author | Phil Sutter <phil@nwl.cc> | 2017-08-09 13:16:42 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-08-14 11:32:20 +0200 |
commit | b99c4d072d9969f7a0dfc539b2b68b517f90af68 (patch) | |
tree | dadf8b641cc9082d64f4dec210772e2eaf1451e7 /src/main.c | |
parent | c5c6bf14aa53bd16e66fcd281374faa66b3293f8 (diff) |
Implement --echo option
When used with add, insert or replace commands, nft tool will print
event notifications just like 'nft monitor' does for the same commands.
Apart from showing what a given command turns into in the rule set,
this allows a new rule's assigned handle to be retrieved reliably (if used
together with the --handle option).
Here are some examples of how it works:
| # nft --echo --handle add table ip t
| add table ip t
|
| # nft --echo --handle add chain ip t c \
| '{ type filter hook forward priority 0; }'
| add chain ip t c { type filter hook forward priority 0; policy accept; }
|
| # nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept
| add rule ip t c tcp dport { ssh, http } accept # handle 2
|
| # nft --echo --handle add set ip t ipset '{ type ipv4_addr; \
| elements = { 192.168.0.1, 192.168.0.2 }; }'
| add set ip t ipset { type ipv4_addr; }
| add element ip t ipset { 192.168.0.1 }
| add element ip t ipset { 192.168.0.2 }
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/main.c')
-rw-r--r-- | src/main.c | 11 |
1 files changed, 10 insertions, 1 deletions
@@ -49,10 +49,11 @@ enum opt_vals {
OPT_IP2NAME = 'N',
OPT_DEBUG = 'd',
OPT_HANDLE_OUTPUT = 'a',
+ OPT_ECHO = 'e',
OPT_INVALID = '?',
};
-#define OPTSTRING "hvcf:iI:vnsNa"
+#define OPTSTRING "hvcf:iI:vnsNae"
static const struct option options[] = {
{
@@ -105,6 +106,10 @@ static const struct option options[] = {
.val = OPT_HANDLE_OUTPUT,
}, {
+ .name = "echo",
+ .val = OPT_ECHO,
+ }, {
.name = NULL
}
};
@@ -128,6 +133,7 @@ static void show_help(const char *name)
" -s, --stateless Omit stateful information of ruleset.\n"
" -N Translate IP addresses to names.\n"
" -a, --handle Output rule handle.\n"
+" -e, --echo Echo what has been added, inserted or replaced.\n"
" -I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: %s\n"
#ifdef DEBUG
" --debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, proto-ctx, segtree, all)\n"
@@ -375,6 +381,9 @@ int main(int argc, char * const *argv)
case OPT_HANDLE_OUTPUT:
nft.output.handle++;
break;
+ case OPT_ECHO:
+ nft.output.echo++;
+ break;
case OPT_INVALID:
exit(NFT_EXIT_FAILURE);
} |
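Review bot: The rewritten `OPTSTRING` still carries a duplicated `v` (`"hvcf:iI:vnsNae"`), a pre-existing quirk that this line is the natural place to drop: `#define OPTSTRING "hvcf:iI:nsNae"`. getopt tolerates the repeat, so this is cosmetic, but the string is the single source of truth for which short options exist and each letter should appear exactly once. Since `OPT_ECHO = 'e'` is also added to `enum opt_vals` and a matching entry to `options[]`, a comment on the enum such as `/* every value here must also appear in OPTSTRING and in options[] */` would make the hand-maintained three-way coupling explicit for the next option that gets added.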
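Review bot: `nft.output.echo++` in the new `OPT_ECHO` case uses an `echo` member of `nft.output` that src/main.c does not declare; the diffstat is limited to this file, so presumably the member is added to the output context struct elsewhere in the same commit — confirm that, and that it starts at zero, since the counter is incremented rather than set, mirroring `handle++`. The option is also accepted silently for commands other than add, insert and replace, where according to the commit message it has no effect; the `-e, --echo` help line in the `show_help` hunk could say so, e.g. `Echo what has been added, inserted or replaced (add, insert and replace commands only).` The body of `main` continues outside the hunk.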