[nftables PATCH] rule: display rule handle as comment

[nftables PATCH] rule: display rule handle as comment

[Eric Leblond]

Knowing the rule handle is necessary to be able to delete a single
rule. It was not displayed till now in the output and it was thus
impossible to remove a single rule.
This patch modify the listing output to add a comment containing
the handle.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/rule.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/rule.c b/src/rule.c
index 9d9eaee..b2d7844 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -13,6 +13,7 @@
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
+#include <inttypes.h>
 
 #include <statement.h>
 #include <rule.h>
@@ -136,6 +137,7 @@ void rule_print(const struct rule *rule)
 		printf(" ");
 		stmt->ops->print(stmt);
 	}
+	printf(" # handle %" PRIu64, rule->handle.handle);
 	printf("\n");
 }
 
-- 
1.7.10.4

Re: [nftables PATCH] rule: display rule handle as comment

[Pablo Neira Ayuso]

Hi Eric,

On Tue, May 21, 2013 at 01:09:00AM +0200, Eric Leblond wrote:
> Knowing the rule handle is necessary to be able to delete a single
> rule. It was not displayed till now in the output and it was thus
> impossible to remove a single rule.
> This patch modify the listing output to add a comment containing
> the handle.

Thanks for the patch.

Could you add some option, eg. -a/--handle, so the handle is shown
only if we invoke:

nft -a list table filter

We also support:

nft list table filter > rule-set-file
nft -f rule-set-file

And the handle number will not be of any use there.

[nftables PATCH] rule: add flag to display rule handle as comment

[Eric Leblond]

Knowing the rule handle is necessary to be able to delete a single
rule. It was not displayed till now in the output and it was thus
impossible to remove a single rule.
This patch modify the listing output to add a comment containing
the handle when the -a/--handle flag is provided.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables.h |    1 +
 src/main.c         |   12 +++++++++++-
 src/rule.c         |    3 +++
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/include/nftables.h b/include/nftables.h
index 0eab1e5..ff91d93 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -21,6 +21,7 @@ enum debug_level {
 #define INCLUDE_PATHS_MAX	16
 
 extern unsigned int numeric_output;
+extern unsigned int handle_output;
 extern unsigned int debug_level;
 extern const char *include_paths[INCLUDE_PATHS_MAX];
 
diff --git a/src/main.c b/src/main.c
index 283ec28..48d4e03 100644
--- a/src/main.c
+++ b/src/main.c
@@ -26,6 +26,7 @@
 #include <erec.h>
 
 unsigned int numeric_output;
+unsigned int handle_output;
 #ifdef DEBUG
 unsigned int debug_level;
 #endif
@@ -41,10 +42,11 @@ enum opt_vals {
 	OPT_INCLUDEPATH		= 'I',
 	OPT_NUMERIC		= 'n',
 	OPT_DEBUG		= 'd',
+	OPT_HANDLE_OUTPUT	= 'a',
 	OPT_INVALID		= '?',
 };
 
-#define OPTSTRING	"hvf:iI:vn"
+#define OPTSTRING	"hvf:iI:vna"
 
 static const struct option options[] = {
 	{
@@ -81,6 +83,10 @@ static const struct option options[] = {
 	},
 #endif
 	{
+		.name		= "handle",
+		.val		= OPT_HANDLE_OUTPUT,
+	},
+	{
 		.name		= NULL
 	}
 };
@@ -100,6 +106,7 @@ static void show_help(const char *name)
 "  -n/--numeric			When specified once, show network addresses numerically.\n"
 "  				When specified twice, also show Internet protocols,\n"
 "				Internet services, user IDs and group IDs numerically.\n"
+"  -a/--handle			Output rule handle.\n"
 "  -I/--includepath <directory>	Add <directory> to the paths searched for include files.\n"
 #ifdef DEBUG
 "  --debug <level [,level...]>	Specify debugging level (scanner, parser, eval, netlink, all)\n"
@@ -244,6 +251,9 @@ int main(int argc, char * const *argv)
 			}
 			break;
 #endif
+		case OPT_HANDLE_OUTPUT:
+			handle_output++;
+			break;
 		case OPT_INVALID:
 			exit(NFT_EXIT_FAILURE);
 		}
diff --git a/src/rule.c b/src/rule.c
index 9d9eaee..e77323d 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -13,6 +13,7 @@
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
+#include <inttypes.h>
 
