nft: save: fix the printing of the counters

This patch prints the counters of a rule before the details,
like iptables-save syntax.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 562a1a29a9b4e4e0f5614e83a362481e8495abf3..8c06243527f0b7b105c4d6573d2687c7e38cadad 100644 (file)
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -599,12 +599,6 @@ static void nft_arp_save_firewall(const void *data,
 
        print_fw_details((struct arpt_entry *)fw, format);
 
-       if (!(format & FMT_NOCOUNTS)) {
-               printf("-c ");
-               xtables_print_num(fw->counters.pcnt, format);
-               xtables_print_num(fw->counters.bcnt, format);
-       }
-
        target = get_target((struct arpt_entry *)fw, format);
 
        if (target) {
@@ -680,6 +674,13 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nft_rule *r,
        return true;
 }
 
+static void nft_arp_save_counters(const void *data)
+{
+       const struct arpt_entry *fw = data;
+
+       save_counters(fw->counters.pcnt, fw->counters.bcnt);
+}
+
 struct nft_family_ops nft_family_ops_arp = {
        .add                    = nft_arp_add,
        .is_same                = nft_arp_is_same,
@@ -689,6 +690,7 @@ struct nft_family_ops nft_family_ops_arp = {
        .parse_immediate        = nft_arp_parse_immediate,
        .print_firewall         = nft_arp_print_firewall,
        .save_firewall          = nft_arp_save_firewall,
+       .save_counters          = nft_arp_save_counters,
        .post_parse             = NULL,
        .rule_find              = nft_arp_rule_find,
        .parse_target           = nft_arp_parse_target,

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index d05e80eb105c7bc17c25c592e296fadfa6f24c04..33bc581ade15c955102baa344013613caf025b20 100644 (file)
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -315,8 +315,7 @@ static void nft_ipv4_save_firewall(const void *data, unsigned int format)
 
        save_firewall_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto,
                              cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
-                             cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
-                             format);
+                             cs->fw.ip.outiface, cs->fw.ip.outiface_mask);
 
        if (cs->fw.ip.flags & IPT_F_FRAG) {
                if (cs->fw.ip.invflags & IPT_INV_FRAG)
@@ -409,6 +408,13 @@ static bool nft_ipv4_rule_find(struct nft_family_ops *ops,
        return nft_ipv46_rule_find(ops, r, cs);
 }
 
+static void nft_ipv4_save_counters(const void *data)
+{
+       const struct iptables_command_state *cs = data;
+
+       save_counters(cs->counters.pcnt, cs->counters.bcnt);
+}
+
 struct nft_family_ops nft_family_ops_ipv4 = {
        .add                    = nft_ipv4_add,
        .is_same                = nft_ipv4_is_same,
@@ -417,6 +423,7 @@ struct nft_family_ops nft_family_ops_ipv4 = {
        .parse_immediate        = nft_ipv4_parse_immediate,
        .print_firewall         = nft_ipv4_print_firewall,
        .save_firewall          = nft_ipv4_save_firewall,
+       .save_counters          = nft_ipv4_save_counters,
        .proto_parse            = nft_ipv4_proto_parse,
        .post_parse             = nft_ipv4_post_parse,
        .parse_target           = nft_ipv4_parse_target,

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index f08598ae4b7acb95920c7776801d0247630f6765..00f1bf8e794bc2be3ba675994632a45875bdc3fb 100644 (file)
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -222,8 +222,8 @@ static void nft_ipv6_save_firewall(const void *data, unsigned int format)
 
        save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
                              cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
-                             cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
-                             format);
+                             cs->fw6.ipv6.outiface,
+                             cs->fw6.ipv6.outiface_mask);
 
        save_ipv6_addr('s', &cs->fw6.ipv6.src,
                       cs->fw6.ipv6.invflags & IPT_INV_SRCIP);
@@ -330,6 +330,13 @@ static bool nft_ipv6_rule_find(struct nft_family_ops *ops,
        return nft_ipv46_rule_find(ops, r, cs);
 }
 
