src: list set handle and delete set via set handle

Print 'handle' attribute in sets when listing via '-a' option and
delete sets via their unique set handles listed with '-a' option.
For e.g.

nft delete set [<family>] <table-name> [handle <handle>]

Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 4854210de4e153791b157f00d28d534935eb7e69..f311ab9faec7a5211eddfd902afcf9a9391bb87b 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -319,6 +319,7 @@ enum nft_set_desc_attributes {
  * @NFTA_SET_GC_INTERVAL: garbage collection interval (NLA_U32)
  * @NFTA_SET_USERDATA: user data (NLA_BINARY)
  * @NFTA_SET_OBJ_TYPE: stateful object type (NLA_U32: NFT_OBJECT_*)
+ * @NFTA_SET_HANDLE: numeric handle of the set (NLA_U64)
  */
 enum nft_set_attributes {
        NFTA_SET_UNSPEC,
@@ -337,6 +338,7 @@ enum nft_set_attributes {
        NFTA_SET_USERDATA,
        NFTA_SET_PAD,
        NFTA_SET_OBJ_TYPE,
+       NFTA_SET_HANDLE,
        __NFTA_SET_MAX
 };
 #define NFTA_SET_MAX           (__NFTA_SET_MAX - 1)

diff --git a/src/netlink.c b/src/netlink.c
index 728b6fdf95d5b59ab03e6117217d5aa16509a5fc..9f6d24c8e1e2884d7776e8f73447d6320ca6f0e4 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -195,6 +195,8 @@ struct nftnl_set *alloc_nftnl_set(const struct handle *h)
                nftnl_set_set_str(nls, NFTNL_SET_NAME, h->set);
        if (h->set_id)
                nftnl_set_set_u32(nls, NFTNL_SET_ID, h->set_id);
+       if (h->handle.id)
+               nftnl_set_set_u64(nls, NFTNL_SET_HANDLE, h->handle.id);
 
        return nls;
 }
@@ -981,6 +983,7 @@ static struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
                                           nftnl_set_get_u32(nls, NFTNL_SET_KEY_LEN) * BITS_PER_BYTE,
                                           NULL);
        set->flags   = nftnl_set_get_u32(nls, NFTNL_SET_FLAGS);
+       set->handle.handle.id = nftnl_set_get_u64(nls, NFTNL_SET_HANDLE);
 
        set->objtype = objtype;
 
@@ -1123,6 +1126,7 @@ int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h,
                return 0;
        }
 
+       ctx->data = h;
        err = nftnl_set_list_foreach(set_cache, list_set_cb, ctx);
        nftnl_set_list_free(set_cache);
        return err;

diff --git a/src/parser_bison.y b/src/parser_bison.y
index dd0dcc512e51737c8703eca02f718b2a4a6085b9..d4481ad6c4849f4c8a79bd23d051621909d9e903 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -509,8 +509,8 @@ int nft_lex(void *, void *, void *);
 
 %type <handle>                 table_spec tableid_spec chain_spec chainid_spec flowtable_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec
 %destructor { handle_free(&$$); } table_spec tableid_spec chain_spec chainid_spec flowtable_spec chain_identifier ruleid_spec handle_spec position_spec rule_position ruleset_spec
-%type <handle>                 set_spec set_identifier flowtable_identifier obj_spec obj_identifier
-%destructor { handle_free(&$$); } set_spec set_identifier obj_spec obj_identifier
+%type <handle>                 set_spec setid_spec set_identifier flowtable_identifier obj_spec obj_identifier
+%destructor { handle_free(&$$); } set_spec setid_spec set_identifier obj_spec obj_identifier
 %type <val>                    family_spec family_spec_explicit chain_policy prio_spec
 
 %type <string>                 dev_spec quota_unit
@@ -1048,6 +1048,10 @@ delete_cmd               :       TABLE           table_spec
                        {
                                $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SET, &$2, &@$, NULL);
                        }
+                       |       SET             setid_spec
+                       {
+                               $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SET, &$2, &@$, NULL);
+                       }
                        |       MAP             set_spec
                        {
                                $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_SET, &$2, &@$, NULL);
@@ -1856,6 +1860,14 @@ set_spec         :       table_spec      identifier
                        }
                        ;
 
+setid_spec             :       table_spec      HANDLE NUM
+                       {
+                               $$                      = $1;
+                               $$.handle.location      = @$;
+                               $$.handle.id            = $3;
+                       }
+                       ;
+
 set_identifier         :       identifier
                        {
                                memset(&$$, 0, sizeof($$));

diff --git a/src/rule.c b/src/rule.c
index 29343f75685a5898a43e1445f14b927436a3be0e..d58e58f1743acd8be85a167dc6579cbcd767eb9d 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -377,7 +377,11 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts,
                expr_print(set->init, octx);
                nft_print(octx, "%s", opts->nl);
        }
-       nft_print(octx, "%s}%s", opts->tab, opts->nl);
+       nft_print(octx, "%s}", opts->tab);
+       if (octx->handle > 0)
+               nft_print(octx, " # handle %" PRIu64, set->handle.handle.id);
+       nft_print(octx, "%s", opts->nl);
+
 }
 
 void set_print(const struct set *s, struct output_ctx *octx)