (help text and man page) accordingly to correctly
describe what 'literal' and 'numeric' options do.

Given that option '-N' ('--reversedns') is now obsolete in favour of
'-ll', remove it from help text and synopsis in man page. Also integrate
it a bit better by making it simply raise literal level to
NFT_LITERAL_ADDR if it is lower, no need to complain if it is not.

One more unrelated change in here: Add brief description of '--json'
option to man page so it becomes consistent with help output.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 doc/nft.txt                    | 18 +++++++++++-------
 include/nftables/libnftables.h |  7 +++++--
 src/datatype.c                 |  2 +-
 src/json.c                     |  6 +++---
 src/main.c                     | 16 ++++++++--------
 src/meta.c                     |  4 ++--
 src/rule.c                     |  2 +-
 7 files changed, 31 insertions(+), 24 deletions(-)

Patch

diff --git a/doc/nft.txt b/doc/nft.txt
index 9d04e4355f4eb..0e0becfb7a080 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -9,7 +9,7 @@  nft - Administration tool of the nftables framework for packet filtering and cla
 SYNOPSIS
 --------
 [verse]
-*nft* [ *-nNscae* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
+*nft* [ *-nlscaej* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
 *nft* *-h*
 *nft* *-v*
 
@@ -34,10 +34,10 @@  For a full summary of options, run *nft --help*.
 
 *-n*::
 *--numeric*::
-	Show data numerically. When used once (the default behaviour), skip
-	lookup of addresses to symbolic names. Use twice to also show Internet
-	services (port numbers) numerically. Use three times to also show
-	protocols, UIDs/GIDs and priorities numerically.
+	Show data numerically. When used once, show chain priorities
+	numerically instead of in form of 'name + offset'. Use twice to also
+	show user and group IDs numerically. Use three times to also show
+	protocols numerically.
 
 *-s*::
 *--stateless*::
@@ -45,8 +45,8 @@  For a full summary of options, run *nft --help*.
 
 *-l*::
 *--literal*::
-	Translate numeric to literal. When used once (the default
-	behaviour), print services (instead of numerical port numbers). Use
+	Translate numeric to literal. When used once, print services
+	(instead of numerical port numbers). Use
 	twice to perform the IP address to name lookup, this usually
 	requires network traffic for DNS lookup that slows down the
 	ruleset listing.
@@ -79,6 +79,10 @@  For a full summary of options, run *nft --help*.
 	Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker,
 	normally this is CTRL-D.
 
+*-j*::
+*--json*::
+	Format output in JSON.
+
 INPUT FILE FORMATS
 ------------------
 LEXICAL CONVENTIONS
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index dee099f279c10..d1a4e3a7be686 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -28,8 +28,11 @@  enum nft_debug_level {
 
 enum nft_numeric_level {
 	NFT_NUMERIC_NONE,
-	NFT_NUMERIC_ADDR,
-	NFT_NUMERIC_PORT,
+	NFT_NUMERIC_ADDR = 0,	/* backwards compat */
+	NFT_NUMERIC_PORT = 0,	/* backwards compat */
+	NFT_NUMERIC_PRIOS,
+	NFT_NUMERIC_GUID,
+	NFT_NUMERIC_INET_PROTO,
 	NFT_NUMERIC_ALL,
 };
 
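Review bot: The `= 0` aliases for NFT_NUMERIC_ADDR and NFT_NUMERIC_PORT keep old sources compiling, but this is a public header and the numeric values 1, 2 and 3 are reassigned to NFT_NUMERIC_PRIOS, NFT_NUMERIC_GUID and NFT_NUMERIC_INET_PROTO while NFT_NUMERIC_ALL moves from 3 to 4, so a program built against the previous header that passes 1 or 2 (presumably through the numeric counterpart of nft_ctx_output_set_literal()) now gets priorities or UIDs/GIDs numeric instead of addresses or ports. The enum also says nothing about the levels being cumulative, which is what the `<` comparisons in datatype.c, json.c, meta.c and rule.c rely on. I would add `/* Levels are cumulative: each one also implies every lower level. */` above NFT_NUMERIC_PRIOS, and extend the two `backwards compat` comments to say that the aliases exist for recompiling old sources only, not for binaries built against the old values.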
diff --git a/src/datatype.c b/src/datatype.c
index 50af3df04f744..54287cd21ba4f 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -564,7 +564,7 @@  static void inet_protocol_type_print(const struct expr *expr,
 {
 	struct protoent *p;
 
-	if (octx->numeric < NFT_NUMERIC_ALL) {
+	if (octx->numeric < NFT_NUMERIC_INET_PROTO) {
 		p = getprotobynumber(mpz_get_uint8(expr->value));
 		if (p != NULL) {
 			nft_print(octx, "%s", p->p_name);
diff --git a/src/json.c b/src/json.c
index 1708f22dda408..9994ef0ae6e7f 100644
--- a/src/json.c
+++ b/src/json.c
@@ -853,7 +853,7 @@  json_t *inet_protocol_type_json(const struct expr *expr,
 {
 	struct protoent *p;
 
-	if (octx->numeric < NFT_NUMERIC_ALL) {
+	if (octx->numeric < NFT_NUMERIC_INET_PROTO) {
 		p = getprotobynumber(mpz_get_uint8(expr->value));
 		if (p != NULL)
 			return json_string(p->p_name);
@@ -913,7 +913,7 @@  json_t *uid_type_json(const struct expr *expr, struct output_ctx *octx)
 {
 	uint32_t uid = mpz_get_uint32(expr->value);
 
-	if (octx->numeric < NFT_NUMERIC_ALL) {
+	if (octx->numeric < NFT_NUMERIC_GUID) {
 		struct passwd *pw = getpwuid(uid);
 
 		if (pw)
@@ -926,7 +926,7 @@  json_t *gid_type_json(const struct expr *expr, struct output_ctx *octx)
 {
 	uint32_t gid = mpz_get_uint32(expr->value);
 
-	if (octx->numeric < NFT_NUMERIC_ALL) {
+	if (octx->numeric < NFT_NUMERIC_GUID) {
 		struct group *gr = getgrgid(gid);
 
 		if (gr)
diff --git a/src/main.c b/src/main.c
index 792136f527d94..fd549ad4a11a7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -123,11 +123,12 @@  static void show_help(const char *name)
 "  -i, --interactive		Read input from interactive CLI\n"
 "\n"
 "  -j, --json			Format output in JSON\n"
-"  -n, --numeric			When specified once, show network addresses numerically (default behaviour).\n"
-"  				Specify twice to also show Internet services (port numbers) numerically.\n"
-"				Specify three times to also show protocols, user IDs, and group IDs numerically.\n"
+"  -l, --literal			When specified once, translate known port numbers into names.\n"
+"				Specify twice to also perform reverse DNS lookups for IP addresses.\n"
+"  -n, --numeric			When specified once, show chain priorities numerically.\n"
+"				Specify twice to also show user and group IDs numerically.\n"
+"				Specify three times to also show protocols numerically.\n"
 "  -s, --stateless		Omit stateful information of ruleset.\n"
-"  -N				Translate IP addresses to names.\n"
 "  -a, --handle			Output rule handle.\n"
 "  -e, --echo			Echo what has been added, inserted or replaced.\n"
 "  -I, --includepath <directory>	Add <directory> to the paths searched for include files. Default is: %s\n"
@@ -231,11 +232,10 @@  int main(int argc, char * const *argv)
 			break;
 		case OPT_IP2NAME:
 			literal = nft_ctx_output_get_literal(nft);
-			if (literal + 2 > NFT_LITERAL_ADDR) {
-				fprintf(stderr, "Cannot combine `-N' with `-l'\n");
-				exit(EXIT_FAILURE);
+			if (literal < NFT_LITERAL_ADDR) {
+				literal = NFT_LITERAL_ADDR;
+				nft_ctx_output_set_literal(nft, literal);
 			}
-			nft_ctx_output_set_literal(nft, literal + 2);
 			break;
 		case OPT_LITERAL:
 			literal = nft_ctx_output_get_literal(nft);
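Review bot: The new OPT_IP2NAME code only raises the literal level, so the result of `-N -l` depends on what OPT_LITERAL does when the level is already NFT_LITERAL_ADDR; that case starts on the hunk's last line but its body is outside the hunk. If it still increments and rejects values above NFT_LITERAL_ADDR, as the removed `literal + 2 > NFT_LITERAL_ADDR` check suggests the original did, then `-l -N` succeeds while `-N -l` fails, which is the kind of complaint the commit message says it wants to drop. Either clamp there as well or make the intent explicit with a comment on the OPT_IP2NAME case, `/* -N is a deprecated alias for -ll: raise, never lower, the literal level */`. main()'s body extends beyond the hunk.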
diff --git a/src/meta.c b/src/meta.c
index 1bd91db275d67..da78fdf80a6a9 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -207,7 +207,7 @@  static void uid_type_print(const struct expr *expr, struct output_ctx *octx)
 {
 	struct passwd *pw;
 
-	if (octx->numeric < NFT_NUMERIC_ALL) {
+	if (octx->numeric < NFT_NUMERIC_GUID) {
 		uint32_t uid = mpz_get_uint32(expr->value);
 
 		pw = getpwuid(uid);
@@ -260,7 +260,7 @@  static void gid_type_print(const struct expr *expr, struct output_ctx *octx)
 {
 	struct group *gr;
 
-	if (octx->numeric < NFT_NUMERIC_ALL) {
+	if (octx->numeric < NFT_NUMERIC_GUID) {
 		uint32_t gid = mpz_get_uint32(expr->value);
 
 		gr = getgrgid(gid);
diff --git a/src/rule.c b/src/rule.c
index e6d61b670688f..e39508efb8fed 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -969,7 +969,7 @@  static const char *prio2str(char *buf, size_t bufsize, int family, int hook,
 		arr_size = array_size(std_prios);
 	}
 
-	if (numeric != NFT_NUMERIC_ALL) {
+	if (numeric < NFT_NUMERIC_PRIOS) {
 		for (i = 0; i < arr_size; ++i) {
 			std_prio = prio_arr[i].val;
 			std_prio_str = prio_arr[i].str;