From b0f6a45b25dd1b8e4ab0e3b2dd2a00d918ae29c0 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 3 Jul 2018 17:24:05 +0200 Subject: src: add --literal option Default not to print the service name as we discussed during the NFWS. # nft list ruleset table ip x { chain y { tcp dport 22 ip saddr 1.1.1.1 } } # nft -l list ruleset table ip x { chain y { tcp dport ssh ip saddr 1.1.1.1 } } # nft -ll list ruleset table ip x { chain y { tcp dport 22 ip saddr 1dot1dot1dot1.cloudflare-dns.com } } Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N) option. Signed-off-by: Pablo Neira Ayuso --- doc/libnftables.adoc | 14 ++++++------ include/nftables.h | 2 +- include/nftables/libnftables.h | 10 +++++++-- src/datatype.c | 10 ++++----- src/libnftables.c | 8 +++---- src/main.c | 25 ++++++++++++++++++++-- tests/shell/testcases/nft-f/0008split_tables_0 | 2 +- .../testcases/nft-f/dumps/0008split_tables_0.nft | 2 +- .../shell/testcases/nft-f/dumps/0009variable_0.nft | 4 ++-- .../shell/testcases/optionals/dumps/comments_0.nft | 2 +- .../optionals/dumps/comments_handles_0.nft | 2 +- .../shell/testcases/optionals/dumps/handles_0.nft | 2 +- .../shell/testcases/sets/dumps/0020comments_0.nft | 2 +- .../sets/dumps/0022type_selective_flush_0.nft | 2 +- .../testcases/sets/dumps/0025anonymous_set_0.nft | 2 +- .../testcases/sets/dumps/0026named_limit_0.nft | 2 +- 16 files changed, 59 insertions(+), 32 deletions(-) diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc index adfc9420..0387652f 100644 --- a/doc/libnftables.adoc +++ b/doc/libnftables.adoc 
@@ -25,8 +25,8 @@ void nft_ctx_output_set_numeric(struct nft_ctx* '\*ctx'*, bool nft_ctx_output_get_stateless(struct nft_ctx* '\*ctx'*); void nft_ctx_output_set_stateless(struct nft_ctx* '\*ctx'*, bool* 'val'*); -bool nft_ctx_output_get_ip2name(struct nft_ctx* '\*ctx'*); -void nft_ctx_output_set_ip2name(struct nft_ctx* '\*ctx'*, bool* 'val'*); +enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx* '\*ctx'*); +void nft_ctx_output_set_literal(struct nft_ctx* '\*ctx'*, bool* 'val'*); unsigned int nft_ctx_output_get_debug(struct nft_ctx* '\*ctx'*); void nft_ctx_output_set_debug(struct nft_ctx* '\*ctx'*, unsigned int* 'mask'*); @@ -133,14 +133,14 @@ The *nft_ctx_output_get_stateless*() function returns the stateless output setti The *nft_ctx_output_set_stateless*() function sets the stateless output setting in 'ctx' to the value of 'val'. -=== nft_ctx_output_get_ip2name() and nft_ctx_output_set_ip2name() -The ip2name setting controls whether reverse DNS lookups are performed for IP addresses when printing them. +=== nft_ctx_output_get_literal() and nft_ctx_output_set_literal() +The literal setting controls whether reverse DNS lookups are performed for IP addresses when printing them. Note that this may add significant delay to *list* commands depending on DNS resolver speed. -The default setting is *false*. +The default setting is *NFT_LITERAL_NONE*. -The *nft_ctx_output_get_ip2name*() function returns the ip2name output setting's value in 'ctx'. +The *nft_ctx_output_get_literal*() function returns the literal output setting's value in 'ctx'. -The *nft_ctx_output_set_ip2name*() function sets the ip2name output setting in 'ctx' to the value of 'val'. +The *nft_ctx_output_set_literal*() function sets the literal output setting in 'ctx' to the value of 'val'. === nft_ctx_output_get_debug() and nft_ctx_output_set_debug() Libnftables supports separate debugging of different parts of its internals. 
diff --git a/include/nftables.h b/include/nftables.h
index 5e209b41..25e78c80 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -18,7 +18,7 @@ struct cookie {
 struct output_ctx {
 unsigned int numeric;
 unsigned int stateless;
- unsigned int ip2name;
+ unsigned int literal;
 unsigned int handle;
 unsigned int echo;
 unsigned int json;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 13ec3927..dee099f2 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -33,6 +33,12 @@ enum nft_numeric_level {
 NFT_NUMERIC_ALL,
 };
 
+enum nft_literal_level {
+ NFT_LITERAL_NONE,
+ NFT_LITERAL_PORT,
+ NFT_LITERAL_ADDR,
+};
+
 /**
 * Possible flags to pass to nft_ctx_new()
 */
@@ -47,8 +53,8 @@ enum nft_numeric_level nft_ctx_output_get_numeric(struct nft_ctx *ctx);
 void nft_ctx_output_set_numeric(struct nft_ctx *ctx, enum nft_numeric_level level);
 bool nft_ctx_output_get_stateless(struct nft_ctx *ctx);
 void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val);
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx);
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val);
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx);
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val);
 unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx);
 void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask);
 bool nft_ctx_output_get_handle(struct nft_ctx *ctx);
diff --git a/src/datatype.c b/src/datatype.c
index 20904453..fbc3ac35 100644
--- a/src/datatype.c
+++ b/src/datatype.c
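Review bot: `enum nft_literal_level` in the hunk at -33,6 enters the public header without a comment saying what the levels mean, and the ordering is load-bearing because src/datatype.c compares against it with `>=` for addresses and `==` for ports. Suggest a short comment above the enum, along the lines of `/* Symbolic output level: NONE = numeric ports and addresses, PORT = service names, ADDR = reverse-resolved host names (ports numeric again) */`. The doc/libnftables.adoc synopsis touched by this same commit still declares the setter as `void nft_ctx_output_set_literal(struct nft_ctx* '\*ctx'*, bool* 'val'*);` whereas the prototype here takes `enum nft_literal_level val`; the two should agree.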
@@ -454,7 +454,7 @@ static void ipaddr_type_print(const struct expr *expr, struct output_ctx *octx)
 sin.sin_addr.s_addr = mpz_get_be32(expr->value);
 err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf, sizeof(buf), NULL, 0,
- octx->ip2name ? 0 : NI_NUMERICHOST);
+ octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
 if (err != 0) {
 getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf, sizeof(buf), NULL, 0, NI_NUMERICHOST);
@@ -512,7 +512,7 @@ static void ip6addr_type_print(const struct expr *expr, struct output_ctx *octx)
 
 err = getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf, sizeof(buf), NULL, 0,
- octx->ip2name ? 0 : NI_NUMERICHOST);
+ octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
 if (err != 0) {
 getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf, sizeof(buf), NULL, 0, NI_NUMERICHOST);
@@ -617,11 +617,11 @@ const struct datatype inet_protocol_type = {
 static void inet_service_type_print(const struct expr *expr,
 struct output_ctx *octx)
 {
- if (octx->numeric >= NFT_NUMERIC_PORT) {
- integer_type_print(expr, octx);
+ if (octx->literal == NFT_LITERAL_PORT) {
+ symbolic_constant_print(&inet_service_tbl, expr, false, octx);
 return;
 }
- symbolic_constant_print(&inet_service_tbl, expr, false, octx);
+ integer_type_print(expr, octx);
 }
 
 static struct error_record *inet_service_type_parse(const struct expr *sym,
diff --git a/src/libnftables.c b/src/libnftables.c
index 9a97a3c5..656b0a1c 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
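Review bot: In inet_service_type_print the new test `octx->literal == NFT_LITERAL_PORT` switches service names off again at `-ll`, while the two address printers in the hunks at -454 and -512 use `octx->literal >= NFT_LITERAL_ADDR`, so the levels are cumulative for addresses but not for ports. The commit message shows `-ll` printing `tcp dport 22`, so this appears deliberate, but nothing in the function says so; add a comment above the `if`, e.g. `/* -l prints service names; -ll resolves addresses only and keeps ports numeric */`, or use `>=` here as well if cumulative behaviour is what is wanted. Dropping the `octx->numeric >= NFT_NUMERIC_PORT` test also means `-n` no longer has any effect on this printer, which is consistent with numeric now being the default but deserves a mention wherever `-n` is documented (not visible in this hunk).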
@@ -336,14 +336,14 @@ void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val)
 ctx->output.stateless = val;
 }
 
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx)
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx)
 {
- return ctx->output.ip2name;
+ return ctx->output.literal;
 }
 
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val)
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val)
 {
- ctx->output.ip2name = val;
+ ctx->output.literal = val;
 }
 
 unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx)
diff --git a/src/main.c b/src/main.c
index b2966a41..792136f5 100644
--- a/src/main.c
+++ b/src/main.c
@@ -35,13 +35,14 @@ enum opt_vals {
 OPT_NUMERIC = 'n',
 OPT_STATELESS = 's',
 OPT_IP2NAME = 'N',
+ OPT_LITERAL = 'l',
 OPT_DEBUG = 'd',
 OPT_HANDLE_OUTPUT = 'a',
 OPT_ECHO = 'e',
 OPT_INVALID = '?',
 };
 
-#define OPTSTRING "hvcf:iI:jvnsNae"
+#define OPTSTRING "hvcf:iI:jvnsNael"
 
 static const struct option options[] = {
 {
@@ -77,6 +78,10 @@ static const struct option options[] = {
 .name = "reversedns",
 .val = OPT_IP2NAME,
 },
+ {
+ .name = "literal",
+ .val = OPT_LITERAL,
+ },
 {
 .name = "includepath",
 .val = OPT_INCLUDEPATH,
@@ -173,6 +178,7 @@ int main(int argc, char * const *argv)
 {
 char *buf = NULL, *filename = NULL;
 enum nft_numeric_level numeric;
+ enum nft_literal_level literal;
 bool interactive = false;
 unsigned int debug_mask;
 unsigned int len;
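Review bot: Removing nft_ctx_output_get_ip2name()/nft_ctx_output_set_ip2name() here, together with their prototypes in the include/nftables/libnftables.h hunk at -47,8, breaks every existing libnftables consumer at compile and link time, while the commit message describes `-N` as deprecated rather than removed. Keeping the two old functions as wrappers over the new level preserves the old bool semantics (false = NFT_LITERAL_NONE, true = NFT_LITERAL_ADDR) at no cost, with the prototypes restored in the public header. nft_ctx_output_set_literal() also stores `val` unchecked; since src/main.c derives the argument arithmetically (`literal + 1`, `literal + 2`), a value above NFT_LITERAL_ADDR would be stored silently and later treated as "resolve addresses", so a documented precondition or a clamp on the setter is worth adding.
```c
/* … unchanged: nft_ctx_output_get_literal / nft_ctx_output_set_literal … */

/* Compatibility wrappers for the deprecated ip2name API (-N). */
bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx)
{
	return ctx->output.literal >= NFT_LITERAL_ADDR;
}

void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val)
{
	ctx->output.literal = val ? NFT_LITERAL_ADDR : NFT_LITERAL_NONE;
}
```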
@@ -224,7 +230,22 @@ int main(int argc, char * const *argv)
 nft_ctx_output_set_stateless(nft, true);
 break;
 case OPT_IP2NAME:
- nft_ctx_output_set_ip2name(nft, true);
+ literal = nft_ctx_output_get_literal(nft);
+ if (literal + 2 > NFT_LITERAL_ADDR) {
+ fprintf(stderr, "Cannot combine `-N' with `-l'\n");
+ exit(EXIT_FAILURE);
+ }
+ nft_ctx_output_set_literal(nft, literal + 2);
+ break;
+ case OPT_LITERAL:
+ literal = nft_ctx_output_get_literal(nft);
+ if (literal + 1 > NFT_LITERAL_ADDR) {
+ fprintf(stderr, "Too many `-l' options or " "perhaps you combined `-l' " "with `-N'?\n");
+ exit(EXIT_FAILURE);
+ }
+ nft_ctx_output_set_literal(nft, literal + 1);
 break;
 case OPT_DEBUG:
 debug_mask = nft_ctx_output_get_debug(nft);
diff --git a/tests/shell/testcases/nft-f/0008split_tables_0 b/tests/shell/testcases/nft-f/0008split_tables_0
index c4ca717f..2631aed4 100755
--- a/tests/shell/testcases/nft-f/0008split_tables_0
+++ b/tests/shell/testcases/nft-f/0008split_tables_0
@@ -5,7 +5,7 @@ set -e
 RULESET="table inet filter {
 chain ssh {
 type filter hook input priority 0; policy accept;
- tcp dport ssh accept;
+ tcp dport 22 accept;
 }
 }
diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
index 1211411f..1ab6e864 100644
--- a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
@@ -1,7 +1,7 @@
 table inet filter {
 chain ssh {
 type filter hook input priority 0; policy accept;
- tcp dport ssh accept
+ tcp dport 22 accept
 }
 
 chain input {
diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
index a793751b..7f59a273 100644
--- a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
+++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
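Review bot: The `-N` branch computes `literal + 2`, so a repeated `-N` (harmless before, since the removed `nft_ctx_output_set_ip2name(nft, true)` was idempotent) now aborts with "Cannot combine `-N' with `-l'" although no `-l` was given. `-N` simply means NFT_LITERAL_ADDR, so test the stored level instead of doing arithmetic on the enum: `if (literal == NFT_LITERAL_PORT) {` for the error and `nft_ctx_output_set_literal(nft, NFT_LITERAL_ADDR);` for the assignment. That also removes the hidden dependency on NFT_LITERAL_ADDR being exactly two above NFT_LITERAL_NONE, which the `-l` branch shares in a milder form. The commit message calls `-N` deprecated, yet this branch prints nothing; a one-line notice on stderr pointing users at `-ll` would make the deprecation visible at the point of use. main() begins and ends outside this hunk.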
@@ -1,7 +1,7 @@
 table inet forward {
 set concat-set-variable {
 type ipv4_addr . inet_service
- elements = { 10.10.10.10 . smtp,
- 10.10.10.10 . imap2 }
+ elements = { 10.10.10.10 . 25,
+ 10.10.10.10 . 143 }
 }
 }
diff --git a/tests/shell/testcases/optionals/dumps/comments_0.nft b/tests/shell/testcases/optionals/dumps/comments_0.nft
index 416a07e0..f47e0d51 100644
--- a/tests/shell/testcases/optionals/dumps/comments_0.nft
+++ b/tests/shell/testcases/optionals/dumps/comments_0.nft
@@ -1,5 +1,5 @@
 table ip test {
 chain test {
- tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment"
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
 }
 }
diff --git a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
index 416a07e0..f47e0d51 100644
--- a/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
+++ b/tests/shell/testcases/optionals/dumps/comments_handles_0.nft
@@ -1,5 +1,5 @@
 table ip test {
 chain test {
- tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment"
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
 }
 }
diff --git a/tests/shell/testcases/optionals/dumps/handles_0.nft b/tests/shell/testcases/optionals/dumps/handles_0.nft
index eb0af811..085c6cf1 100644
--- a/tests/shell/testcases/optionals/dumps/handles_0.nft
+++ b/tests/shell/testcases/optionals/dumps/handles_0.nft
@@ -1,5 +1,5 @@
 table ip test {
 chain test {
- tcp dport ssh counter packets 0 bytes 0 accept
+ tcp dport 22 counter packets 0 bytes 0 accept
 }
 }
diff --git a/tests/shell/testcases/sets/dumps/0020comments_0.nft b/tests/shell/testcases/sets/dumps/0020comments_0.nft
index d5330848..8b7d60aa 100644
--- a/tests/shell/testcases/sets/dumps/0020comments_0.nft
+++ b/tests/shell/testcases/sets/dumps/0020comments_0.nft
@@ -1,6 +1,6 @@
 table inet t {
 set s {
 type inet_service
- elements = { ssh comment "test" }
+ elements = { 22 comment "test" }
 }
 }
diff --git a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
index 58c213ff..e518906c 100644
--- a/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
+++ b/tests/shell/testcases/sets/dumps/0022type_selective_flush_0.nft
@@ -8,6 +8,6 @@ table ip t {
 }
 
 chain c {
- tcp dport http meter f size 1024 { ip saddr limit rate 10/second}
+ tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second}
 }
 }
diff --git a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
index c823ae9d..78b7dec5 100644
--- a/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
+++ b/tests/shell/testcases/sets/dumps/0025anonymous_set_0.nft
@@ -2,6 +2,6 @@ table ip t {
 chain c {
 type filter hook output priority 0; policy accept;
 ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
- tcp dport { ssh, telnet } counter packets 0 bytes 0
+ tcp dport { 22, 23 } counter packets 0 bytes 0
 }
 }
diff --git a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
index 0d1f1254..5d63ab20 100644
--- a/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
+++ b/tests/shell/testcases/sets/dumps/0026named_limit_0.nft
@@ -5,6 +5,6 @@ table ip filter {
 
 chain input {
 type filter hook input priority 0; policy accept;
- limit name tcp dport map { http : "http-traffic", https : "http-traffic" }
+ limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic" }
 }
 }
-- cgit v1.2.3