* [nftables PATCH 0/2] work on restoration
@ 2013-06-08 23:08 Eric Leblond
From: Eric Leblond @ 2013-06-08 23:08 UTC (permalink / raw)
To: netfilter-devel
This small patchset is an effort to make restoration possible.
The commands:
nft list table filter >rule.dump
nft -f rule.dump
should backup and restore the ruleset.
This patchset fixes restoration for some rulesets. Rulesets
using limit are currently not supported. I've created a ticket
on bugzilla (http://bugzilla.netfilter.org/show_bug.cgi?id=827).
BR,
--
Eric
* [nftables PATCH 1/2] rule: display hook info
From: Eric Leblond @ 2013-06-08 23:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Eric Leblond
It was not possible to restore a ruleset because of missing
hook information. This patch adds hooknum output to the list
operation.
Signed-off-by: Eric Leblond <eric@regit.org>
---
src/rule.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/src/rule.c b/src/rule.c
index e7627a7..663a7c8 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -19,6 +19,8 @@
#include <rule.h>
#include <utils.h>
+#include <netinet/ip.h>
+#include <linux/netfilter.h>
void handle_free(struct handle *h)
{
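Review bot: the new `#include <netinet/ip.h>` appears to be unused; nothing added by this patch references anything declared there, and the NF_INET_* constants that hooknum_print() switches on come from `<linux/netfilter.h>`. Dropping the unused include keeps rule.c from depending on a header it does not need.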
@@ -224,11 +226,39 @@ struct chain *chain_lookup(const struct table *table, const struct handle *h)
return NULL;
}
+static void hooknum_print(unsigned int hooknum)
+{
+ switch (hooknum) {
+ case NF_INET_PRE_ROUTING:
+ printf("NF_INET_PRE_ROUTING");
+ break;
+ case NF_INET_LOCAL_IN:
+ printf("NF_INET_LOCAL_IN");
+ break;
+ case NF_INET_FORWARD:
+ printf("NF_INET_FORWARD");
+ break;
+ case NF_INET_LOCAL_OUT:
+ printf("NF_INET_LOCAL_OUT");
+ break;
+ case NF_INET_POST_ROUTING:
+ printf("NF_INET_POST_ROUTING");
+ break;
+ default:
+ printf("UNKNOWN");
+ }
+}
+
static void chain_print(const struct chain *chain)
{
struct rule *rule;
printf("\tchain %s {\n", chain->handle.chain);
+ if (chain->hooknum) {
+ printf("\t\t hook ");
+ hooknum_print(chain->hooknum);
+ printf("\t\t%u;\n", chain->priority);
+ }
list_for_each_entry(rule, &chain->rules, list) {
printf("\t\t");
rule_print(rule);
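Review bot: the `if (chain->hooknum)` test in chain_print() treats 0 as "not a base chain", but NF_INET_PRE_ROUTING is 0 in `<linux/netfilter.h>` (it is the first enumerator, and hooknum_print() handles it), so a chain hooked at prerouting is listed without its hook line and cannot be restored as a base chain; a separate base-chain flag or a sentinel outside the NF_INET_* range is needed. Two smaller points in the same hunk: the `default: printf("UNKNOWN")` case emits text that `nft -f` cannot read back, so printing the numeric hooknum (or refusing to list the chain) would serve the restoration goal better; and `chain->priority` is printed with `%u`, while NAT chains conventionally use negative priorities, so check the field's type and use `%d` if it is signed. Finally, `"\t\t hook "` followed by `"\t\t%u;\n"` puts a stray space and two tabs inside the `hook NAME PRIORITY;` line; a single space between the tokens would match the rest of the output.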
--
1.7.10.4
* [nftables PATCH 2/2] counter: fix restoration
From: Eric Leblond @ 2013-06-08 23:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Eric Leblond
It was not possible to restore a ruleset containing counters. The
packets and bytes fields were not known to the parser, but they
were in the output of the list command.
This patch fixes the issue by correctly restoring the counters if
they are present in the command.
Signed-off-by: Eric Leblond <eric@regit.org>
---
src/netlink_linearize.c | 4 ++++
src/parser.y | 28 +++++++++++++++++++++++++---
src/scanner.l | 2 ++
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index cfd6691..accab9c 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -440,6 +440,10 @@ static void netlink_gen_counter_stmt(struct netlink_linearize_ctx *ctx,
struct nfnl_nft_expr *nle;
nle = alloc_nft_expr(nfnl_nft_counter_init);
+ if (stmt->counter.packets)
+ nfnl_nft_counter_set_packets(nle, stmt->counter.packets);
+ if (stmt->counter.bytes)
+ nfnl_nft_counter_set_bytes(nle, stmt->counter.bytes);
nfnl_nft_rule_add_expr(ctx->nlr, nle);
}
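Review bot: the two `if` guards in netlink_gen_counter_stmt() are redundant: a dumped counter whose packets or bytes value is 0 ends up with exactly the zero the kernel uses when the attribute is absent, so `nfnl_nft_counter_set_packets()` and `nfnl_nft_counter_set_bytes()` can be called unconditionally and the hunk shrinks to two lines. It is also worth a sentence in the commit message that `nft -f` on a `list` dump now re-seeds counters with the values captured at dump time instead of starting them at zero; that is the intended backup/restore behaviour, but it changes what users see after a restore.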
diff --git a/src/parser.y b/src/parser.y
index 1232220..2923b59 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -300,6 +300,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token PROTO_DST "proto-dst"
%token COUNTER "counter"
+%token PACKETS "packets"
+%token BYTES "bytes"
%token LOG "log"
%token PREFIX "prefix"
@@ -356,8 +358,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%destructor { stmt_list_free($$); xfree($$); } stmt_list
%type <stmt> stmt match_stmt verdict_stmt
%destructor { stmt_free($$); } stmt match_stmt verdict_stmt
-%type <stmt> counter_stmt
-%destructor { stmt_free($$); } counter_stmt
+%type <stmt> counter_stmt counter_stmt_alloc
+%destructor { stmt_free($$); } counter_stmt counter_stmt_alloc
%type <stmt> meta_stmt
%destructor { stmt_free($$); } meta_stmt
%type <stmt> log_stmt log_stmt_alloc
@@ -892,12 +894,32 @@ verdict_stmt : verdict_expr
}
;
-counter_stmt : COUNTER
+counter_stmt : counter_stmt_alloc
+ | counter_stmt_alloc counter_args
+
+counter_stmt_alloc : COUNTER
{
$$ = counter_stmt_alloc(&@$);
}
;
+counter_args : counter_arg
+ {
+ $<stmt>$ = $<stmt>0;
+ }
+ | counter_args counter_arg
+ ;
+
+counter_arg : PACKETS NUM
+ {
+ $<stmt>0->counter.packets = $2;
+ }
+ | BYTES NUM
+ {
+ $<stmt>0->counter.bytes = $2;
+ }
+ ;
+
log_stmt : log_stmt_alloc
| log_stmt_alloc log_args
;
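Review bot: the `counter_stmt` rule (the two alternatives starting at `counter_stmt : counter_stmt_alloc`) is missing the terminating `;` that every other rule here ends with, including `log_stmt` directly below; bison accepts the omission because `counter_stmt_alloc :` starts a new rule, but as written it reads as if that were a third alternative, so please add the `;` for consistency. Also confirm that NUM's semantic value is a 64-bit type before it is assigned to `counter.packets` and `counter.bytes`: byte counters on a busy box pass 2^32 quickly, and a dump carrying such a value would otherwise be restored silently truncated. The `$<stmt>0` back-reference into the preceding `counter_stmt_alloc` mirrors the existing `log_stmt_alloc log_args` pattern, so that part is fine; note that repeated arguments (`counter packets 1 packets 2`) are accepted with last-wins semantics, which is acceptable for generated dumps.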
diff --git a/src/scanner.l b/src/scanner.l
index edecf7b..fe7b86c 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -250,6 +250,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"rename" { return RENAME; }
"counter" { return COUNTER; }
+"packets" { return PACKETS; }
+"bytes" { return BYTES; }
"log" { return LOG; }
"prefix" { return PREFIX; }
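Review bot: `"packets"` and `"bytes"` become unconditional keywords of the scanner (the new rules carry no start condition, so they fire wherever the words appear, not only after `counter`), which means a table, chain or set named `packets` or `bytes` will no longer parse. That is consistent with how `counter`, `log` and `prefix` are already handled and is acceptable, but it is a small user-visible change that deserves a line in the commit message.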
--
1.7.10.4
* Re: [nftables PATCH 1/2] rule: display hook info
From: Pablo Neira Ayuso @ 2013-06-12 9:43 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter-devel
On Sun, Jun 09, 2013 at 01:08:46AM +0200, Eric Leblond wrote:
> It was not possible to restore a ruleset because of missing
> hook information. This patch adds hooknum output to the list
> operation.
I have mangled this patch to use a string array instead. I have pushed
it to master.
* Re: [nftables PATCH 2/2] counter: fix restoration
From: Pablo Neira Ayuso @ 2013-06-12 9:43 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter-devel
On Sun, Jun 09, 2013 at 01:08:47AM +0200, Eric Leblond wrote:
> It was not possible to restore a ruleset containing counters. The
> packets and bytes fields were not known to the parser, but they
> were in the output of the list command.
> This patch fixes the issue by correctly restoring the counters if
> they are present in the command.
Applied, thanks Eric.