authorPhil Sutter <phil@nwl.cc>2018-08-04 13:10:19 +0200
committerFlorian Westphal <fw@strlen.de>2018-08-04 23:58:45 +0200
commit2ce9f65a374bad212899bc584d3e5f4698df6fc6 (patch)
tree471dc1f9624e772b9072c63ef54546453b0ad8e1 /iptables/nft.c
parentcd79556bfa15056f2a430e57993a2a64c734b3cf (diff)
xtables: Match verbose ip{,6}tables output with legacy
Legacy ip{,6}tables prints feedback for various commands if in verbose mode, make sure nft variants do the same. There is one difference, namely when checking a rule (-C command): Legacy ip{,6}tables print the rule in any case, nft variants don't in case the rule wasn't found. Changing this though would require to populate the nftnl_rule object just for printing, which is probably not feasible. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c39
1 files changed, 31 insertions, 8 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 154ae19c..ea58495b 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1176,6 +1176,9 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
if (batch_rule_add(h, type, r) < 0)
nftnl_rule_free(r);
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+
if (!nft_rule_list_get(h))
return 0;
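Review bot: The added `h->ops->print_rule(r, 0, FMT_PRINT_RULE);` in nft_rule_append still runs after `batch_rule_add()` has failed and `nftnl_rule_free(r)` has released `r`, so verbose mode reads a freed rule on that error path. Leave the function as soon as the rule is freed, e.g. `if (batch_rule_add(h, type, r) < 0) { nftnl_rule_free(r); return 0; }`, assuming 0 is the failure return here as it appears to be two lines below. The function body continues outside the hunk, so any later use of `r` there should be checked the same way. The nft_rule_delete hunk has a related problem: it prints the rule even when `__nft_rule_del()` returned a negative value, which reports a deletion that did not happen and, if that helper frees `r` on failure (not visible here), is also a read of freed memory. `else if (verbose)` after the `ret < 0` check would cover it.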
@@ -1474,7 +1477,8 @@ int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
return 1;
}
-int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
+int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
+ bool verbose)
{
int ret = 0;
struct nftnl_chain_list *list;
@@ -1511,6 +1515,9 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
if (chain != NULL && strcmp(chain, chain_name) != 0)
goto next;
+ if (verbose)
+ fprintf(stdout, "Flushing chain `%s'\n", chain_name);
+
__nft_rule_flush(h, table_name, chain_name);
if (chain != NULL)
@@ -1558,7 +1565,8 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
#define NLM_F_NONREC 0x100 /* Do not delete recursively */
#endif
-int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table)
+int nft_chain_user_del(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose)
{
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
@@ -1593,6 +1601,9 @@ int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *tabl
if (chain != NULL && strcmp(chain, chain_name) != 0)
goto next;
+ if (verbose)
+ fprintf(stdout, "Deleting chain `%s'\n", chain);
+
ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
if (ret < 0)
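Review bot: The verbose message in nft_chain_user_del formats `chain` rather than `chain_name`, and the guard just above (`chain != NULL && strcmp(...)`) shows that `chain` may be NULL when no chain was named. Passing NULL to `%s` is undefined behaviour, and even where libc tolerates it the output would not name the chain being deleted. The flush and zero-counters hunks already use the per-iteration name, so this should read `fprintf(stdout, "Deleting chain `%s'\n", chain_name);`. The loop and the rest of the function lie outside this hunk.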
@@ -1958,7 +1969,7 @@ int nft_rule_check(struct nft_handle *h, const char *chain,
const char *table, void *data, bool verbose)
{
struct nftnl_rule_list *list;
- int ret;
+ struct nftnl_rule *r;
nft_fn = nft_rule_check;
@@ -1966,11 +1977,15 @@ int nft_rule_check(struct nft_handle *h, const char *chain,
if (list == NULL)
return 0;
- ret = nft_rule_find(h, list, chain, table, data, -1) ? 1 : 0;
- if (ret == 0)
+ r = nft_rule_find(h, list, chain, table, data, -1);
+ if (r == NULL) {
errno = ENOENT;
+ return 0;
+ }
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
- return ret;
+ return 1;
}
int nft_rule_delete(struct nft_handle *h, const char *chain,
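Review bot: The not-found branch of nft_rule_check returns without printing, a deliberate difference from legacy ip{,6}tables that is explained only in the commit message. A short comment inside the `if (r == NULL)` block would keep that visible to later readers, for example `/* unlike legacy, nothing is printed here: there is no nftnl_rule to print when the lookup fails */`. The function starts in the previous hunk, so the acquisition of `list` is not visible here.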
@@ -1991,6 +2006,8 @@ int nft_rule_delete(struct nft_handle *h, const char *chain,
ret =__nft_rule_del(h, list, r);
if (ret < 0)
errno = ENOMEM;
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
} else
errno = ENOENT;
@@ -2016,6 +2033,9 @@ nft_rule_add(struct nft_handle *h, const char *chain,
return NULL;
}
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+
return r;
}
@@ -2894,8 +2914,8 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,
return h->config_done;
}
-int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
- const char *table)
+int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose)
{
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
@@ -2923,6 +2943,9 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
if (chain != NULL && strcmp(chain, chain_name) != 0)
goto next;
+ if (verbose)
+ fprintf(stdout, "Zeroing chain `%s'\n", chain_name);
+
nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0);
nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0);