[PATCH nft 0/7] listing command updates

[PATCH nft 0/7] listing command updates

[Pablo Neira Ayuso]

Hi,

This patchset is following up after:

http://www.spinics.net/lists/netfilter-devel/msg38491.html

In a nutshell, what I'm proposing is that:

* `list {tables,chains,sets}' only display the object declaration, not its
  definition (ie. content). Moreover, if no family is specified, then they
  show all families to get this aligned with `list ruleset'.

* If you want to obtain the objects definition, then you use the
  `list {table,chain,set}' variant.

* We always provide an output that doesn't break `nft -f'.

Let me know if you have any comment,
Thanks.

Pablo Neira Ayuso (7):
  rule: display table when listing sets
  src: add `list chains' command
  rule: display table when listing one set
  evaluate: check if set exists before listing it
  rule: `list sets' only displays declaration, not definition
  rule: rework list chain
  parser_bison: show all sets via list sets with no family

 include/rule.h     |  2 ++
 src/evaluate.c     | 13 +++++++-
 src/parser_bison.y | 18 ++++------
 src/rule.c         | 97 ++++++++++++++++++++++++++++++++++++++++++++++++++----
 4 files changed, 111 insertions(+), 19 deletions(-)

-- 
2.1.4

[PATCH nft 1/7] rule: display table when listing sets

[Pablo Neira Ayuso]

After this patch:

 # nft list sets ip
 table ip test {
        set pepe {
                type ipv4_addr
        }
 }

Before:

 # nft list sets ip
        set pepe {
                type ipv4_addr
        }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/rule.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/rule.c b/src/rule.c
index 92b83f0..71b26e3 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -983,8 +983,18 @@ static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd)
 	struct set *set;
 
 	list_for_each_entry(table, &table_list, list) {
+		if (cmd->handle.family != NFPROTO_UNSPEC &&
+		    cmd->handle.family != table->handle.family)
+			continue;
+
+		printf("table %s %s {\n",
+		       family2str(table->handle.family),
+		       table->handle.table);
+
 		list_for_each_entry(set, &table->sets, list)
 			set_print(set);
+
+		printf("}\n");
 	}
 	return 0;
 }
-- 
2.1.4

[PATCH nft 2/7] src: add `list chains' command

[Pablo Neira Ayuso]

 # nft list chains
 table ip filter {
        chain test1 {
        }
        chain test2 {
        }
        chain input {
                type filter hook input priority 0; policy accept;
        }
 }
 table ip6 filter {
        chain test1 {
        }
        chain input {
                type filter hook input priority 0; policy accept;
        }
 }

You can also filter out per family:

 # nft list chains ip
 table ip x {
        chain y {
        }
        chain xz {
        }
        chain input {
                type filter hook input priority 0; policy accept;
        }
 }

 # nft list chains ip6
 table ip6 filter {
        chain x {
        }
        chain input {
                type filter hook input priority 0; policy accept;
        }
 }

This command only shows the chain declarations, so the content (the
definition) is omitted.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/rule.h     |  2 ++
 src/evaluate.c     |  1 +
 src/parser_bison.y |  4 ++++
 src/rule.c         | 38 +++++++++++++++++++++++++++++++++++---
 4 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/include/rule.h b/include/rule.h
index f137a4c..30b4597 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -270,6 +270,7 @@ enum cmd_ops {
  * @CMD_OBJ_SETS:	multiple sets
  * @CMD_OBJ_RULE:	rule
  * @CMD_OBJ_CHAIN:	chain
+ * @CMD_OBJ_CHAINS:	multiple chains
  * @CMD_OBJ_TABLE:	table
  * @CMD_OBJ_RULESET:	ruleset
  * @CMD_OBJ_EXPR:	expression
@@ -283,6 +284,7 @@ enum cmd_obj {
 	CMD_OBJ_SETS,
 	CMD_OBJ_RULE,
 	CMD_OBJ_CHAIN,
+	CMD_OBJ_CHAINS,
 	CMD_OBJ_TABLE,
 	CMD_OBJ_RULESET,
 	CMD_OBJ_EXPR,
diff --git a/src/evaluate.c b/src/evaluate.c
index e8eafc6..9762586 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2105,6 +2105,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 			return cmd_error(ctx, "Could not process rule: Chain '%s' does not exist",
 					 cmd->handle.chain);
 		return 0;
+	case CMD_OBJ_CHAINS:
 	case CMD_OBJ_SETS:
 	case CMD_OBJ_RULESET:
 		return 0;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 3c371ba..86e2dc9 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -780,6 +780,10 @@ list_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_CHAIN, &$2, &@$, NULL);
 			}
+			|	CHAINS		ruleset_spec
+			{
+				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_CHAINS, &$2, &@$, NULL);
+			}
 			|	SETS		tables_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SETS, &$2, &@$, NULL);
diff --git a/src/rule.c b/src/rule.c
index 71b26e3..4e4126d 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -600,10 +600,8 @@ static const char *chain_policy2str(uint32_t policy)
 	return "unknown";
 }
 
