Default not to print the service name as we discussed during the NFWS.
# nft list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1.1.1.1
}
}
# nft -l list ruleset
table ip x {
chain y {
tcp dport ssh
ip saddr 1.1.1.1
}
}
# nft -ll list ruleset
table ip x {
chain y {
tcp dport 22
ip saddr 1dot1dot1dot1.cloudflare-dns.com
}
}
Then, -ll displays FQDN. just like the (now deprecated) --ip2name (-N)
option.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
bool nft_ctx_output_get_stateless(struct nft_ctx* '\*ctx'*);
void nft_ctx_output_set_stateless(struct nft_ctx* '\*ctx'*, bool* 'val'*);
-bool nft_ctx_output_get_ip2name(struct nft_ctx* '\*ctx'*);
-void nft_ctx_output_set_ip2name(struct nft_ctx* '\*ctx'*, bool* 'val'*);
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx* '\*ctx'*);
+void nft_ctx_output_set_literal(struct nft_ctx* '\*ctx'*, bool* 'val'*);
unsigned int nft_ctx_output_get_debug(struct nft_ctx* '\*ctx'*);
void nft_ctx_output_set_debug(struct nft_ctx* '\*ctx'*, unsigned int* 'mask'*);
The *nft_ctx_output_set_stateless*() function sets the stateless output setting in 'ctx' to the value of 'val'.
-=== nft_ctx_output_get_ip2name() and nft_ctx_output_set_ip2name()
-The ip2name setting controls whether reverse DNS lookups are performed for IP addresses when printing them.
+=== nft_ctx_output_get_literal() and nft_ctx_output_set_literal()
+The literal setting controls whether reverse DNS lookups are performed for IP addresses when printing them.
Note that this may add significant delay to *list* commands depending on DNS resolver speed.
-The default setting is *false*.
+The default setting is *NFT_LITERAL_NONE*.
-The *nft_ctx_output_get_ip2name*() function returns the ip2name output setting's value in 'ctx'.
+The *nft_ctx_output_get_literal*() function returns the literal output setting's value in 'ctx'.
-The *nft_ctx_output_set_ip2name*() function sets the ip2name output setting in 'ctx' to the value of 'val'.
+The *nft_ctx_output_set_literal*() function sets the literal output setting in 'ctx' to the value of 'val'.
=== nft_ctx_output_get_debug() and nft_ctx_output_set_debug()
Libnftables supports separate debugging of different parts of its internals.
struct output_ctx {
unsigned int numeric;
unsigned int stateless;
- unsigned int ip2name;
+ unsigned int literal;
unsigned int handle;
unsigned int echo;
unsigned int json;
NFT_NUMERIC_ALL,
};
+enum nft_literal_level {
+ NFT_LITERAL_NONE,
+ NFT_LITERAL_PORT,
+ NFT_LITERAL_ADDR,
+};
+
/**
* Possible flags to pass to nft_ctx_new()
*/
void nft_ctx_output_set_numeric(struct nft_ctx *ctx, enum nft_numeric_level level);
bool nft_ctx_output_get_stateless(struct nft_ctx *ctx);
void nft_ctx_output_set_stateless(struct nft_ctx *ctx, bool val);
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx);
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val);
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx);
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val);
unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx);
void nft_ctx_output_set_debug(struct nft_ctx *ctx, unsigned int mask);
bool nft_ctx_output_get_handle(struct nft_ctx *ctx);
sin.sin_addr.s_addr = mpz_get_be32(expr->value);
err = getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
sizeof(buf), NULL, 0,
- octx->ip2name ? 0 : NI_NUMERICHOST);
+ octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
if (err != 0) {
getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
sizeof(buf), NULL, 0, NI_NUMERICHOST);
err = getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
sizeof(buf), NULL, 0,
- octx->ip2name ? 0 : NI_NUMERICHOST);
+ octx->literal >= NFT_LITERAL_ADDR ? 0 : NI_NUMERICHOST);
if (err != 0) {
getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
sizeof(buf), NULL, 0, NI_NUMERICHOST);
static void inet_service_type_print(const struct expr *expr,
