From patchwork Fri Sep 14 13:12:54 2018
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 969864
X-Patchwork-Delegate: pablo@netfilter.org
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH] Review numeric/literal options and related docs
Date: Fri, 14 Sep 2018 15:12:54 +0200
Message-Id: <20180914131254.7820-1-phil@nwl.cc>

With the introduction of the literal option, two of the three meaningful numeric levels lost their purpose. In fact, they turned into no-ops, so that '-n' had to be given three times on the command line to have an effect.

To overcome this, spread the three effects of NFT_NUMERIC_ALL to allow some selection there. Their ordering is chosen according to the assumed likelihood of a user wanting something numeric:

1) Chain priorities, so it's easy to see in which order they are evaluated without having to know the names.
2) User and group IDs, so one doesn't have to consolidate with 'getent'.
3) Protocols, for those more familiar with 6 than 'tcp'.

Note: The above change means '-nn', for instance, does not have the same effect as before, but it had changed already anyway.

Update documentation (help text and man page) accordingly to correctly describe what the 'literal' and 'numeric' options do.

Given that option '-N' ('--reversedns') is now obsolete in favour of '-ll', remove it from the help text and the synopsis in the man page. Also integrate it a bit better by making it simply raise the literal level to NFT_LITERAL_ADDR if it is lower; no need to complain if it is not.

One more unrelated change in here: add a brief description of the '--json' option to the man page so it becomes consistent with the help output.

Signed-off-by: Phil Sutter
---
 doc/nft.txt                    | 18 +++++++++++-------
 include/nftables/libnftables.h |  7 +++++--
 src/datatype.c                 |  2 +-
 src/json.c                     |  6 +++---
 src/main.c                     | 16 ++++++++--------
 src/meta.c                     |  4 ++--
 src/rule.c                     |  2 +-
 7 files changed, 31 insertions(+), 24 deletions(-)
diff --git a/doc/nft.txt b/doc/nft.txt index 9d04e4355f4eb..0e0becfb7a080 100644 --- a/doc/nft.txt +++ b/doc/nft.txt @@ -9,7 +9,7 @@ nft - Administration tool of the nftables framework for packet filtering and cla SYNOPSIS -------- [verse] -*nft* [ *-nNscae* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...] +*nft* [ *-nlscaej* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...] *nft* *-h* *nft* *-v* @@ -34,10 +34,10 @@ For a full summary of options, run *nft --help*. *-n*:: *--numeric*:: - Show data numerically. When used once (the default behaviour), skip - lookup of addresses to symbolic names. Use twice to also show Internet - services (port numbers) numerically. Use three times to also show - protocols, UIDs/GIDs and priorities numerically. + Show data numerically. When used once, show chain priorities + numerically instead of in form of 'name + offset'. Use twice to also + show user and group IDs numerically. Use three times to also show + protocols numerically. *-s*:: *--stateless*:: @@ -45,8 +45,8 @@ For a full summary of options, run *nft --help*. *-l*:: *--literal*:: - Translate numeric to literal. When used once (the default - behaviour), print services (instead of numerical port numbers). Use + Translate numeric to literal. When used once, print services + (instead of numerical port numbers). Use twice to perform the IP address to name lookup, this usually requires network traffic for DNS lookup that slows down the ruleset listing. @@ -79,6 +79,10 @@ For a full summary of options, run *nft --help*. Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker, normally this is CTRL-D. +*-j*:: +*--json*:: + Format output in JSON. + INPUT FILE FORMATS ------------------ LEXICAL CONVENTIONS diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h index dee099f279c10..d1a4e3a7be686 100644 --- a/include/nftables/libnftables.h +++ b/include/nftables/libnftables.h 
@@ -28,8 +28,11 @@ enum nft_debug_level { enum nft_numeric_level { NFT_NUMERIC_NONE, - NFT_NUMERIC_ADDR, - NFT_NUMERIC_PORT, + NFT_NUMERIC_ADDR = 0, /* backwards compat */ + NFT_NUMERIC_PORT = 0, /* backwards compat */ + NFT_NUMERIC_PRIOS, + NFT_NUMERIC_GUID, + NFT_NUMERIC_INET_PROTO, NFT_NUMERIC_ALL, }; diff --git a/src/datatype.c b/src/datatype.c index 50af3df04f744..54287cd21ba4f 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -564,7 +564,7 @@ static void inet_protocol_type_print(const struct expr *expr, { struct protoent *p; - if (octx->numeric < NFT_NUMERIC_ALL) { + if (octx->numeric < NFT_NUMERIC_INET_PROTO) { p = getprotobynumber(mpz_get_uint8(expr->value)); if (p != NULL) { nft_print(octx, "%s", p->p_name); diff --git a/src/json.c b/src/json.c index 1708f22dda408..9994ef0ae6e7f 100644 --- a/src/json.c +++ b/src/json.c @@ -853,7 +853,7 @@ json_t *inet_protocol_type_json(const struct expr *expr, { struct protoent *p; - if (octx->numeric < NFT_NUMERIC_ALL) { + if (octx->numeric < NFT_NUMERIC_INET_PROTO) { p = getprotobynumber(mpz_get_uint8(expr->value)); if (p != NULL) return json_string(p->p_name); @@ -913,7 +913,7 @@ json_t *uid_type_json(const struct expr *expr, struct output_ctx *octx) { uint32_t uid = mpz_get_uint32(expr->value); - if (octx->numeric < NFT_NUMERIC_ALL) { + if (octx->numeric < NFT_NUMERIC_GUID) { struct passwd *pw = getpwuid(uid); if (pw) @@ -926,7 +926,7 @@ json_t *gid_type_json(const struct expr *expr, struct output_ctx *octx) { uint32_t gid = mpz_get_uint32(expr->value); - if (octx->numeric < NFT_NUMERIC_ALL) { + if (octx->numeric < NFT_NUMERIC_GUID) { struct group *gr = getgrgid(gid); if (gr) diff --git a/src/main.c b/src/main.c index 792136f527d94..fd549ad4a11a7 100644 --- a/src/main.c +++ b/src/main.c 
@@ -123,11 +123,12 @@ static void show_help(const char *name) " -i, --interactive Read input from interactive CLI\n" "\n" " -j, --json Format output in JSON\n" -" -n, --numeric When specified once, show network addresses numerically (default behaviour).\n" -" Specify twice to also show Internet services (port numbers) numerically.\n" -" Specify three times to also show protocols, user IDs, and group IDs numerically.\n" +" -l, --literal When specified once, translate known port numbers into names.\n" +" Specify twice to also perform reverse DNS lookups for IP addresses.\n" +" -n, --numeric When specified once, show chain priorities numerically.\n" +" Specify twice to also show user and group IDs numerically.\n" +" Specify three times to also show protocols numerically.\n" " -s, --stateless Omit stateful information of ruleset.\n" -" -N Translate IP addresses to names.\n" " -a, --handle Output rule handle.\n" " -e, --echo Echo what has been added, inserted or replaced.\n" " -I, --includepath Add to the paths searched for include files. Default is: %s\n" @@ -231,11 +232,10 @@ int main(int argc, char * const *argv) break; case OPT_IP2NAME: literal = nft_ctx_output_get_literal(nft); - if (literal + 2 > NFT_LITERAL_ADDR) { - fprintf(stderr, "Cannot combine `-N' with `-l'\n"); - exit(EXIT_FAILURE); + if (literal < NFT_LITERAL_ADDR) { + literal = NFT_LITERAL_ADDR; + nft_ctx_output_set_literal(nft, literal); } - nft_ctx_output_set_literal(nft, literal + 2); break; case OPT_LITERAL: literal = nft_ctx_output_get_literal(nft); diff --git a/src/meta.c b/src/meta.c index 1bd91db275d67..da78fdf80a6a9 100644 --- a/src/meta.c +++ b/src/meta.c @@ -207,7 +207,7 @@ static void uid_type_print(const struct expr *expr, struct output_ctx *octx) { struct passwd *pw; - if (octx->numeric < NFT_NUMERIC_ALL) { + if (octx->numeric < NFT_NUMERIC_GUID) { uint32_t uid = mpz_get_uint32(expr->value); pw = getpwuid(uid); 
@@ -260,7 +260,7 @@ static void gid_type_print(const struct expr *expr, struct output_ctx *octx) { struct group *gr; - if (octx->numeric < NFT_NUMERIC_ALL) { + if (octx->numeric < NFT_NUMERIC_GUID) { uint32_t gid = mpz_get_uint32(expr->value); gr = getgrgid(gid); diff --git a/src/rule.c b/src/rule.c index e6d61b670688f..e39508efb8fed 100644 --- a/src/rule.c +++ b/src/rule.c @@ -969,7 +969,7 @@ static const char *prio2str(char *buf, size_t bufsize, int family, int hook, arr_size = array_size(std_prios); } - if (numeric != NFT_NUMERIC_ALL) { + if (numeric < NFT_NUMERIC_PRIOS) { for (i = 0; i < arr_size; ++i) { std_prio = prio_arr[i].val; std_prio_str = prio_arr[i].str;
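Review bot: in the include/nftables/libnftables.h hunk, the aliases `NFT_NUMERIC_ADDR = 0` and `NFT_NUMERIC_PORT = 0` keep old callers compiling, but they do not preserve the ABI: an application already built against the old header passes the old values (ADDR=1, PORT=2, ALL=3) into libnftables, and with the new enumerator layout those arrive as NFT_NUMERIC_PRIOS, NFT_NUMERIC_GUID and NFT_NUMERIC_INET_PROTO respectively, so a binary that used to ask for numeric addresses now gets numeric chain priorities instead. The `/* backwards compat */` comment should say that the compatibility is source-level only, and the man page or header should state that ADDR/PORT are no-ops now that addresses and ports are governed by the literal level. Also, three enumerators sharing the value 0 means any `switch` over `enum nft_numeric_level` elsewhere in the tree fails to compile with duplicate case labels, which is worth a grep before applying.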
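Review bot: in the doc/nft.txt hunk, the rewritten `-n` paragraph drops every mention of addresses and ports, so a reader of the old man page is left to guess where that behaviour went; add a sentence to the `--numeric` entry such as "Addresses and port numbers are always shown numerically unless *-l* is given." The `-l` entry is the right place to keep the warning that the second level triggers reverse DNS lookups during listing, since that is both a slowdown and a disclosure of ruleset addresses to the configured resolver; that sentence survives the hunk, which is good. Separately, `-N` is removed from the synopsis but still accepted by `src/main.c` (the `OPT_IP2NAME` case stays), so the man page should list it as a deprecated alias for `-ll` rather than silently dropping it.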
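Review bot: in the `show_help()` hunk of src/main.c, the `-N` line is deleted while the option itself remains functional, so users who have it in scripts can no longer discover from `nft --help` that it now means `-ll`; either keep a one-line entry marked deprecated or print a deprecation notice when it is used. The new `-n` text is also the first place that documents the default: it would help to state on the first line that addresses and ports are already numeric without any `-n`, matching the man page.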
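Review bot: in the `OPT_IP2NAME` hunk of src/main.c, raising `literal` to `NFT_LITERAL_ADDR` only when it is lower removes the "Cannot combine `-N' with `-l'" error for `-l -N`, but the reverse order `-N -l` is handled by the `OPT_LITERAL` case just below the hunk, which reads the already-raised level back with `nft_ctx_output_get_literal()` and then applies its own increment check. Please confirm that `-N -l` no longer aborts either (or bumps beyond `NFT_LITERAL_ADDR`), and add both orderings to the shell tests; the commit message says `-N` is now merely obsolete, so both should behave exactly like `-ll`.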
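Review bot: in the src/json.c hunks, the thresholds `NFT_NUMERIC_INET_PROTO` and `NFT_NUMERIC_GUID` match the text printers in src/datatype.c and src/meta.c, which is the important thing, but the same comparison is now copied in five places across three files; a small helper on `struct output_ctx` (for example `nft_output_numeric_guid(octx)`, name hypothetical) would keep the JSON and text paths from drifting the next time a level is added. Worth noting for JSON consumers in the `--json` man page text added in the doc hunk: the value type of `uid`, `gid` and `protocol` fields depends on the numeric level (`json_string(p->p_name)` when resolved), so a script parsing `nft -j list ruleset` should pass `-nnn` to get stable numeric fields instead of relying on whatever `/etc/passwd`, `/etc/group` and `/etc/protocols` resolve on the listing host.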