+static void nft_ipv6_save_counters(const void *data)
+{
+       const struct iptables_command_state *cs = data;
+
+       save_counters(cs->counters.pcnt, cs->counters.bcnt);
+}
+
 struct nft_family_ops nft_family_ops_ipv6 = {
        .add                    = nft_ipv6_add,
        .is_same                = nft_ipv6_is_same,
@@ -338,6 +345,7 @@ struct nft_family_ops nft_family_ops_ipv6 = {
        .parse_immediate        = nft_ipv6_parse_immediate,
        .print_firewall         = nft_ipv6_print_firewall,
        .save_firewall          = nft_ipv6_save_firewall,
+       .save_counters          = nft_ipv6_save_counters,
        .proto_parse            = nft_ipv6_proto_parse,
        .post_parse             = nft_ipv6_post_parse,
        .parse_target           = nft_ipv6_parse_target,

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 3f018fb275f417a867aeac834aa317cae6498e4c..deb27834063597d64f82c46433b4180c93812c5f 100644 (file)
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -589,15 +589,8 @@ void save_firewall_details(const struct iptables_command_state *cs,
                           const char *iniface,
                           unsigned const char *iniface_mask,
                           const char *outiface,
-                          unsigned const char *outiface_mask,
-                          unsigned int format)
+                          unsigned const char *outiface_mask)
 {
-       if (!(format & FMT_NOCOUNTS)) {
-               printf("-c ");
-               xtables_print_num(cs->counters.pcnt, format);
-               xtables_print_num(cs->counters.bcnt, format);
-       }
-
        if (iniface != NULL) {
                print_iface('i', iniface, iniface_mask,
                            invflags & IPT_INV_VIA_IN);
@@ -620,6 +613,12 @@ void save_firewall_details(const struct iptables_command_state *cs,
        }
 }
 
+void save_counters(uint64_t pcnt, uint64_t bcnt)
+{
+       printf("[%llu:%llu] ", (unsigned long long)pcnt,
+                              (unsigned long long)bcnt);
+}
+
 void save_matches_and_target(struct xtables_rule_match *m,
                             struct xtables_target *target,
                             const char *jumpto, uint8_t flags, const void *fw)

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 145f19d1856e82bb882b4a6678ac8ee941b19726..1c06b5f455e60f8e738ae55f0908b958a14ca13a 100644 (file)
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -50,6 +50,7 @@ struct nft_family_ops {
        void (*print_firewall)(struct nft_rule *r, unsigned int num,
                               unsigned int format);
        void (*save_firewall)(const void *data, unsigned int format);
+       void (*save_counters)(const void *data);
        void (*proto_parse)(struct iptables_command_state *cs,
                            struct xtables_args *args);
        void (*post_parse)(int command, struct iptables_command_state *cs,
@@ -115,8 +116,8 @@ void save_firewall_details(const struct iptables_command_state *cs,
                           const char *iniface,
                           unsigned const char *iniface_mask,
                           const char *outiface,
-                          unsigned const char *outiface_mask,
-                          unsigned int format);
+                          unsigned const char *outiface_mask);
+void save_counters(uint64_t pcnt, uint64_t bcnt);
 void save_matches_and_target(struct xtables_rule_match *m,
                             struct xtables_target *target,
                             const char *jumpto,

diff --git a/iptables/nft.c b/iptables/nft.c
index 2a5f0b99e5f3ff28289daf377b8aba5d525dc978..e3b07e03dd537d94265e1fc95b974d401914e32c 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -972,8 +972,8 @@ int add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes)
        if (expr == NULL)
                return -ENOMEM;
 
-       nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_BYTES, packets);
-       nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_PACKETS, bytes);
+       nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_PACKETS, packets);
+       nft_rule_expr_set_u64(expr, NFT_EXPR_CTR_BYTES, bytes);
 
        nft_rule_add_expr(r, expr);
 
@@ -1048,6 +1048,11 @@ nft_rule_print_save(const void *data,
        int family = nft_rule_attr_get_u32(r, NFT_RULE_ATTR_FAMILY);
        struct nft_family_ops *ops;
 
+       ops = nft_family_ops_lookup(family);
+
+       if (!(format & FMT_NOCOUNTS) && ops->save_counters)
+               ops->save_counters(data);
+
        /* print chain name */
        switch(type) {
        case NFT_RULE_APPEND:
@@ -1058,8 +1063,6 @@ nft_rule_print_save(const void *data,
                break;
        }
 
-       ops = nft_family_ops_lookup(family);
-
        if (ops->save_firewall)
                ops->save_firewall(data, format);