-static void chain_print(const struct chain *chain)
+static void chain_print_declaration(const struct chain *chain)
 {
-	struct rule *rule;
-
 	printf("\tchain %s {\n", chain->handle.chain);
 	if (chain->flags & CHAIN_F_BASECHAIN) {
 		if (chain->dev != NULL) {
@@ -619,6 +617,14 @@ static void chain_print(const struct chain *chain)
 			       chain->priority, chain_policy2str(chain->policy));
 		}
 	}
+}
+
+static void chain_print(const struct chain *chain)
+{
+	struct rule *rule;
+
+	chain_print_declaration(chain);
+
 	list_for_each_entry(rule, &chain->rules, list) {
 		printf("\t\t");
 		rule_print(rule);
@@ -1036,6 +1042,30 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd)
 	return 0;
 }
 
+static int do_list_chains(struct netlink_ctx *ctx, struct cmd *cmd)
+{
+	struct table *table;
+	struct chain *chain;
+
+	list_for_each_entry(table, &table_list, list) {
+		if (cmd->handle.family != NFPROTO_UNSPEC &&
+		    cmd->handle.family != table->handle.family)
+			continue;
+
+		printf("table %s %s {\n",
+		       family2str(table->handle.family),
+		       table->handle.table);
+
+		list_for_each_entry(chain, &table->chains, list) {
+			chain_print_declaration(chain);
+			printf("\t}\n");
+		}
+		printf("}\n");
+	}
+
+	return 0;
+}
+
 static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd,
 		       struct table *table)
 {
@@ -1063,6 +1093,8 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
 		return do_list_table(ctx, cmd, table);
 	case CMD_OBJ_CHAIN:
 		return do_list_table(ctx, cmd, table);
+	case CMD_OBJ_CHAINS:
+		return do_list_chains(ctx, cmd);
 	case CMD_OBJ_SETS:
 		return do_list_sets(ctx, cmd);
 	case CMD_OBJ_SET:
-- 
2.1.4

[PATCH nft 3/7] rule: display table when listing one set

[Pablo Neira Ayuso]

After:

 # nft list set ip6 test foo
 table ip6 test {
        set foo {
                type ipv4_addr
        }
 }

Before:

  # nft list set ip6 test foo
        set foo {
                type ipv4_addr
        }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/rule.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/rule.c b/src/rule.c
index 4e4126d..58bac76 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1042,6 +1042,13 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd)
 	return 0;
 }
 
+static void table_print_declaration(struct table *table)
+{
+	printf("table %s %s {\n",
+		family2str(table->handle.family),
+		table->handle.table);
+}
+
 static int do_list_chains(struct netlink_ctx *ctx, struct cmd *cmd)
 {
 	struct table *table;
@@ -1052,9 +1059,7 @@ static int do_list_chains(struct netlink_ctx *ctx, struct cmd *cmd)
 		    cmd->handle.family != table->handle.family)
 			continue;
 
-		printf("table %s %s {\n",
-		       family2str(table->handle.family),
-		       table->handle.table);
+		table_print_declaration(table);
 
 		list_for_each_entry(chain, &table->chains, list) {
 			chain_print_declaration(chain);
@@ -1075,7 +1080,10 @@ static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd,
 	if (set == NULL)
 		return -1;
 
+	table_print_declaration(table);
 	set_print(set);
+	printf("}\n");
+
 	return 0;
 }
 
-- 
2.1.4

[PATCH nft 4/7] evaluate: check if set exists before listing it

[Pablo Neira Ayuso]

After this patch, we obtain:

