src: add --terse to suppress output of set elements.

Listing an entire ruleset or a table with `nft list` prints the elements
of all set definitions within the ruleset or table.  Seeing the full set
contents is not often necessary especially when requesting to see
someone's ruleset for help and support purposes.  Add a new option '-t,
--terse' options to suppress the output of set contents.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index ea9626afa101932a433ce65691036b1f84ca1673..8ce1196fd47e69ac85312a40611d4f4aec849ff9 100644 (file)
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -80,16 +80,17 @@ The flags setting controls the output format.
 
 ----
 enum {
-        NFT_CTX_OUTPUT_REVERSEDNS  = (1 << 0),
-        NFT_CTX_OUTPUT_SERVICE     = (1 << 1),
-        NFT_CTX_OUTPUT_STATELESS   = (1 << 2),
-        NFT_CTX_OUTPUT_HANDLE      = (1 << 3),
-        NFT_CTX_OUTPUT_JSON        = (1 << 4),
-        NFT_CTX_OUTPUT_ECHO        = (1 << 5),
-        NFT_CTX_OUTPUT_GUID        = (1 << 6),
-        NFT_CTX_OUTPUT_NUMERIC_PROTO = (1 << 7),
-        NFT_CTX_OUTPUT_NUMERIC_PRIO = (1 << 8),
+        NFT_CTX_OUTPUT_REVERSEDNS     = (1 << 0),
+        NFT_CTX_OUTPUT_SERVICE        = (1 << 1),
+        NFT_CTX_OUTPUT_STATELESS      = (1 << 2),
+        NFT_CTX_OUTPUT_HANDLE         = (1 << 3),
+        NFT_CTX_OUTPUT_JSON           = (1 << 4),
+        NFT_CTX_OUTPUT_ECHO           = (1 << 5),
+        NFT_CTX_OUTPUT_GUID           = (1 << 6),
+        NFT_CTX_OUTPUT_NUMERIC_PROTO  = (1 << 7),
+        NFT_CTX_OUTPUT_NUMERIC_PRIO   = (1 << 8),
         NFT_CTX_OUTPUT_NUMERIC_SYMBOL = (1 << 9),
+        NFT_CTX_OUTPUT_TERSE          = (1 << 11),
 };
 ----
 
@@ -123,6 +124,8 @@ NFT_CTX_OUTPUT_NUMERIC_SYMBOL::
        Display expression datatype as numeric value.
 NFT_CTX_OUTPUT_NUMERIC_ALL::
        Display all numerically.
+NFT_CTX_OUTPUT_TERSE::
+       If terse output has been requested, then the contents of sets are not printed.
 
 The *nft_ctx_output_get_flags*() function returns the output flags setting's value in 'ctx'.
 

diff --git a/doc/nft.txt b/doc/nft.txt
index 616640a84c94aff2336ce76532b5633e47823ea5..2c79009948a5152760bc4db8dd25ec6f31cd6b08 100644 (file)
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -97,6 +97,10 @@ For a full summary of options, run *nft --help*.
 *--numeric-time*::
        Show time, day and hour values in numeric format.
 
+*-t*::
+*--terse*::
+       Omit contents of sets from output.
+
 INPUT FILE FORMATS
 ------------------
 LEXICAL CONVENTIONS

diff --git a/include/nftables.h b/include/nftables.h
index 1ecf5ef5269c3f1fa4f7c47a08324465cc4524ea..21553c6bb3a52256a8b6d5d5dd2cd537f275ce8b 100644 (file)
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -90,6 +90,11 @@ static inline bool nft_output_numeric_symbol(const struct output_ctx *octx)
        return octx->flags & NFT_CTX_OUTPUT_NUMERIC_SYMBOL;
 }
 
+static inline bool nft_output_terse(const struct output_ctx *octx)
+{
+       return octx->flags & NFT_CTX_OUTPUT_TERSE;
+}
+
 struct nft_cache {
        uint32_t                genid;
        struct list_head        list;

diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 7a7a46f3358a7475629d67d4848f982ca488d15b..765b20dd71ee19d44543989eb0f3b222b3241afd 100644 (file)
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -56,6 +56,7 @@ enum {
        NFT_CTX_OUTPUT_NUMERIC_ALL      = (NFT_CTX_OUTPUT_NUMERIC_PROTO |
                                           NFT_CTX_OUTPUT_NUMERIC_PRIO |
                                           NFT_CTX_OUTPUT_NUMERIC_SYMBOL),
+       NFT_CTX_OUTPUT_TERSE            = (1 << 11),
 };
 
 unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);

diff --git a/src/main.c b/src/main.c
index 238c5e0bf9ef87a8c3ffee1639985c13f678b572..ebd6d7c322d70ec4911026d76a6b5b22e3887334 100644 (file)
--- a/src/main.c
+++ b/src/main.c
@@ -43,9 +43,10 @@ enum opt_vals {
        OPT_NUMERIC_PRIO        = 'y',
        OPT_NUMERIC_PROTO       = 'p',
        OPT_NUMERIC_TIME        = 'T',
+       OPT_TERSE               = 't',
        OPT_INVALID             = '?',
 };
-#define OPTSTRING      "+hvcf:iI:jvnsNaeSupypT"
+#define OPTSTRING      "+hvcf:iI:jvnsNaeSupypTt"
 
 static const struct option options[] = {
        {
@@ -119,6 +120,10 @@ static const struct option options[] = {
                .name           = "numeric-time",
                .val            = OPT_NUMERIC_TIME,
        },
+       {
+               .name           = "terse",
+               .val            = OPT_TERSE,
+       },
        {
                .name           = NULL
        }
@@ -140,6 +145,7 @@ static void show_help(const char *name)
 "  -j, --json                  Format output in JSON\n"
 "  -n, --numeric                       Print fully numerical output.\n"
 "  -s, --stateless             Omit stateful information of ruleset.\n"
+"  -t, --terse                 Omit contents of sets.\n"
 "  -u, --guid                  Print UID/GID as defined in /etc/passwd and /etc/group.\n"
 "  -N                          Translate IP addresses to names.\n"
 "  -S, --service                       Translate ports to service names as described in /etc/services.\n"
@@ -301,6 +307,9 @@ int main(int argc, char * const *argv)
                case OPT_NUMERIC_TIME:
                        output_flags |= NFT_CTX_OUTPUT_NUMERIC_TIME;
                        break;
+               case OPT_TERSE:
+                       output_flags |= NFT_CTX_OUTPUT_TERSE;
+                       break;
                case OPT_INVALID:
                        exit(EXIT_FAILURE);
                }

diff --git a/src/rule.c b/src/rule.c
index 55894cbdb766c72a1f807e9fd4cb57aab2f4fbbb..64756bcee6b8eefeace2c33db1567ac436ab445d 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -538,7 +538,8 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts,
 {
        set_print_declaration(set, opts, octx);
 
-       if (set->flags & NFT_SET_EVAL && nft_output_stateless(octx)) {
+       if ((set->flags & NFT_SET_EVAL && nft_output_stateless(octx)) ||
+           nft_output_terse(octx)) {
                nft_print(octx, "%s}%s", opts->tab, opts->nl);
                return;
        }