 #include <statement.h>
 #include <rule.h>
@@ -136,6 +137,8 @@ void rule_print(const struct rule *rule)
 		printf(" ");
 		stmt->ops->print(stmt);
 	}
+	if (handle_output > 0)
+		printf(" # handle %" PRIu64, rule->handle.handle);
 	printf("\n");
 }
 
-- 
1.7.10.4

Re: [nftables PATCH] rule: add flag to display rule handle as comment

[Pablo Neira Ayuso]

On Thu, May 30, 2013 at 04:22:46PM +0200, Eric Leblond wrote:
> Knowing the rule handle is necessary to be able to delete a single
> rule. It was not displayed till now in the output and it was thus
> impossible to remove a single rule.
> This patch modify the listing output to add a comment containing
> the handle when the -a/--handle flag is provided.

Applied, thanks Eric!

Re: [nftables PATCH] rule: display rule handle as comment

[Patrick McHardy]

Eric Leblond <eric@regit.org> schrieb:

>Knowing the rule handle is necessary to be able to delete a single
>rule. It was not displayed till now in the output and it was thus
>impossible to remove a single rule.
>This patch modify the listing output to add a comment containing
>the handle.
>
>Signed-off-by: Eric Leblond <eric@regit.org>
>---
> src/rule.c |    2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/src/rule.c b/src/rule.c
>index 9d9eaee..b2d7844 100644
>--- a/src/rule.c
>+++ b/src/rule.c
>@@ -13,6 +13,7 @@
> #include <stdio.h>
> #include <stdint.h>
> #include <string.h>
>+#include <inttypes.h>
> 
> #include <statement.h>
> #include <rule.h>
>@@ -136,6 +137,7 @@ void rule_print(const struct rule *rule)
> 		printf(" ");
> 		stmt->ops->print(stmt);
> 	}
>+	printf(" # handle %" PRIu64, rule->handle.handle);
> 	printf("\n");
> }
> 

The output is supposed to be parsable again and should also remain as readable as possible. I discussed this with Pablo, we agreed on adding a command line switch for this.

Re: [nftables PATCH] rule: display rule handle as comment

[Jesper Dangaard Brouer]

On Tue, 21 May 2013, Eric Leblond wrote:

> Knowing the rule handle is necessary to be able to delete a single
> rule. It was not displayed till now in the output and it was thus
> impossible to remove a single rule.

The current iptables system supports deleting a specific rule by simply 
specifying iptables -D [...] instead of equivilant iptables -A [...]

Would it be possible to keep this semantics in nftables?

Hilsen
   Jesper Brouer

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------

Re: [nftables PATCH] rule: display rule handle as comment

[Patrick McHardy]

On Wed, May 22, 2013 at 03:53:26PM +0200, Jesper Dangaard Brouer wrote:
> 
> On Tue, 21 May 2013, Eric Leblond wrote:
> 
> >Knowing the rule handle is necessary to be able to delete a single
> >rule. It was not displayed till now in the output and it was thus
> >impossible to remove a single rule.
> 
> The current iptables system supports deleting a specific rule by
> simply specifying iptables -D [...] instead of equivilant iptables
> -A [...]
> 
> Would it be possible to keep this semantics in nftables?

Yes, I wanted to add that feature myself. Implementation would be similar
to what we do in iptables, IOW we'd compare either the netlink commands
constructed from the rule specification or the internal expression
representation, whatever seems better suited.