nft: don't resolve hostnames by default

This patch changes the default behaviour of nft to not translate IP
addresses to hostnames when printing rules if no options are passed.

The options regarding translations after this patch are:

 <no -n/-N>             show IP addresses numerically (default behaviour)
 -n                     show IP addresses numerically
 -nn                    show Internet services and uid/gid numerically
 -nnn                   show protocols numerically
 -N (--reversedns)      translate IP addresses to names

The idea is to avoid breaking existing scripts that most likely rely on
'-n' to save the ruleset, so we reduce the impact of this patch and
provide a default behaviour that doesn't generate network traffic when
listing / saving the ruleset.

Joint work with Pablo.

Suggested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/nft.xml b/doc/nft.xml
index cec5ef3b94d74669705abaa9577d3838c35eb7b6..e45a5936c7f94a66583c9e3282bbb7911ca34043 100644 (file)
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -101,9 +101,18 @@ vi:ts=4 sw=4
                                        <para>
                                                Numeric output: Addresses and other information
                                                that might need network traffic to resolve to symbolic names
-                                               are shown numerically. When used twice, internet services
-                                               and UIDs/GIDs are also shown numerically. When used thrice,
-                                               protocol numbers are also shown numerically.
+                                               are shown numerically (default behaviour). When used twice,
+                                               internet services are translated. When used twice, internet
+                                               services and UIDs/GIDs are also shown numerically. When used
+                                               three times, protocol numbers are also shown numerically.
+                                       </para>
+                               </listitem>
+                       </varlistentry>
+                       <varlistentry>
+                               <term><option>-N</option></term>
+                               <listitem>
+                                       <para>
+                                               Translate IP addresses to DNS names.
                                        </para>
                                </listitem>
                        </varlistentry>

diff --git a/include/nftables.h b/include/nftables.h
index c3d3dbfb0f673ecc582b8baa0b21c06d85a7bc3d..4c33ec63264403620826b4e48bd90f186fdb01ef 100644 (file)
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -26,6 +26,7 @@ enum debug_level {
 
 extern unsigned int max_errors;
 extern unsigned int numeric_output;
+extern unsigned int ip2name_output;
 extern unsigned int handle_output;
 extern unsigned int debug_level;
 extern const char *include_paths[INCLUDE_PATHS_MAX];

diff --git a/src/datatype.c b/src/datatype.c
index 8ad211c1d0d5c543e5236427eecdc46baae3c168..5f976aa3e96a08b3f89394d99748fb9e13cd12fa 100644 (file)
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -379,7 +379,7 @@ static void ipaddr_type_print(const struct expr *expr)
        sin.sin_addr.s_addr = mpz_get_be32(expr->value);
        err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
                          sizeof(buf), NULL, 0,
-                         numeric_output ? NI_NUMERICHOST : 0);
+                         ip2name_output ? 0 : NI_NUMERICHOST);
        if (err != 0) {
                getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
                            sizeof(buf), NULL, 0, NI_NUMERICHOST);
@@ -437,7 +437,7 @@ static void ip6addr_type_print(const struct expr *expr)
 
        err = getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
                          sizeof(buf), NULL, 0,
-                         numeric_output ? NI_NUMERICHOST : 0);
+                         ip2name_output ? 0 : NI_NUMERICHOST);
        if (err != 0) {
                getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
                            sizeof(buf), NULL, 0, NI_NUMERICHOST);

diff --git a/src/main.c b/src/main.c
index 3607bd5844af8aa61d11d6f7b703e40143da9535..16259143116cd5922141fdd46dc47068acb2eaa3 100644 (file)
--- a/src/main.c
+++ b/src/main.c
@@ -28,6 +28,7 @@
 
 unsigned int max_errors = 10;
 unsigned int numeric_output;
+unsigned int ip2name_output;
 unsigned int handle_output;
 #ifdef DEBUG
 unsigned int debug_level;
@@ -43,12 +44,13 @@ enum opt_vals {
        OPT_INTERACTIVE         = 'i',
        OPT_INCLUDEPATH         = 'I',
        OPT_NUMERIC             = 'n',
+       OPT_IP2NAME             = 'N',
        OPT_DEBUG               = 'd',
        OPT_HANDLE_OUTPUT       = 'a',
        OPT_INVALID             = '?',
 };
 
-#define OPTSTRING      "hvf:iI:vna"
+#define OPTSTRING      "hvf:iI:vnNa"
 
 static const struct option options[] = {
        {
@@ -72,6 +74,10 @@ static const struct option options[] = {
                .name           = "numeric",
                .val            = OPT_NUMERIC,
        },
+       {
+               .name           = "reversedns",
+               .val            = OPT_IP2NAME,
+       },
        {
                .name           = "includepath",
                .val            = OPT_INCLUDEPATH,
@@ -105,10 +111,11 @@ static void show_help(const char *name)
 "  -f/--file <filename>                Read input from <filename>\n"
 "  -i/--interactive            Read input from interactive CLI\n"
 "\n"
-"  -n/--numeric                        When specified once, show network addresses numerically.\n"
-"                              When specified twice, also show Internet services,\n"
+"  -n/--numeric                        When specified once, show network addresses numerically (default behaviour).\n"
+"                              When specified twice, show Internet services,\n"
 "                              user IDs and group IDs numerically.\n"
 "                              When specified thrice, also show protocols numerically.\n"
+"  -N                          Translate IP addresses to names.\n"
 "  -a/--handle                 Output rule handle.\n"
 "  -I/--includepath <directory>        Add <directory> to the paths searched for include files.\n"
 #ifdef DEBUG
@@ -279,6 +286,9 @@ int main(int argc, char * const *argv)
                case OPT_NUMERIC:
                        numeric_output++;
                        break;
+               case OPT_IP2NAME:
+                       ip2name_output++;
+                       break;
 #ifdef DEBUG
                case OPT_DEBUG:
                        for (;;) {