 # nft list set ip6 test pepe
 <cmdline>:1:1-22: Error: Could not process rule: Set 'foo' does not exist
 list set ip6 test foo
 ^^^^^^^^^^^^^^^^^^^^^

So we get things aligned with table and chain listing commands.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 9762586..4f9299e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2091,10 +2091,20 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 	case CMD_OBJ_TABLE:
 		if (cmd->handle.table == NULL)
 			return 0;
+
+		table = table_lookup(&cmd->handle);
+		if (table == NULL)
+			return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
+					 cmd->handle.table);
+		return 0;
 	case CMD_OBJ_SET:
-		if (table_lookup(&cmd->handle) == NULL)
+		table = table_lookup(&cmd->handle);
+		if (table == NULL)
 			return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
 					 cmd->handle.table);
+		if (set_lookup(table, cmd->handle.set) == NULL)
+			return cmd_error(ctx, "Could not process rule: Set '%s' does not exist",
+					 cmd->handle.set);
 		return 0;
 	case CMD_OBJ_CHAIN:
 		table = table_lookup(&cmd->handle);
-- 
2.1.4

[PATCH nft 5/7] rule: `list sets' only displays declaration, not definition

[Pablo Neira Ayuso]

 # nft list sets
 table ip nat {
        set libssh {
                type ipv4_addr
        }
 }
 table inet filter {
        set set0 {
                type inet_service
                flags constant
        }
        set set1 {
                type inet_service
                flags constant
        }
        set set2 {
                type icmpv6_type
                flags constant
        }
 }

So in case you want to inspect the definition, you have to use `list set'
and the specific set that you want to inspect:

 # nft list set inet filter set0
 table inet filter {
        set set0 {
                type inet_service
                flags constant
                elements = { 2200, ssh}
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/rule.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/rule.c b/src/rule.c
index 58bac76..08db38b 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -254,7 +254,8 @@ static const char *set_policy2str(uint32_t policy)
 	}
 }
 
-static void do_set_print(const struct set *set, struct print_fmt_options *opts)
+static void set_print_declaration(const struct set *set,
+				  struct print_fmt_options *opts)
 {
 	const char *delim = "";
 	const char *type;
@@ -322,6 +323,11 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts)
 		time_print(set->gc_int / 1000);
 		printf("%s", opts->nl);
 	}
+}
+
+static void do_set_print(const struct set *set, struct print_fmt_options *opts)
+{
+	set_print_declaration(set, opts);
 
 	if (set->init != NULL && set->init->size > 0) {
 		printf("%s%selements = ", opts->tab, opts->tab);
@@ -985,6 +991,11 @@ static int do_list_table(struct netlink_ctx *ctx, struct cmd *cmd,
 
 static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd)
 {
+	struct print_fmt_options opts = {
+		.tab		= "\t",
+		.nl		= "\n",
+		.stmt_separator	= "\n",
+	};
 	struct table *table;
 	struct set *set;
 
@@ -997,8 +1008,10 @@ static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd)
 		       family2str(table->handle.family),
 		       table->handle.table);
 
-		list_for_each_entry(set, &table->sets, list)
-			set_print(set);
+		list_for_each_entry(set, &table->sets, list) {
+			set_print_declaration(set, &opts);
+			printf("%s}%s", opts.tab, opts.nl);
+		}
 
 		printf("}\n");
 	}
-- 
2.1.4

[PATCH nft 6/7] rule: rework list chain

[Pablo Neira Ayuso]

After this patch:

 # nft list chain inet filter forward
 table inet filter {
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related counter packets 39546074 bytes 11566126287 accept
        }
 }

Before this patch, this was showing the full table definition, including
all chains, which is not what the user is asking for.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/rule.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/rule.c b/src/rule.c
index 08db38b..6d617d2 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -1062,6 +1062,26 @@ static void table_print_declaration(struct table *table)
 		table->handle.table);
 }
 
+static int do_list_chain(struct netlink_ctx *ctx, struct cmd *cmd,
+			 struct table *table)
+{
+	struct chain *chain;
+
+	table_print_declaration(table);
+
+	list_for_each_entry(chain, &table->chains, list) {
+		if (chain->handle.family != cmd->handle.family ||
+		    strcmp(cmd->handle.chain, chain->handle.chain) != 0)
+			continue;
+
+		chain_print(chain);
+	}
+
+	printf("}\n");
+
+	return 0;
+}
+
 static int do_list_chains(struct netlink_ctx *ctx, struct cmd *cmd)
 {
 	struct table *table;
@@ -1113,7 +1133,7 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd)
 			return do_list_tables(ctx, cmd);
 		return do_list_table(ctx, cmd, table);
 	case CMD_OBJ_CHAIN:
-		return do_list_table(ctx, cmd, table);
+		return do_list_chain(ctx, cmd, table);
 	case CMD_OBJ_CHAINS:
 		return do_list_chains(ctx, cmd);
 	case CMD_OBJ_SETS:
-- 
2.1.4

