From b4953803f26c442cdec4cad78a8261e9b97cd015 Mon Sep 17 00:00:00 2001
From: "Pablo M. Bermudo Garay" <pablombg@gmail.com>
Date: Fri, 23 Jun 2017 18:38:25 +0200
Subject: src: add --check option flag

Sometimes it can be useful to test if a command is valid without
applying any change to the rule-set. This commit adds a new option
flag (-c | --check) that performs a dry run execution of the commands.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/nft.xml        | 11 +++++++++++
 include/nftables.h |  1 +
 src/main.c         | 14 ++++++++++++--
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/doc/nft.xml b/doc/nft.xml
index e9ccd63c..970acb54 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -51,6 +51,9 @@ vi:ts=4 sw=4
 			<arg choice="opt">
 				<option>-s | --stateless</option>
 			</arg>
+			<arg choice="opt">
+				<option>-c | --check</option>
+			</arg>
 			<arg choice="opt">
 				<option>[-I | --includepath]</option>
 				<replaceable>directory</replaceable>
@@ -129,6 +132,14 @@ vi:ts=4 sw=4
 					</para>
 				</listitem>
 			</varlistentry>
+			<varlistentry>
+				<term><option>-c, --check</option></term>
+				<listitem>
+					<para>
+						Check commands validity without actually applying the changes.
+					</para>
+				</listitem>
+			</varlistentry>
 			<varlistentry>
 				<term><option>-N</option></term>
 				<listitem>
diff --git a/include/nftables.h b/include/nftables.h
index dbd46377..26fd3441 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -33,6 +33,7 @@ struct output_ctx {
 
 struct nft_ctx {
 	struct output_ctx	output;
+	bool			check;
 };
 
 extern unsigned int max_errors;
diff --git a/src/main.c b/src/main.c
index a94cf7cc..7fbf00a7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -40,6 +40,7 @@ static unsigned int num_include_paths = 1;
 enum opt_vals {
 	OPT_HELP		= 'h',
 	OPT_VERSION		= 'v',
+	OPT_CHECK		= 'c',
 	OPT_FILE		= 'f',
 	OPT_INTERACTIVE		= 'i',
 	OPT_INCLUDEPATH		= 'I',
@@ -51,7 +52,7 @@ enum opt_vals {
 	OPT_INVALID		= '?',
 };
 
-#define OPTSTRING	"hvf:iI:vnsNa"
+#define OPTSTRING	"hvcf:iI:vnsNa"
 
 static const struct option options[] = {
 	{
@@ -62,6 +63,10 @@ static const struct option options[] = {
 		.name		= "version",
 		.val		= OPT_VERSION,
 	},
+	{
+		.name		= "check",
+		.val		= OPT_CHECK,
+	},
 	{
 		.name		= "file",
 		.val		= OPT_FILE,
@@ -113,6 +118,7 @@ static void show_help(const char *name)
 "  -h, --help			Show this help\n"
 "  -v, --version			Show version information\n"
 "\n"
+"  -c, --check			Check commands validity without actually applying the changes.\n"
 "  -f, --file <filename>		Read input from <filename>\n"
 "  -i, --interactive		Read input from interactive CLI\n"
 "\n"
@@ -202,7 +208,8 @@ static int nft_netlink(struct nft_ctx *nft, struct parser_state *state,
 		if (ret < 0)
 			goto out;
 	}
-	mnl_batch_end(batch);
+	if (!nft->check)
+		mnl_batch_end(batch);
 
 	if (!mnl_batch_ready(batch))
 		goto out;
@@ -278,6 +285,9 @@ int main(int argc, char * const *argv)
 			printf("%s v%s (%s)\n",
 			       PACKAGE_NAME, PACKAGE_VERSION, RELEASE_NAME);
 			exit(NFT_EXIT_SUCCESS);
+		case OPT_CHECK:
+			nft.check = true;
+			break;
 		case OPT_FILE:
 			filename = optarg;
 			break;
-- 
cgit v1.2.3