src: add --check option flag

Sometimes it can be useful to test if a command is valid without
applying any change to the rule-set. This commit adds a new option
flag (-c | --check) that performs a dry run execution of the commands.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/doc/nft.xml b/doc/nft.xml
index e9ccd63c7164edd37a87aea0283f0595440e2e5b..970acb541e00412eef18247ebe3774c63416854d 100644 (file)
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -51,6 +51,9 @@ vi:ts=4 sw=4
                        <arg choice="opt">
                                <option>-s | --stateless</option>
                        </arg>
+                       <arg choice="opt">
+                               <option>-c | --check</option>
+                       </arg>
                        <arg choice="opt">
                                <option>[-I | --includepath]</option>
                                <replaceable>directory</replaceable>
@@ -129,6 +132,14 @@ vi:ts=4 sw=4
                                        </para>
                                </listitem>
                        </varlistentry>
+                       <varlistentry>
+                               <term><option>-c, --check</option></term>
+                               <listitem>
+                                       <para>
+                                               Check commands validity without actually applying the changes.
+                                       </para>
+                               </listitem>
+                       </varlistentry>
                        <varlistentry>
                                <term><option>-N</option></term>
                                <listitem>

diff --git a/include/nftables.h b/include/nftables.h
index dbd46377ce8782bcdca9e0252530c9f4eeb9b1a4..26fd34412c3f2028c536a94e465948d35c9c0f8a 100644 (file)
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -33,6 +33,7 @@ struct output_ctx {
 
 struct nft_ctx {
        struct output_ctx       output;
+       bool                    check;
 };
 
 extern unsigned int max_errors;

diff --git a/src/main.c b/src/main.c
index a94cf7cca68c7ce882b39d8de9c0c410a4db806b..7fbf00a7a55948be2fa8c713e6e74a26d40f678a 100644 (file)
--- a/src/main.c
+++ b/src/main.c
@@ -40,6 +40,7 @@ static unsigned int num_include_paths = 1;
 enum opt_vals {
        OPT_HELP                = 'h',
        OPT_VERSION             = 'v',
+       OPT_CHECK               = 'c',
        OPT_FILE                = 'f',
        OPT_INTERACTIVE         = 'i',
        OPT_INCLUDEPATH         = 'I',
@@ -51,7 +52,7 @@ enum opt_vals {
        OPT_INVALID             = '?',
 };
 
-#define OPTSTRING      "hvf:iI:vnsNa"
+#define OPTSTRING      "hvcf:iI:vnsNa"
 
 static const struct option options[] = {
        {
@@ -62,6 +63,10 @@ static const struct option options[] = {
                .name           = "version",
                .val            = OPT_VERSION,
        },
+       {
+               .name           = "check",
+               .val            = OPT_CHECK,
+       },
        {
                .name           = "file",
                .val            = OPT_FILE,
@@ -113,6 +118,7 @@ static void show_help(const char *name)
 "  -h, --help                  Show this help\n"
 "  -v, --version                       Show version information\n"
 "\n"
+"  -c, --check                 Check commands validity without actually applying the changes.\n"
 "  -f, --file <filename>               Read input from <filename>\n"
 "  -i, --interactive           Read input from interactive CLI\n"
 "\n"
@@ -202,7 +208,8 @@ static int nft_netlink(struct nft_ctx *nft, struct parser_state *state,
                if (ret < 0)
                        goto out;
        }
-       mnl_batch_end(batch);
+       if (!nft->check)
+               mnl_batch_end(batch);
 
        if (!mnl_batch_ready(batch))
                goto out;
@@ -278,6 +285,9 @@ int main(int argc, char * const *argv)
                        printf("%s v%s (%s)\n",
                               PACKAGE_NAME, PACKAGE_VERSION, RELEASE_NAME);
                        exit(NFT_EXIT_SUCCESS);
+               case OPT_CHECK:
+                       nft.check = true;
+                       break;
                case OPT_FILE:
                        filename = optarg;
                        break;