From b99c4d072d9969f7a0dfc539b2b68b517f90af68 Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Wed, 9 Aug 2017 13:16:42 +0200 Subject: Implement --echo option When used with add, insert or replace commands, nft tool will print event notifications just like 'nft monitor' does for the same commands. Apart from seeing what a given command will turn out in the rule set, this allows to reliably retrieve a new rule's assigned handle (if used together with --handle option). Here are some examples of how it works: | # nft --echo --handle add table ip t | add table ip t | | # nft --echo --handle add chain ip t c \ | '{ type filter hook forward priority 0; }' | add chain ip t c { type filter hook forward priority 0; policy accept; } | | # nft --echo --handle add rule ip t c tcp dport '{22, 80}' accept | add rule ip t c tcp dport { ssh, http } accept # handle 2 | | # nft --echo --handle add set ip t ipset '{ type ipv4_addr; \ | elements = { 192.168.0.1, 192.168.0.2 }; }' | add set ip t ipset { type ipv4_addr; } | add element ip t ipset { 192.168.0.1 } | add element ip t ipset { 192.168.0.2 } Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 2 ++ include/nftables.h | 1 + 2 files changed, 3 insertions(+) (limited to 'include')
diff --git a/include/netlink.h b/include/netlink.h
index ffbc51d3..47ecef38 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -222,4 +222,6 @@ extern int netlink_monitor(struct netlink_mon_handler *monhandler,
 struct mnl_socket *nf_sock);
 bool netlink_batch_supported(struct mnl_socket *nf_sock);
+int netlink_echo_callback(const struct nlmsghdr *nlh, void *data);
+
 #endif /* NFTABLES_NETLINK_H */
diff --git a/include/nftables.h b/include/nftables.h
index 640d3c7e..ca609015 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -29,6 +29,7 @@ struct output_ctx {
 unsigned int stateless;
 unsigned int ip2name;
 unsigned int handle;
+ unsigned int echo;
 };
 struct nft_ctx {
-- cgit v1.2.3
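Review bot: The new prototype `netlink_echo_callback` in include/netlink.h carries no contract comment, so a reader of the header cannot tell what `data` must point to or what the return value means. Its shape matches libmnl's `mnl_cb_t` signature, so presumably it is registered as a receive callback for the echoed notifications and returns an `MNL_CB_*` status, but that is inferred from the signature rather than shown in this hunk. Suggest a comment above the declaration such as `/* mnl receive callback: prints the echoed netlink notification as an nft command. @data: <caller context type, fill in from the definition>. Returns an MNL_CB_* status. */`, with the placeholder replaced from the defining source file. Since this header is parsed by every includer, also confirm that `struct nlmsghdr` is already declared in scope here rather than relying on includers to pull in the netlink headers first.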
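Review bot: The new `echo` member of `struct output_ctx` in include/nftables.h is undocumented, and its relation to the neighbouring `handle` flag is not stated anywhere in the header. From the commit description it is a boolean set by the `--echo` option that makes add/insert/replace commands print the resulting notifications, with `--handle` needed to see the assigned handles; the mechanism behind it (presumably requesting echo notifications from the kernel for the batch) is not visible in this hunk. Suggest `unsigned int echo;	/* --echo: print the kernel's notification for each add/insert/replace command */`. Using `unsigned int` for a boolean-valued flag is consistent with the sibling members, so no change there; note that `struct output_ctx` opens just before the hunk and `struct nft_ctx` continues past it.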