if (batch_rule_add(h, type, r) < 0)
nftnl_rule_free(r);
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+
if (!nft_rule_list_get(h))
return 0;
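Review bot: The added verbose print runs even when `batch_rule_add()` has failed and `nftnl_rule_free(r)` has just released the rule, so `h->ops->print_rule(r, ...)` reads freed memory on that path. Return before printing, e.g. `if (batch_rule_add(h, type, r) < 0) { nftnl_rule_free(r); return 0; }`, assuming 0 is this function's failure value as the following `return 0;` suggests. The nft_rule_delete hunk has the same shape: it prints `r` after `__nft_rule_del()` even when `ret < 0`, and if that helper frees the rule on failure (not visible here) it is the same use-after-free, so print there only when `ret` is not negative. The enclosing function starts and ends outside this hunk.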
return 1;
}
-int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table)
+int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
+ bool verbose)
{
int ret = 0;
struct nftnl_chain_list *list;
if (chain != NULL && strcmp(chain, chain_name) != 0)
goto next;
+ if (verbose)
+ fprintf(stdout, "Flushing chain `%s'\n", chain_name);
+
__nft_rule_flush(h, table_name, chain_name);
if (chain != NULL)
#define NLM_F_NONREC 0x100 /* Do not delete recursively */
#endif
-int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table)
+int nft_chain_user_del(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose)
{
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
if (chain != NULL && strcmp(chain, chain_name) != 0)
goto next;
+ if (verbose)
+ fprintf(stdout, "Deleting chain `%s'\n", chain);
+
ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
if (ret < 0)
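Review bot: The new "Deleting chain" message passes `chain` to `%s`, but the guard just above lets every chain through when `chain` is NULL, so deleting without a chain argument would hand a null pointer to `fprintf`, which is undefined behaviour. The flush and zero-counter hunks print `chain_name` instead; replacing the last argument `chain` with `chain_name` here avoids the null case and names the chain actually being removed. The loop that sets `chain_name` starts outside the hunk, so this assumes it is in scope at this point, as its use in the `strcmp` above indicates.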
const char *table, void *data, bool verbose)
{
struct nftnl_rule_list *list;
- int ret;
+ struct nftnl_rule *r;
nft_fn = nft_rule_check;
if (list == NULL)
return 0;
- ret = nft_rule_find(h, list, chain, table, data, -1) ? 1 : 0;
- if (ret == 0)
+ r = nft_rule_find(h, list, chain, table, data, -1);
+ if (r == NULL) {
errno = ENOENT;
+ return 0;
+ }
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
- return ret;
+ return 1;
}
int nft_rule_delete(struct nft_handle *h, const char *chain,
ret =__nft_rule_del(h, list, r);
if (ret < 0)
errno = ENOMEM;
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
} else
errno = ENOENT;
return NULL;
}
+ if (verbose)
+ h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+
return r;
}
return h->config_done;
}
-int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
- const char *table)
+int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose)
{
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
if (chain != NULL && strcmp(chain, chain_name) != 0)
goto next;
+ if (verbose)
+ fprintf(stdout, "Zeroing chain `%s'\n", chain_name);
+
nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0);
nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0);
struct nftnl_chain *nft_chain_list_find(struct nftnl_chain_list *list, const char *table, const char *chain);
int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list, const char *table);
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
-int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table);
+int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_chain_user_flush(struct nft_handle *h, struct nftnl_chain_list *list,
const char *chain, const char *table);
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
-int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table);
+int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose);
/*
* Operations with rule-set.
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table, int rulenum, unsigned int format);
int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format);
-int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
+int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, bool verbose);
int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
/*
--- /dev/null
+#!/bin/bash
+
+set -e
+#set -x
+
+# ensure verbose output is identical between legacy and nft tools
+
+RULE1='-i eth2 -o eth3 -s feed:babe::1 -d feed:babe::2 -j ACCEPT'
+VOUT1='ACCEPT all opt in eth2 out eth3 feed:babe::1 -> feed:babe::2'
+RULE2='-i eth2 -o eth3 -s feed:babe::4 -d feed:babe::5 -j ACCEPT'
+VOUT2='ACCEPT all opt in eth2 out eth3 feed:babe::4 -> feed:babe::5'
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -A FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -I FORWARD 2 $RULE2)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -C FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -C FORWARD $RULE2)
+
+EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 0 0 ACCEPT all eth2 eth3 feed:babe::1 feed:babe::2
+ 0 0 ACCEPT all eth2 eth3 feed:babe::4 feed:babe::5
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -n -L)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI ip6tables -v -D FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI ip6tables -v -D FORWARD $RULE2)
+
+EXPECT="Flushing chain \`INPUT'
+Flushing chain \`FORWARD'
+Flushing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -F)
+
+EXPECT="Zeroing chain \`INPUT'
+Zeroing chain \`FORWARD'
+Zeroing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI ip6tables -v -Z)
+
+diff -u <(echo "Flushing chain \`OUTPUT'") <($XT_MULTI ip6tables -v -F OUTPUT)
+diff -u <(echo "Zeroing chain \`OUTPUT'") <($XT_MULTI ip6tables -v -Z OUTPUT)
+
+$XT_MULTI ip6tables -N foo
+diff -u <(echo "Deleting chain \`foo'") <($XT_MULTI ip6tables -v -X foo)
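Review bot: Every `$XT_MULTI` call under test runs inside `<(...)`, so its exit status is discarded and `set -e` never sees it; each check passes whenever stdout matches, even if `-C` or `-D` returned failure. Capturing the output first keeps both signals, e.g. `out=$($XT_MULTI ip6tables -v -C FORWARD $RULE1)` followed by `diff -u -Z <(echo "$VOUT1") <(echo "$out")`. The IPv4 script added right after this one has the same pattern. A short comment on why `-Z` is used for the rule lines but not for the chain messages would also help the next reader.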
--- /dev/null
+#!/bin/bash
+
+set -e
+#set -x
+
+# ensure verbose output is identical between legacy and nft tools
+
+RULE1='-i eth2 -o eth3 -s 10.0.0.1 -d 10.0.0.2 -j ACCEPT'
+VOUT1='ACCEPT all opt -- in eth2 out eth3 10.0.0.1 -> 10.0.0.2'
+RULE2='-i eth2 -o eth3 -s 10.0.0.4 -d 10.0.0.5 -j ACCEPT'
+VOUT2='ACCEPT all opt -- in eth2 out eth3 10.0.0.4 -> 10.0.0.5'
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI iptables -v -A FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI iptables -v -I FORWARD 2 $RULE2)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI iptables -v -C FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI iptables -v -C FORWARD $RULE2)
+
+EXPECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination
+ 0 0 ACCEPT all -- eth2 eth3 10.0.0.1 10.0.0.2
+ 0 0 ACCEPT all -- eth2 eth3 10.0.0.4 10.0.0.5
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target prot opt in out source destination'
+
+diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -v -n -L)
+
+diff -u -Z <(echo -e "$VOUT1") <($XT_MULTI iptables -v -D FORWARD $RULE1)
+diff -u -Z <(echo -e "$VOUT2") <($XT_MULTI iptables -v -D FORWARD $RULE2)
+
+EXPECT="Flushing chain \`INPUT'
+Flushing chain \`FORWARD'
+Flushing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI iptables -v -F)
+
+EXPECT="Zeroing chain \`INPUT'
+Zeroing chain \`FORWARD'
+Zeroing chain \`OUTPUT'"
+
+diff -u <(echo -e "$EXPECT") <($XT_MULTI iptables -v -Z)
+
+diff -u <(echo "Flushing chain \`OUTPUT'") <($XT_MULTI iptables -v -F OUTPUT)
+diff -u <(echo "Zeroing chain \`OUTPUT'") <($XT_MULTI iptables -v -Z OUTPUT)
+
+$XT_MULTI iptables -N foo
+diff -u <(echo "Deleting chain \`foo'") <($XT_MULTI iptables -v -X foo)
options&OPT_LINENUMBERS);
break;
case CMD_FLUSH:
- ret = nft_rule_flush(h, chain, *table);
+ ret = nft_rule_flush(h, chain, *table, options & OPT_VERBOSE);
break;
case CMD_ZERO:
- ret = nft_chain_zero_counters(h, chain, *table);
+ ret = nft_chain_zero_counters(h, chain, *table,
+ options & OPT_VERBOSE);
break;
case CMD_LIST|CMD_ZERO:
ret = list_entries(h, chain, *table, rulenum,
/*options&OPT_EXPANDED*/0,
options&OPT_LINENUMBERS);
if (ret)
- ret = nft_chain_zero_counters(h, chain, *table);
+ ret = nft_chain_zero_counters(h, chain, *table,
+ options & OPT_VERBOSE);
break;
case CMD_NEW_CHAIN:
ret = nft_chain_user_add(h, chain, *table);
break;
case CMD_DELETE_CHAIN:
- ret = nft_chain_user_del(h, chain, *table);
+ ret = nft_chain_user_del(h, chain, *table,
+ options & OPT_VERBOSE);
break;
case CMD_RENAME_CHAIN:
ret = nft_chain_user_rename(h, chain, *table, newname);
chain = argv[optind];
optind++;
}
- ret = nft_chain_user_del(h, chain, *table);
+ ret = nft_chain_user_del(h, chain, *table, 0);
break;
}
}
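Review bot: This call passes a bare `0` for the new `bool verbose` parameter, while the other callers changed in this commit forward `OPT_VERBOSE`. Writing `false` would match the parameter type, and a one-line comment such as `/* verbose output is not forwarded for this command */` would tell readers whether dropping `-v` here is deliberate. The enclosing function is not visible in the hunk, so whether a verbose flag is available at this point cannot be confirmed from here.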
if (flags & OPT_ZERO) {
selected_chain = zerochain;
- ret = nft_chain_zero_counters(h, chain, *table);
+ ret = nft_chain_zero_counters(h, chain, *table,
+ flags & OPT_VERBOSE);
} else if (command == 'F') {
- ret = nft_rule_flush(h, chain, *table);
+ ret = nft_rule_flush(h, chain, *table, flags & OPT_VERBOSE);
} else if (command == 'A') {
ret = append_entry(h, chain, *table, &cs, 0,
flags&OPT_VERBOSE, true);
cs.options&OPT_VERBOSE, h, false);
break;
case CMD_FLUSH:
- ret = nft_rule_flush(h, p.chain, p.table);
+ ret = nft_rule_flush(h, p.chain, p.table,
+ cs.options & OPT_VERBOSE);
break;
case CMD_ZERO:
- ret = nft_chain_zero_counters(h, p.chain, p.table);
+ ret = nft_chain_zero_counters(h, p.chain, p.table,
+ cs.options & OPT_VERBOSE);
break;
case CMD_ZERO_NUM:
ret = nft_rule_zero_counters(h, p.chain, p.table,
cs.options & OPT_EXPANDED,
cs.options & OPT_LINENUMBERS);
if (ret && (p.command & CMD_ZERO)) {
- ret = nft_chain_zero_counters(h, p.chain,
- p.table);
+ ret = nft_chain_zero_counters(h, p.chain, p.table,
+ cs.options & OPT_VERBOSE);
}
if (ret && (p.command & CMD_ZERO_NUM)) {
ret = nft_rule_zero_counters(h, p.chain, p.table,
ret = list_rules(h, p.chain, p.table, p.rulenum,
cs.options & OPT_VERBOSE);
if (ret && (p.command & CMD_ZERO)) {
- ret = nft_chain_zero_counters(h, p.chain,
- p.table);
+ ret = nft_chain_zero_counters(h, p.chain, p.table,
+ cs.options & OPT_VERBOSE);
}
if (ret && (p.command & CMD_ZERO_NUM)) {
ret = nft_rule_zero_counters(h, p.chain, p.table,
ret = nft_chain_user_add(h, p.chain, p.table);
break;
case CMD_DELETE_CHAIN:
- ret = nft_chain_user_del(h, p.chain, p.table);
+ ret = nft_chain_user_del(h, p.chain, p.table,
+ cs.options & OPT_VERBOSE);
break;
case CMD_RENAME_CHAIN:
ret = nft_chain_user_rename(h, p.chain, p.table, p.newname);