From 3c69cf7603534ef6df01ec079c6a4d3d3382f580 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 27 Oct 2018 11:55:00 +0200 Subject: src: add nft_ctx_output_{get,set}_handle() to nft_ctx_output_{get,set}_flags Add NFT_CTX_OUTPUT_HANDLE flag and print handle that uniquely identify objects from new output flags interface. Acked-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- doc/libnftables.adoc | 20 ++++++-------------- include/nftables.h | 6 +++++- include/nftables/libnftables.h | 3 +-- src/libnftables.c | 10 ---------- src/main.c | 2 +- src/monitor.c | 2 +- src/rule.c | 22 +++++++++++----------- 7 files changed, 25 insertions(+), 40 deletions(-) diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc index c0ce5be2..dbd38bdd 100644 --- a/doc/libnftables.adoc +++ b/doc/libnftables.adoc @@ -28,9 +28,6 @@ void nft_ctx_output_set_numeric(struct nft_ctx* '\*ctx'*, unsigned int nft_ctx_output_get_debug(struct nft_ctx* '\*ctx'*); void nft_ctx_output_set_debug(struct nft_ctx* '\*ctx'*, unsigned int* 'mask'*); -bool nft_ctx_output_get_handle(struct nft_ctx* '\*ctx'*); -void nft_ctx_output_set_handle(struct nft_ctx* '\*ctx'*, bool* 'val'*); - bool nft_ctx_output_get_echo(struct nft_ctx* '\*ctx'*); void nft_ctx_output_set_echo(struct nft_ctx* '\*ctx'*, bool* 'val'*); @@ -96,6 +93,7 @@ enum { NFT_CTX_OUTPUT_REVERSEDNS = (1 << 0), NFT_CTX_OUTPUT_SERVICE = (1 << 1), NFT_CTX_OUTPUT_STATELESS = (1 << 2), + NFT_CTX_OUTPUT_HANDLE = (1 << 3), }; ---- 
@@ -106,6 +104,11 @@ NFT_CTX_OUTPUT_SERVICE:: NFT_CTX_OUTPUT_STATELESS:: If stateless output has been requested then stateful data is not printed. Stateful data refers to those objects that carry run-time data, eg. the *counter* statement holds packet and byte counter values, making it stateful. +NFT_CTX_OUTPUT_HANDLE:: + Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes. +For example, when deleting a table or chain, it may be identified either by name or handle. +Rules on the other hand must be deleted by handle because there is no other way to uniquely identify them. +This flag makes ruleset listings include handle values. The *nft_ctx_output_get_flags*() function returns the output flags setting's value in 'ctx'. @@ -178,17 +181,6 @@ The *nft_ctx_output_get_debug*() function returns the debug output setting's val The *nft_ctx_output_set_debug*() function sets the debug output setting in 'ctx' to the value of 'mask'. -=== nft_ctx_output_get_handle() and nft_ctx_output_set_handle() -Upon insertion into the ruleset, some elements are assigned a unique handle for identification purposes. -For example, when deleting a table or chain, it may be identified either by name or handle. -Rules on the other hand must be deleted by handle because there is no other way to uniquely identify them. -These functions allow to control whether ruleset listings should include handles or not. -The default setting is *false*. - -The *nft_ctx_output_get_handle*() function returns the handle output setting's value in 'ctx'. - -The *nft_ctx_output_set_handle*() function sets the handle output setting in 'ctx' to the value of 'val'. - === nft_ctx_output_get_echo() and nft_ctx_output_set_echo() The echo setting makes libnftables print the changes once they are committed to the kernel, just like a running instance of *nft monitor* would. Amongst other things, this allows to retrieve an added rule's handle atomically. 
diff --git a/include/nftables.h b/include/nftables.h
index cb36e066..e0e7a113 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -18,7 +18,6 @@ struct cookie {
 struct output_ctx {
 	unsigned int flags;
 	unsigned int numeric;
-	unsigned int handle;
 	unsigned int echo;
 	unsigned int json;
 	union {
@@ -46,6 +45,11 @@ static inline bool nft_output_stateless(const struct output_ctx *octx)
 	return octx->flags & NFT_CTX_OUTPUT_STATELESS;
 }
 
+static inline bool nft_output_handle(const struct output_ctx *octx)
+{
+	return octx->flags & NFT_CTX_OUTPUT_HANDLE;
+}
+
 struct nft_cache {
 	uint16_t genid;
 	struct list_head list;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 4f1c1090..a6ce9383 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -48,6 +48,7 @@ enum {
 	NFT_CTX_OUTPUT_REVERSEDNS = (1 << 0),
 	NFT_CTX_OUTPUT_SERVICE = (1 << 1),
 	NFT_CTX_OUTPUT_STATELESS = (1 << 2),
+	NFT_CTX_OUTPUT_HANDLE = (1 << 3),
 };
 
 unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);
@@ -57,8 +58,6 @@ enum nft_numeric_level nft_ctx_output_get_numeric(struct nft_ctx *ctx);
 void nft_ctx_output_set_numeric(struct nft_ctx *ctx, enum nft_numeric_level level);
 unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx);
 void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask);
-bool nft_ctx_output_get_handle(struct nft_ctx *ctx);
-void nft_ctx_output_set_handle(struct nft_ctx *ctx, bool val);
 bool nft_ctx_output_get_echo(struct nft_ctx *ctx);
 void nft_ctx_output_set_echo(struct nft_ctx *ctx, bool val);
 bool nft_ctx_output_get_json(struct nft_ctx *ctx);
diff --git a/src/libnftables.c b/src/libnftables.c
index 35e755e9..6dc1be3d 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
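Review bot: Dropping `nft_ctx_output_get_handle()` and `nft_ctx_output_set_handle()` from include/nftables/libnftables.h is a source- and link-level API break for anything already built against libnftables, and nothing in the hunk points consumers at the replacement. If these symbols have shipped in a released shared library, keep the two declarations as deprecated wrappers over the flags word — `bool nft_ctx_output_get_handle(struct nft_ctx *ctx) __attribute__((deprecated));` and `void nft_ctx_output_set_handle(struct nft_ctx *ctx, bool val) __attribute__((deprecated));` — with bodies in src/libnftables.c that read and update `NFT_CTX_OUTPUT_HANDLE` through `nft_ctx_output_{get,set}_flags()`; if the flags interface has not been released yet, a sentence in the commit message saying so would settle it. Whether `nft_ctx_output_set_flags()` masks unknown bits is not visible here; now that a fourth bit is defined it is worth confirming that bits above `NFT_CTX_OUTPUT_HANDLE` are rejected rather than silently stored.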
@@ -342,16 +342,6 @@ void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask)
 	ctx->debug_mask = mask;
 }
 
-bool nft_ctx_output_get_handle(struct nft_ctx *ctx)
-{
-	return ctx->output.handle;
-}
-
-void nft_ctx_output_set_handle(struct nft_ctx *ctx, bool val)
-{
-	ctx->output.handle = val;
-}
-
 bool nft_ctx_output_get_echo(struct nft_ctx *ctx)
 {
 	return ctx->output.echo;
diff --git a/src/main.c b/src/main.c
index 384bde5c..7cf3bb68 100644
--- a/src/main.c
+++ b/src/main.c
@@ -266,7 +266,7 @@ int main(int argc, char * const *argv)
 			nft_ctx_output_set_debug(nft, debug_mask);
 			break;
 		case OPT_HANDLE_OUTPUT:
-			nft_ctx_output_set_handle(nft, true);
+			output_flags |= NFT_CTX_OUTPUT_HANDLE;
 			break;
 		case OPT_ECHO:
 			nft_ctx_output_set_echo(nft, true);
diff --git a/src/monitor.c b/src/monitor.c
index 88a61de4..9e3c43dc 100644
--- a/src/monitor.c
+++ b/src/monitor.c
@@ -214,7 +214,7 @@ static int netlink_events_table_cb(const struct nlmsghdr *nlh, int type,
 		nft_mon_print(monh, "%s %s", family2str(t->handle.family),
 			      t->handle.table.name);
-		if (monh->ctx->nft->output.handle > 0)
+		if (nft_output_handle(&monh->ctx->nft->output))
 			nft_mon_print(monh, " # handle %" PRIu64 "",
 				      t->handle.handle.id);
 		break;
diff --git a/src/rule.c b/src/rule.c
index 35c60de4..da1bdc44 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -412,7 +412,7 @@ static void set_print_declaration(const struct set *set,
 
 	nft_print(octx, " %s {", set->handle.set.name);
 
-	if (octx->handle > 0)
+	if (nft_output_handle(octx))
 		nft_print(octx, " # handle %" PRIu64, set->handle.handle.id);
 	nft_print(octx, "%s", opts->nl);
 	nft_print(octx, "%s%stype %s",
@@ -567,7 +567,7 @@ void rule_print(const struct rule *rule, struct output_ctx *octx)
 	if (rule->comment)
 		nft_print(octx, " comment \"%s\"", rule->comment);
 
-	if (octx->handle > 0)
+	if (nft_output_handle(octx))
 		nft_print(octx, " # handle %" PRIu64, rule->handle.handle.id);
 }
 
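Review bot: In the src/main.c hunk the `--handle` option no longer takes effect at the point it is parsed: `output_flags |= NFT_CTX_OUTPUT_HANDLE;` only records the request, and the flag reaches the context only when `output_flags` is handed to `nft_ctx_output_set_flags()`, which is outside this hunk (the enclosing `main()` switch starts and ends outside it). Worth confirming that this call happens after the option loop on every path that goes on to print a ruleset, since a missed call would turn the option into a silent no-op rather than an error. A one-line comment on the case, `/* applied via nft_ctx_output_set_flags() once all options are parsed */`, would make the deferred effect obvious to the next reader.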
@@ -995,7 +995,7 @@ static void chain_print_declaration(const struct chain *chain,
 	char priobuf[STD_PRIO_BUFSIZE];
 
 	nft_print(octx, "\tchain %s {", chain->handle.chain.name);
-	if (octx->handle > 0)
+	if (nft_output_handle(octx))
 		nft_print(octx, " # handle %" PRIu64, chain->handle.handle.id);
 	nft_print(octx, "\n");
 	if (chain->flags & CHAIN_F_BASECHAIN) {
@@ -1040,7 +1040,7 @@ void chain_print_plain(const struct chain *chain, struct output_ctx *octx)
 				  chain->priority.num, octx->numeric),
 			  chain_policy2str(chain->policy));
 	}
-	if (octx->handle > 0)
+	if (nft_output_handle(octx))
 		nft_print(octx, " # handle %" PRIu64, chain->handle.handle.id);
 }
 
@@ -1137,7 +1137,7 @@ static void table_print(const struct table *table, struct output_ctx *octx)
 	const char *family = family2str(table->handle.family);
 
 	nft_print(octx, "table %s %s {", family, table->handle.table.name);
-	if (octx->handle > 0)
+	if (nft_output_handle(octx))
 		nft_print(octx, " # handle %" PRIu64, table->handle.handle.id);
 	nft_print(octx, "\n");
 	table_print_options(table, &delim, octx);
@@ -1680,7 +1680,7 @@ static void obj_print_data(const struct obj *obj,
 	switch (obj->type) {
 	case NFT_OBJECT_COUNTER:
 		nft_print(octx, " %s {", obj->handle.obj.name);
-		if (octx->handle > 0)
+		if (nft_output_handle(octx))
 			nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 		nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 		if (nft_output_stateless(octx)) {
@@ -1695,7 +1695,7 @@ static void obj_print_data(const struct obj *obj,
 		uint64_t bytes;
 
 		nft_print(octx, " %s {", obj->handle.obj.name);
-		if (octx->handle > 0)
+		if (nft_output_handle(octx))
 			nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 		nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 		data_unit = get_rate(obj->quota.bytes, &bytes);
@@ -1712,14 +1712,14 @@ static void obj_print_data(const struct obj *obj,
 		break;
 	case NFT_OBJECT_SECMARK:
 		nft_print(octx, " %s {", obj->handle.obj.name);
-		if (octx->handle > 0)
+		if (nft_output_handle(octx))
 			nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 		nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 		nft_print(octx, "%s", obj->secmark.ctx);
 		break;
 	case NFT_OBJECT_CT_HELPER:
 		nft_print(octx, " %s {", obj->handle.obj.name);
-		if (octx->handle > 0)
+		if (nft_output_handle(octx))
 			nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 		nft_print(octx, "%s", opts->nl);
 		nft_print(octx, "%s%stype \"%s\" protocol ",
@@ -1733,7 +1733,7 @@ static void obj_print_data(const struct obj *obj,
 		break;
 	case NFT_OBJECT_CT_TIMEOUT:
 		nft_print(octx, " %s {", obj->handle.obj.name);
-		if (octx->handle > 0)
+		if (nft_output_handle(octx))
 			nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 		nft_print(octx, "%s", opts->nl);
 		nft_print(octx, "%s%sprotocol ", opts->tab, opts->tab);
@@ -1752,7 +1752,7 @@ static void obj_print_data(const struct obj *obj,
 		uint64_t rate;
 
 		nft_print(octx, " %s {", obj->handle.obj.name);
-		if (octx->handle > 0)
+		if (nft_output_handle(octx))
 			nft_print(octx, " # handle %" PRIu64, obj->handle.handle.id);
 		nft_print(octx, "%s%s%s", opts->nl, opts->tab, opts->tab);
 		switch (obj->limit.type) {
-- 
cgit v1.2.3
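Review bot: The pair `if (nft_output_handle(octx))` / `nft_print(octx, " # handle %" PRIu64, ...->handle.handle.id);` is now copied at every print site in src/rule.c (three more times in this hunk alone), so the check and the format string have to be kept in sync by hand and the next output option will be threaded through a dozen copies again. A small static helper taking the 64-bit id keeps both in one place and collapses each site to a single call such as `print_handle_id(octx, obj->handle.handle.id);`; this is a style point, behaviour is unchanged. obj_print_data starts and ends outside the hunk.
```c
/* Print the " # handle N" suffix when handle output is enabled. */
static void print_handle_id(struct output_ctx *octx, uint64_t id)
{
	if (nft_output_handle(octx))
		nft_print(octx, " # handle %" PRIu64, id);
}

/* … unchanged: obj_print_data up to the SECMARK case … */
	case NFT_OBJECT_SECMARK:
		nft_print(octx, " %s {", obj->handle.obj.name);
		print_handle_id(octx, obj->handle.handle.id);
		/* … unchanged: remaining cases, same one-line substitution … */
```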