rule: add flag to display rule handle as comment

Knowing the rule handle is necessary to be able to delete a single
rule. It was not displayed till now in the output and it was thus
impossible to remove a single rule.
This patch modify the listing output to add a comment containing
the handle when the -a/--handle flag is provided.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/nftables.h b/include/nftables.h
index 0eab1e50cdf259e0cceae693f5c4d8b493760051..ff91d93423619fbe1f710b5cd5405e072691e109 100644 (file)
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -21,6 +21,7 @@ enum debug_level {
 #define INCLUDE_PATHS_MAX      16
 
 extern unsigned int numeric_output;
+extern unsigned int handle_output;
 extern unsigned int debug_level;
 extern const char *include_paths[INCLUDE_PATHS_MAX];
 

diff --git a/src/main.c b/src/main.c
index 283ec289e06847123b2ba70f0ece490b872d048d..48d4e038a642716aa52d0b528ee9990c7f5e4259 100644 (file)
--- a/src/main.c
+++ b/src/main.c
@@ -26,6 +26,7 @@
 #include <erec.h>
 
 unsigned int numeric_output;
+unsigned int handle_output;
 #ifdef DEBUG
 unsigned int debug_level;
 #endif
@@ -41,10 +42,11 @@ enum opt_vals {
        OPT_INCLUDEPATH         = 'I',
        OPT_NUMERIC             = 'n',
        OPT_DEBUG               = 'd',
+       OPT_HANDLE_OUTPUT       = 'a',
        OPT_INVALID             = '?',
 };
 
-#define OPTSTRING      "hvf:iI:vn"
+#define OPTSTRING      "hvf:iI:vna"
 
 static const struct option options[] = {
        {
@@ -80,6 +82,10 @@ static const struct option options[] = {
                .has_arg        = 1,
        },
 #endif
+       {
+               .name           = "handle",
+               .val            = OPT_HANDLE_OUTPUT,
+       },
        {
                .name           = NULL
        }
@@ -100,6 +106,7 @@ static void show_help(const char *name)
 "  -n/--numeric                        When specified once, show network addresses numerically.\n"
 "                              When specified twice, also show Internet protocols,\n"
 "                              Internet services, user IDs and group IDs numerically.\n"
+"  -a/--handle                 Output rule handle.\n"
 "  -I/--includepath <directory>        Add <directory> to the paths searched for include files.\n"
 #ifdef DEBUG
 "  --debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, all)\n"
@@ -244,6 +251,9 @@ int main(int argc, char * const *argv)
                        }
                        break;
 #endif
+               case OPT_HANDLE_OUTPUT:
+                       handle_output++;
+                       break;
                case OPT_INVALID:
                        exit(NFT_EXIT_FAILURE);
                }

diff --git a/src/rule.c b/src/rule.c
index 9d9eaee3e22982b65c8dbcddd66ab7835a059dee..e77323d87b0d2ec618257e544c1c2395d6811abe 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -13,6 +13,7 @@
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
+#include <inttypes.h>
 
 #include <statement.h>
 #include <rule.h>
@@ -136,6 +137,8 @@ void rule_print(const struct rule *rule)
                printf(" ");
                stmt->ops->print(stmt);
        }
+       if (handle_output > 0)
+               printf(" # handle %" PRIu64, rule->handle.handle);
        printf("\n");
 }