[PATCH nft 7/7] parser_bison: show all sets via list sets with no family

[Pablo Neira Ayuso]

Default to the same behaviour that we get through `list ruleset', ie.

 # nft list sets
 table ip test1 {
        set foo {
                type ipv4_addr
        }
 }
 table ip6 test2 {
        set bar {
                type ipv6_addr
        }
 }

 # nft list sets ip
 table ip test1 {
        set foo {
                type ipv4_addr
        }
 }

 # nft list sets ip6
 table ip6 test2 {
        set bar {
                type ipv6_addr
        }
 }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 86e2dc9..98480b6 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -416,8 +416,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %type <cmd>			base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd
 %destructor { cmd_free($$); }	base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd describe_cmd
 
-%type <handle>			table_spec tables_spec chain_spec chain_identifier ruleid_spec ruleset_spec
-%destructor { handle_free(&$$); } table_spec tables_spec chain_spec chain_identifier ruleid_spec ruleset_spec
+%type <handle>			table_spec chain_spec chain_identifier ruleid_spec ruleset_spec
+%destructor { handle_free(&$$); } table_spec chain_spec chain_identifier ruleid_spec ruleset_spec
 %type <handle>			set_spec set_identifier
 %destructor { handle_free(&$$); } set_spec set_identifier
 %type <val>			handle_spec family_spec family_spec_explicit position_spec chain_policy
@@ -784,7 +784,7 @@ list_cmd		:	TABLE		table_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_CHAINS, &$2, &@$, NULL);
 			}
-			|	SETS		tables_spec
+			|	SETS		ruleset_spec
 			{
 				$$ = cmd_alloc(CMD_LIST, CMD_OBJ_SETS, &$2, &@$, NULL);
 			}
@@ -1195,14 +1195,6 @@ table_spec		:	family_spec	identifier
 			}
 			;
 
-tables_spec		:	family_spec
-			{
-				memset(&$$, 0, sizeof($$));
-				$$.family	= $1;
-				$$.table	= NULL;
-			}
-			;
-
 chain_spec		:	table_spec	identifier
 			{
 				$$		= $1;
-- 
2.1.4

Re: [PATCH nft 0/7] listing command updates

[Arturo Borrero Gonzalez]

On 8 October 2015 at 22:49, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Hi,
>
> This patchset is following up after:
>
> http://www.spinics.net/lists/netfilter-devel/msg38491.html
>
> In a nutshell, what I'm proposing is that:
>
> * `list {tables,chains,sets}' only display the object declaration, not its
>   definition (ie. content). Moreover, if no family is specified, then they
>   show all families to get this aligned with `list ruleset'.
>
> * If you want to obtain the objects definition, then you use the
>   `list {table,chain,set}' variant.
>
> * We always provide an output that doesn't break `nft -f'.
>
> Let me know if you have any comment,

I agree with the changes :-)

Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>

-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nft 0/7] listing command updates

[Pablo Neira Ayuso]

On Fri, Oct 09, 2015 at 09:09:10AM +0200, Arturo Borrero Gonzalez wrote:
> On 8 October 2015 at 22:49, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Hi,
> >
> > This patchset is following up after:
> >
> > http://www.spinics.net/lists/netfilter-devel/msg38491.html
> >
> > In a nutshell, what I'm proposing is that:
> >
> > * `list {tables,chains,sets}' only display the object declaration, not its
> >   definition (ie. content). Moreover, if no family is specified, then they
> >   show all families to get this aligned with `list ruleset'.
> >
> > * If you want to obtain the objects definition, then you use the
> >   `list {table,chain,set}' variant.
> >
> > * We always provide an output that doesn't break `nft -f'.
> >
> > Let me know if you have any comment,
> 
> I agree with the changes :-)
> 
> Acked-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>

Just pushed out this. Please, help testing, thanks.