From a42d2865bc7e96fe63276e22acd523d996aaf0a4 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 24 Oct 2018 17:37:47 +0200 Subject: src: Revert --literal, add -S/--service This is a partial revert of b0f6a45b25dd1 ("src: add --literal option") which was added during the development cycle before 0.9.1 is released. After looking at patch: https://patchwork.ozlabs.org/patch/969864/ that allows to print priority, uid, gid and protocols as numerics, I decided to revisit this to provide individual options to turn on literal printing. What I'm proposing is to provide a good default for everyone, and provide options to turn on literal/numeric printing. This patch adds nft_ctx_output_{set,get}_flags() and define two flags to enable reverse DNS lookups and to print ports as service names. This patch introduces -S/--services, to print service names as per /etc/services. Acked-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- src/datatype.c | 6 +++--- src/expression.c | 6 ++++-- src/json.c | 7 ++++--- src/libnftables.c | 8 ++++---- src/main.c | 31 +++++++++++-------------------- 5 files changed, 26 insertions(+), 32 deletions(-) (limited to 'src') diff --git a/src/datatype.c b/src/datatype.c index 50af3df0..48eaca27 100644 --- a/src/datatype.c +++ b/src/datatype.c @@ -454,7 +454,7 @@ static void ipaddr_type_print(const struct expr *expr, struct output_ctx *octx) sin.sin_addr.s_addr = mpz_get_be32(expr->value); err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf, sizeof(buf), NULL, 0, - octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST); + nft_output_reversedns(octx) ? 0 : NI_NUMERICHOST); if (err != 0) { getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf, sizeof(buf), NULL, 0, NI_NUMERICHOST); 
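Review bot: The name that getnameinfo() writes into `buf` when NFT_CTX_OUTPUT_REVERSEDNS is set comes from a PTR record controlled by whoever runs the reverse zone, and that string is what the listing prints in place of the address; a name that does not resolve forward to the same address, or one containing a hyphen inside a range, will not round-trip through `nft -f`. The hunk only re-keys the existing `-N` behaviour onto the new flag, so this is not a regression, but now that `-N` is a plain output flag a one-line comment above the call would help the next reader: `/* -N: PTR lookup; names are informational and may not re-parse */`. `nft_output_reversedns()` is not defined anywhere in this diff (the stat is limited to src/), so I assume it tests the flag bit in a header. ipaddr_type_print() starts before the hunk.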
@@ -512,7 +512,7 @@ static void ip6addr_type_print(const struct expr *expr, struct output_ctx *octx) err = getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf, sizeof(buf), NULL, 0, - octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST); + nft_output_reversedns(octx) ? 0 : NI_NUMERICHOST); if (err != 0) { getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf, sizeof(buf), NULL, 0, NI_NUMERICHOST); @@ -648,7 +648,7 @@ static void inet_service_print(const struct expr *expr, struct output_ctx *octx) void inet_service_type_print(const struct expr *expr, struct output_ctx *octx) { - if (octx->literal >= NFT_LITERAL_PORT) { + if (nft_output_service(octx)) { inet_service_print(expr, octx); return; } diff --git a/src/expression.c b/src/expression.c index 0bd51122..d1d6bee4 100644 --- a/src/expression.c +++ b/src/expression.c @@ -660,11 +660,13 @@ void relational_expr_pctx_update(struct proto_ctx *ctx, static void range_expr_print(const struct expr *expr, struct output_ctx *octx) { - octx->numeric += NFT_NUMERIC_ALL + 1; + unsigned int flags = octx->flags; + + octx->flags &= ~NFT_CTX_OUTPUT_SERVICE; expr_print(expr->left, octx); nft_print(octx, "-"); expr_print(expr->right, octx); - octx->numeric -= NFT_NUMERIC_ALL + 1; + octx->flags = flags; } static void range_expr_clone(struct expr *new, const struct expr *expr) diff --git a/src/json.c b/src/json.c index f08a3b64..5c426ce7 100644 --- a/src/json.c +++ b/src/json.c @@ -444,13 +444,14 @@ json_t *relational_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *range_expr_json(const struct expr *expr, struct output_ctx *octx) { + unsigned int flags = octx->flags; json_t *root; - octx->numeric += NFT_NUMERIC_ALL + 1; + octx->flags &= ~NFT_CTX_OUTPUT_SERVICE; root = json_pack("{s:[o, o]}", "range", expr_print_json(expr->left, octx), expr_print_json(expr->right, octx)); - octx->numeric -= NFT_NUMERIC_ALL + 1; + octx->flags = flags; return root; } 
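Review bot: `octx->flags &= ~NFT_CTX_OUTPUT_SERVICE` in range_expr_print() suppresses only service names inside a range, whereas the removed `octx->numeric += NFT_NUMERIC_ALL + 1` forced every component numeric; if protocol/uid/gid printing keys off `octx->numeric` as the `-n` help text suggests, a protocol range such as `17-58` may now print as `udp-ipv6-icmp`, and with `-N` an address range still prints as `host-a-host-b` (the old `literal` test ignored `numeric` too) — both ambiguous to re-parse because the names themselves contain hyphens. Clearing the reverse-DNS bit as well, `octx->flags &= ~(NFT_CTX_OUTPUT_SERVICE | NFT_CTX_OUTPUT_REVERSEDNS);`, covers the address case; the protocol case needs the numeric level raised as before or the flag approach extended to it. The same mask is duplicated in range_expr_json() and should be changed in step so the text and JSON printers do not drift.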
@@ -976,7 +977,7 @@ json_t *inet_service_type_json(const struct expr *expr, struct output_ctx *octx) }; char buf[NI_MAXSERV]; - if (octx->literal < NFT_LITERAL_PORT || + if (!nft_output_service(octx) || getnameinfo((struct sockaddr *)&sin, sizeof(sin), NULL, 0, buf, sizeof(buf), 0)) return json_integer(ntohs(sin.sin_port)); diff --git a/src/libnftables.c b/src/libnftables.c index 2f67bb34..06d7c177 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -333,14 +333,14 @@ void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val) ctx->output.stateless = val; } -enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx) +unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx) { - return ctx->output.literal; + return ctx->output.flags; } -void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val) +void nft_ctx_output_set_flags(struct nft_ctx *ctx, unsigned int flags) { - ctx->output.literal = val; + ctx->output.flags = flags; } unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx) diff --git a/src/main.c b/src/main.c index 792136f5..86c8fe88 100644 --- a/src/main.c +++ b/src/main.c @@ -35,14 +35,14 @@ enum opt_vals { OPT_NUMERIC = 'n', OPT_STATELESS = 's', OPT_IP2NAME = 'N', - OPT_LITERAL = 'l', + OPT_SERVICE = 'S', OPT_DEBUG = 'd', OPT_HANDLE_OUTPUT = 'a', OPT_ECHO = 'e', OPT_INVALID = '?', }; -#define OPTSTRING "hvcf:iI:jvnsNael" +#define OPTSTRING "hvcf:iI:jvnsNaeS" static const struct option options[] = { { @@ -79,8 +79,8 @@ static const struct option options[] = { .val = OPT_IP2NAME, }, { - .name = "literal", - .val = OPT_LITERAL, + .name = "service", + .val = OPT_SERVICE, }, { .name = "includepath", 
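Review bot: `nft_ctx_output_set_flags()` is exported library API and stores whatever `flags` value it is handed, so bits other than NFT_CTX_OUTPUT_REVERSEDNS and NFT_CTX_OUTPUT_SERVICE are accepted silently today and will acquire meaning whenever a later release defines them. Either mask to the known bits, `ctx->output.flags = flags & (NFT_CTX_OUTPUT_REVERSEDNS | NFT_CTX_OUTPUT_SERVICE);`, or state the contract on the setter with a comment such as `/* flags: OR of NFT_CTX_OUTPUT_* bits; unknown bits are reserved and must be zero */`. The header and symbol map that declare the renamed getter/setter are outside this diff (limited to src/), so I cannot confirm they were updated alongside.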
@@ -128,6 +128,7 @@ static void show_help(const char *name) " Specify three times to also show protocols, user IDs, and group IDs numerically.\n" " -s, --stateless Omit stateful information of ruleset.\n" " -N Translate IP addresses to names.\n" +" -S, --service Translate ports to service names as described in /etc/services.\n" " -a, --handle Output rule handle.\n" " -e, --echo Echo what has been added, inserted or replaced.\n" " -I, --includepath Add to the paths searched for include files. Default is: %s\n" @@ -178,7 +179,7 @@ int main(int argc, char * const *argv) { char *buf = NULL, *filename = NULL; enum nft_numeric_level numeric; - enum nft_literal_level literal; + unsigned int output_flags = 0; bool interactive = false; unsigned int debug_mask; unsigned int len; @@ -230,22 +231,10 @@ int main(int argc, char * const *argv) nft_ctx_output_set_stateless(nft, true); break; case OPT_IP2NAME: - literal = nft_ctx_output_get_literal(nft); - if (literal + 2 > NFT_LITERAL_ADDR) { - fprintf(stderr, "Cannot combine `-N' with `-l'\n"); - exit(EXIT_FAILURE); - } - nft_ctx_output_set_literal(nft, literal + 2); + output_flags |= NFT_CTX_OUTPUT_REVERSEDNS; break; - case OPT_LITERAL: - literal = nft_ctx_output_get_literal(nft); - if (literal + 1 > NFT_LITERAL_ADDR) { - fprintf(stderr, "Too many `-l' options or " - "perhaps you combined `-l' " - "with `-N'?\n"); - exit(EXIT_FAILURE); - } - nft_ctx_output_set_literal(nft, literal + 1); + case OPT_SERVICE: + output_flags |= NFT_CTX_OUTPUT_SERVICE; break; case OPT_DEBUG: debug_mask = nft_ctx_output_get_debug(nft); @@ -290,6 +279,8 @@ int main(int argc, char * const *argv) } } + nft_ctx_output_set_flags(nft, output_flags); + if (optind != argc) { for (len = 0, i = optind; i < argc; i++) len += strlen(argv[i]) + strlen(" "); -- cgit v1.2.3
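Review bot: The help line and the options table spell the long option `--service`, while the commit message advertises `-S/--services`; getopt_long() matches exact names or unambiguous prefixes only, so `--services` as documented in the message will be rejected. Settle on one spelling before release — either rename the table entry and help line to `--services` (plural mirrors the `/etc/services` wording) or correct the message — and make sure the man page, which is not part of this diff, carries the same name.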
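Review bot: `nft_ctx_output_set_flags(nft, output_flags);` after the option loop replaces the context's flags wholesale, so any default bits `nft_ctx_new()` may have set (not visible here) are discarded, and the pattern differs from the OPT_DEBUG case in the same switch, which read-modify-writes the context in place. Writing `nft_ctx_output_set_flags(nft, nft_ctx_output_get_flags(nft) | output_flags);` preserves defaults, or drop the local and OR each bit into the context inside the switch as OPT_DEBUG already does. main() continues past the end of this hunk.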