struct output_ctx *octx)
{
- if (octx->numeric >= NFT_NUMERIC_PORT) {
- integer_type_print(expr, octx);
+ if (octx->literal == NFT_LITERAL_PORT) {
+ symbolic_constant_print(&inet_service_tbl, expr, false, octx);
return;
}
- symbolic_constant_print(&inet_service_tbl, expr, false, octx);
+ integer_type_print(expr, octx);
}
static struct error_record *inet_service_type_parse(const struct expr *sym,
ctx->output.stateless = val;
}
-bool nft_ctx_output_get_ip2name(struct nft_ctx *ctx)
+enum nft_literal_level nft_ctx_output_get_literal(struct nft_ctx *ctx)
{
- return ctx->output.ip2name;
+ return ctx->output.literal;
}
-void nft_ctx_output_set_ip2name(struct nft_ctx *ctx, bool val)
+void nft_ctx_output_set_literal(struct nft_ctx *ctx, enum nft_literal_level val)
{
- ctx->output.ip2name = val;
+ ctx->output.literal = val;
}
unsigned int nft_ctx_output_get_debug(struct nft_ctx *ctx)
OPT_NUMERIC = 'n',
OPT_STATELESS = 's',
OPT_IP2NAME = 'N',
+ OPT_LITERAL = 'l',
OPT_DEBUG = 'd',
OPT_HANDLE_OUTPUT = 'a',
OPT_ECHO = 'e',
OPT_INVALID = '?',
};
-#define OPTSTRING "hvcf:iI:jvnsNae"
+#define OPTSTRING "hvcf:iI:jvnsNael"
static const struct option options[] = {
{
.name = "reversedns",
.val = OPT_IP2NAME,
},
+ {
+ .name = "literal",
+ .val = OPT_LITERAL,
+ },
{
.name = "includepath",
.val = OPT_INCLUDEPATH,
{
char *buf = NULL, *filename = NULL;
enum nft_numeric_level numeric;
+ enum nft_literal_level literal;
bool interactive = false;
unsigned int debug_mask;
unsigned int len;
nft_ctx_output_set_stateless(nft, true);
break;
case OPT_IP2NAME:
- nft_ctx_output_set_ip2name(nft, true);
+ literal = nft_ctx_output_get_literal(nft);
+ if (literal + 2 > NFT_LITERAL_ADDR) {
+ fprintf(stderr, "Cannot combine `-N' with `-l'\n");
+ exit(EXIT_FAILURE);
+ }
+ nft_ctx_output_set_literal(nft, literal + 2);
+ break;
+ case OPT_LITERAL:
+ literal = nft_ctx_output_get_literal(nft);
+ if (literal + 1 > NFT_LITERAL_ADDR) {
+ fprintf(stderr, "Too many `-l' options or "
+ "perhaps you combined `-l' "
+ "with `-N'?\n");
+ exit(EXIT_FAILURE);
+ }
+ nft_ctx_output_set_literal(nft, literal + 1);
break;
case OPT_DEBUG:
debug_mask = nft_ctx_output_get_debug(nft);
RULESET="table inet filter {
chain ssh {
type filter hook input priority 0; policy accept;
- tcp dport ssh accept;
+ tcp dport 22 accept;
}
}
table inet filter {
chain ssh {
type filter hook input priority 0; policy accept;
- tcp dport ssh accept
+ tcp dport 22 accept
}
chain input {
table inet forward {
set concat-set-variable {
type ipv4_addr . inet_service
- elements = { 10.10.10.10 . smtp,
- 10.10.10.10 . imap2 }
+ elements = { 10.10.10.10 . 25,
+ 10.10.10.10 . 143 }
}
}
table ip test {
chain test {
- tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment"
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
}
}
table ip test {
chain test {
- tcp dport ssh counter packets 0 bytes 0 accept comment "test_comment"
+ tcp dport 22 counter packets 0 bytes 0 accept comment "test_comment"
}
}
table ip test {
chain test {
- tcp dport ssh counter packets 0 bytes 0 accept
+ tcp dport 22 counter packets 0 bytes 0 accept
}
}
table inet t {
set s {
type inet_service
- elements = { ssh comment "test" }
+ elements = { 22 comment "test" }
}
}
}
chain c {
- tcp dport http meter f size 1024 { ip saddr limit rate 10/second}
+ tcp dport 80 meter f size 1024 { ip saddr limit rate 10/second}
}
}
chain c {
type filter hook output priority 0; policy accept;
ip daddr { 192.168.0.1, 192.168.0.2, 192.168.0.3 }
- tcp dport { ssh, telnet } counter packets 0 bytes 0
+ tcp dport { 22, 23 } counter packets 0 bytes 0
}
}
chain input {
type filter hook input priority 0; policy accept;
- limit name tcp dport map { http : "http-traffic", https : "http-traffic" }
+ limit name tcp dport map { 80 : "http-traffic", 443 : "http-traffic" }
}
}
projects / thirdparty / nftables.git / commitdiff
