git.ipfire.org Git - thirdparty/nftables.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 24 Aug 2018 09:04:30 +0000 (11:04 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 24 Aug 2018 10:25:33 +0000 (12:25 +0200)
commit	9e45a28ca467f08b9c01baf73d1849055e53ea0b
tree	1eb0c76d643e66383230428aac3054d6310d15c2	tree \| snapshot
parent	cebbd9678b7ee6f74b3bd4eefc23de5b27135799	commit \| diff

src: honor /etc/services

This partial patch reverts:

ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
f0f99006d34b ("datatype: Replace getaddrinfo() by internal lookup table")

so /etc/services is used to interpret service names, eg.

# nft add rule x y tcp dport \"ssh\"

Then, listing looks like:

# nft list ruleset -l
table x {
chain y {
...
tcp dport "ssh"
}
}

Major changes with regards to the original approach are:

1) Services are displayed in text via `-l' option.
2) Services are user-defined, just like mappings in /etc/iproute2/*
files and connlabel.conf, so they are displayed enclosed in quotes.

Note that original service name code was broken since it parses both udp
and tcp service names but it only displays tcp services names as
literal. This is because NI_DGRAM is missing. This patch makes nft falls
back on udp services if no literal was found in the initial tcp service
name query. Proper way to handle would be to add infrastructure to store
protocol context information in struct output_ctx.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/datatype.h		diff \| blob \| blame \| history
src/Makefile.am		diff \| blob \| blame \| history
src/datatype.c		diff \| blob \| blame \| history
src/json.c		diff \| blob \| blame \| history
src/services.c	[deleted file]	blob \| blame \| history