authorPablo Neira Ayuso <pablo@netfilter.org>2018-07-03 17:24:05 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-07-07 20:53:11 +0200
commitb0f6a45b25dd1b8e4ab0e3b2dd2a00d918ae29c0 (patch)
treed2d457d0b8384aee1f7a6d176c21ec9cf8814db6
parent1dc9be8445265498a2db534ae254260b6e7dd75b (diff)
src: add --literal option
Default not to print the service name as we discussed during the NFWS. # nft list ruleset table ip x { chain y { tcp dport 22 ip saddr 1.1.1.1 } } # nft -l list ruleset table ip x { chain y { tcp dport ssh ip saddr 1.1.1.1 } } # nft -ll list ruleset table ip x { chain y { tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com } } Then, -ll displays the FQDN, just like the (now deprecated) --ip2name (-N) option. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--doc/libnftables.adoc14
-rw-r--r--include/nftables.h2
-rw-r--r--include/nftables/libnftables.h10
-rw-r--r--src/datatype.c10
-rw-r--r--src/libnftables.c8
-rw-r--r--src/main.c25
-rwxr-xr-xtests/shell/testcases/nft-f/0008split_tables_02
-rw-r--r--tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft2
-rw-r--r--tests/shell/testcases/nft-f/dumps/0009variable_0.nft4
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_0.nft2
-rw-r--r--tests/shell/testcases/optionals/dumps/comments_handles_0.nft2
-rw-r--r--tests/shell/testcases/optionals/dumps/handles_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0020comments_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft2
-rw-r--r--tests/shell/testcases/sets/dumps/0026named_limit_0.nft2
16 files changed, 59 insertions, 32 deletions
diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index adfc9420..0387652f 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -25,8 +25,8 @@ void nft_ctx_output_set_numeric(struct nft_ctx* '\*ctx'*,
bool nft_ctx_output_get_stateless(struct nft_ctx* '\*ctx'*);
void nft_ctx_output_set_stateless(struct nft_ctx* '\*ctx'*, bool* 'val'*);
-bool nft_ctx_output_get_ip2name(struct nft_ctx* '\*ctx'*);
-void nft_ctx_output_set_ip2name(struct nft_ctx* '\*ctx'*, bool* 'val'*);
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx* '\*ctx'*);
+void nft_ctx_output_set_literal(struct nft_ctx* '\*ctx'*, bool* 'val'*);
unsigned int nft_ctx_output_get_debug(struct nft_ctx* '\*ctx'*);
void nft_ctx_output_set_debug(struct nft_ctx* '\*ctx'*, unsigned int* 'mask'*);
@@ -133,14 +133,14 @@ The *nft_ctx_output_get_stateless*() function returns the stateless output setti
The *nft_ctx_output_set_stateless*() function sets the stateless output setting in 'ctx' to the value of 'val'.
-=== nft_ctx_output_get_ip2name() and nft_ctx_output_set_ip2name()
-The ip2name setting controls whether reverse DNS lookups are performed for IP addresses when printing them.
+=== nft_ctx_output_get_literal() and nft_ctx_output_set_literal()
+The literal setting controls whether reverse DNS lookups are performed for IP addresses when printing them.
Note that this may add significant delay to *list* commands depending on DNS resolver speed.
-The default setting is *false*.
+The default setting is *NFT_LITERAL_NONE*.
-The *nft_ctx_output_get_ip2name*() function returns the ip2name output setting's value in 'ctx'.
+The *nft_ctx_output_get_literal*() function returns the literal output setting's value in 'ctx'.
-The *nft_ctx_output_set_ip2name*() function sets the ip2name output setting in 'ctx' to the value of 'val'.
+The *nft_ctx_output_set_literal*() function sets the literal output setting in 'ctx' to the value of 'val'.
=== nft_ctx_output_get_debug() and nft_ctx_output_set_debug()
Libnftables supports separate debugging of different parts of its internals.
diff --git a/include/nftables.h b/include/nftables.h
index 5e209b41..25e78c80 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -18,7 +18,7 @@ struct cookie {
struct output_ctx {
unsigned int numeric;
unsigned int stateless;
- unsigned int ip2name;
+ unsigned int literal;
unsigned int handle;
unsigned int echo;
unsigned int json;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 13ec3927..dee099f2 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -33,6 +33,12 @@ enum nft_numeric_level {
NFT_NUMERIC_ALL,
};
+enum nft_literal_level {
+ NFT_LITERAL_NONE,
+ NFT_LITERAL_PORT,
+ NFT_LITERAL_ADDR,
+};
+
/**
* Possible flags to pass to nft_ctx_new()
*/
@@ -47,8 +53,8 @@ enum nft_numeric_level nft_ctx_output_get_numeric(struct nft_ctx *ctx);
void nft_ctx_output_set_numeric(struct nft_ctx *ctx, enum nft_numeric_level level);
bool nft_ctx_output_get_stateless(struct nft_ctx *ctx);
void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val);
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx);
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val);
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx);
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val);
unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx);
void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask);
bool nft_ctx_output_get_handle(struct nft_ctx *ctx);
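Review bot: The new public `enum nft_literal_level` at lines 78-82 is exported without any comment saying what each level selects, and the levels are not the cumulative ladder a reader would assume from their order. Taken together with the datatype.c hunk of this commit, `NFT_LITERAL_PORT` prints service names while `NFT_LITERAL_ADDR` enables reverse DNS for addresses but prints ports numerically again. I would add above the enum: `/* NFT_LITERAL_NONE: numeric only; NFT_LITERAL_PORT: service names for ports; NFT_LITERAL_ADDR: reverse DNS for addresses, ports numeric */`. Note also that doc/libnftables.adoc in this same commit still shows nft_ctx_output_set_literal() taking `bool val`, which no longer matches the prototype on line 94.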
diff --git a/src/datatype.c b/src/datatype.c
index 20904453..fbc3ac35 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -454,7 +454,7 @@ static void ipaddr_type_print(const struct expr *expr, struct output_ctx *octx)
sin.sin_addr.s_addr = mpz_get_be32(expr->value);
err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
sizeof(buf), NULL, 0,
- octx->ip2name ? 0 : NI_NUMERICHOST);
+ octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
if (err != 0) {
getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
sizeof(buf), NULL, 0, NI_NUMERICHOST);
@@ -512,7 +512,7 @@ static void ip6addr_type_print(const struct expr *expr, struct output_ctx *octx)
err = getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
sizeof(buf), NULL, 0,
- octx->ip2name ? 0 : NI_NUMERICHOST);
+ octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
if (err != 0) {
getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
sizeof(buf), NULL, 0, NI_NUMERICHOST);
@@ -617,11 +617,11 @@ const struct datatype inet_protocol_type = {
static void inet_service_type_print(const struct expr *expr,
struct output_ctx *octx)
{
- if (octx->numeric >= NFT_NUMERIC_PORT) {
- integer_type_print(expr, octx);
+ if (octx->literal == NFT_LITERAL_PORT) {
+ symbolic_constant_print(&inet_service_tbl, expr, false, octx);
return;
}
- symbolic_constant_print(&inet_service_tbl, expr, false, octx);
+ integer_type_print(expr, octx);
}
static struct error_record *inet_service_type_parse(const struct expr *sym,
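Review bot: The `octx->literal == NFT_LITERAL_PORT` test in inet_service_type_print makes the `NFT_LITERAL_ADDR` level fall back to numeric ports, whereas the two address printers earlier in this diff use `>= NFT_LITERAL_ADDR`, so the levels are ordered for addresses but not for ports. That does match the `-ll` example in the commit message (`tcp dport 22` next to a resolved name), so if it is intended a comment should say so, e.g. `/* -ll resolves addresses only; service names are printed just for -l */`; if it is not, `>=` would make the levels cumulative. The old `octx->numeric >= NFT_NUMERIC_PORT` check is also gone, so `-nn` no longer has any effect on port output; presumably fine now that numeric is the default, but worth stating in the commit message.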
diff --git a/src/libnftables.c b/src/libnftables.c
index 9a97a3c5..656b0a1c 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -336,14 +336,14 @@ void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val)
ctx->output.stateless = val;
}
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx)
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx)
{
- return ctx->output.ip2name;
+ return ctx->output.literal;
}
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val)
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val)
{
- ctx->output.ip2name = val;
+ ctx->output.literal = val;
}
unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx)
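Review bot: nft_ctx_output_set_literal stores `val` into `output.literal` unchecked; the only range check is in main.c, so a library caller passing a value above `NFT_LITERAL_ADDR` is treated as `NFT_LITERAL_ADDR` by the `>=` comparisons in datatype.c and silently turns on the reverse DNS lookups the adoc warns can add significant delay. With a void return the realistic options are to clamp, `if (val > NFT_LITERAL_ADDR) val = NFT_LITERAL_ADDR;` before the assignment, or to state in the header comment that only the three enumerators are valid input.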
diff --git a/src/main.c b/src/main.c
index b2966a41..792136f5 100644
--- a/src/main.c
+++ b/src/main.c
@@ -35,13 +35,14 @@ enum opt_vals {
OPT_NUMERIC = 'n',
OPT_STATELESS = 's',
OPT_IP2NAME = 'N',
+ OPT_LITERAL = 'l',
OPT_DEBUG = 'd',
OPT_HANDLE_OUTPUT = 'a',
OPT_ECHO = 'e',
OPT_INVALID = '?',
};
-#define OPTSTRING "hvcf:iI:jvnsNae"
+#define OPTSTRING "hvcf:iI:jvnsNael"
static const struct option options[] = {
{
@@ -78,6 +79,10 @@ static const struct option options[] = {
.val = OPT_IP2NAME,
},
{
+ .name = "literal",
+ .val = OPT_LITERAL,
+ },
+ {
.name = "includepath",
.val = OPT_INCLUDEPATH,
.has_arg = 1,
@@ -173,6 +178,7 @@ int main(int argc, char * const *argv)
{
char *buf = NULL, *filename = NULL;
enum nft_numeric_level numeric;
+ enum nft_literal_level literal;
bool interactive = false;
unsigned int debug_mask;
unsigned int len;
@@ -224,7 +230,22 @@ int main(int argc, char * const *argv)
nft_ctx_output_set_stateless(nft, true);
break;
case OPT_IP2NAME:
- nft_ctx_output_set_ip2name(nft, true);
+ literal = nft_ctx_output_get_literal(nft);
+ if (literal + 2 > NFT_LITERAL_ADDR) {
+ fprintf(stderr, "Cannot combine `-N' with `-l'\n");
+ exit(EXIT_FAILURE);
+ }
+ nft_ctx_output_set_literal(nft, literal + 2);
+ break;
+ case OPT_LITERAL:
+ literal = nft_ctx_output_get_literal(nft);
+ if (literal + 1 > NFT_LITERAL_ADDR) {
+ fprintf(stderr, "Too many `-l' options or "
+ "perhaps you combined `-l' "
+ "with `-N'?\n");
+ exit(EXIT_FAILURE);
+ }
+ nft_ctx_output_set_literal(nft, literal + 1);
break;
case OPT_DEBUG:
debug_mask = nft_ctx_output_get_debug(nft);
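Review bot: The `-N` branch's message `Cannot combine `-N' with `-l'` is also reached for a repeated `-N` (2 + 2 > NFT_LITERAL_ADDR), which was harmless before this commit and now aborts with a misleading reason; since `literal + 2 > NFT_LITERAL_ADDR` is exactly `literal != NFT_LITERAL_NONE`, I would write `if (literal != NFT_LITERAL_NONE) {` with the message `"`-N' cannot be repeated or combined with `-l'\n"`. The commit message calls `-N` deprecated, yet nothing here emits a deprecation notice; a single `fprintf(stderr, "-N/--ip2name is deprecated, use -ll\n");` in that branch would steer users to the new option. The diffstat shows no man page change for the new `--literal`/`-l` option, so the CLI documentation presumably still needs an update. The option loop in main continues outside the hunk.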
diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0
index c4ca717f..2631aed4 100755
--- a/tests/shell/testcases/nft-f/0008split_tables_0
+++ b/tests/shell/testcases/nft-f/0008split_tables_0
@@ -5,7 +5,7 @@ set -e
RULESET="table inet filter {
chain ssh {
type filter hook input priority 0; policy accept;
- tcp dport ssh accept;
+ tcp dport 22 accept;
}
}
diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
index 1211411f..1ab6e864 100644
--- a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
@@ -1,7 +1,7 @@
table inet filter {
chain ssh {
type filter hook input priority 0; policy accept;
- tcp dport ssh accept
+ tcp dport 22 accept
}
chain input {
diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
index a793751b..7f59a273 100644
--- a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
@@ -1,7 +1,7 @@
table inet forward {
set concat-set-variable {
type ipv4_addr . inet_service
- elements = { 10.10.10.10 . smtp,
- 10.10.10.10 . imap2 }
+ elements = { 10.10.10.10 . 25,
+ 10.10.10.10 . 143 }
}
}
diff --git a/tests/shell/testcases/optionals/dumps/comments_0.nft b/tests/shell/testcases/optionals/dumps/comments_0.nft
index 416a07e0..f47e0d51 100644
--- a/tests/shell/testcases/optionals/dumps/comments_0.nft
+++ b/tests/shell/testcases/optionals/dumps/comments_0.nft
@@ -1,5 +1,5 @@
table ip test {
chain test {
- tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment"
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
}
}
diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
index 416a07e0..f47e0d51 100644
--- a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
+++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
@@ -1,5 +1,5 @@
table ip test {
chain test {
- tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment"
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
}
}
diff --git a/tests/shell/testcases/optionals/dumps/handles_0.nft b/tests/shell/testcases/optionals/dumps/handles_0.nft
index eb0af811..085c6cf1 100644
--- a/tests/shell/testcases/optionals/dumps/handles_0.nft
+++ b/tests/shell/testcases/optionals/dumps/handles_0.nft
@@ -1,5 +1,5 @@
table ip test {
chain test {
- tcp dport ssh counter packets 0 bytes 0 accept
+ tcp dport 22 counter packets 0 bytes 0 accept
}
}
diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.nft b/tests/shell/testcases/sets/dumps/0020comments_0.nft
index d5330848..8b7d60aa 100644
--- a/tests/shell/testcases/sets/dumps/0020comments_0.nft
+++ b/tests/shell/testcases/sets/dumps/0020comments_0.nft
@@ -1,6 +1,6 @@
table inet t {
set s {
type inet_service
- elements = { ssh comment "test" }
+ elements = { 22 comment "test" }
}
}
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
index 58c213ff..e518906c 100644
--- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
@@ -8,6 +8,6 @@ table ip t {
}
chain c {
- tcp dport http meter f size 1024 { ip saddr limit rate 10/second}
+ tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second}
}
}
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
index c823ae9d..78b7dec5 100644
--- a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
@@ -2,6 +2,6 @@ table ip t {
chain c {
type filter hook output priority 0; policy accept;
ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
- tcp dport { ssh, telnet } counter packets 0 bytes 0
+ tcp dport { 22, 23 } counter packets 0 bytes 0
}
}
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
index 0d1f1254..5d63ab20 100644
--- a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
@@ -5,6 +5,6 @@ table ip filter {
chain input {
type filter hook input priority 0; policy accept;
- limit name tcp dport map { http : "http-traffic", https : "http-traffic" }
+ limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic" }
}
}