[PATCH 1/3 nft] py: extend python API to support libnftables API

[PATCH 1/3 nft] py: extend python API to support libnftables API

[Fernando Fernandez Mancera]

From: Peter Collinson <pc@hillside.co.uk>

Allows py/nftables.py to support full mapping to the libnftables API. The
changes allow python code to talk in text to the kernel rather than just
using json. The Python API can now also use dry run to test changes.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591
Signed-off-by: Peter Collinson <pc@hillside.co.uk>
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
---
 py/nftables.py | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)

diff --git a/py/nftables.py b/py/nftables.py
index 2a0a1e89..99ba082f 100644
--- a/py/nftables.py
+++ b/py/nftables.py
@@ -116,6 +116,24 @@ class Nftables:
         self.nft_run_cmd_from_buffer.restype = c_int
         self.nft_run_cmd_from_buffer.argtypes = [c_void_p, c_char_p]
 
+        self.nft_run_cmd_from_filename = lib.nft_run_cmd_from_filename
+        self.nft_run_cmd_from_filename.restype = c_int
+        self.nft_run_cmd_from_filename.argtypes = [c_void_p, c_char_p]
+
+        self.nft_ctx_add_include_path = lib.nft_ctx_add_include_path
+        self.nft_ctx_add_include_path.restype = c_int
+        self.nft_ctx_add_include_path.argtypes = [c_void_p, c_char_p]
+
+        self.nft_ctx_clear_include_paths = lib.nft_ctx_clear_include_paths
+        self.nft_ctx_clear_include_paths.argtypes = [c_void_p]
+
+        self.nft_ctx_get_dry_run = lib.nft_ctx_get_dry_run
+        self.nft_ctx_get_dry_run.restype = c_bool
+        self.nft_ctx_get_dry_run.argtypes = [c_void_p]
+
+        self.nft_ctx_set_dry_run = lib.nft_ctx_set_dry_run
+        self.nft_ctx_set_dry_run.argtypes = [c_void_p, c_bool]
+
         self.nft_ctx_free = lib.nft_ctx_free
         lib.nft_ctx_free.argtypes = [c_void_p]
 
@@ -446,3 +464,67 @@ class Nftables:
 
         self.validator.validate(json_root)
         return True
+
+    def cmd_from_file(self, filename):
+        """Run a nftables command set from a file
+
+        filename can be a str or a Path
+
+        Returns a tuple (rc, output, error):
+        rc     -- return code as returned by nft_run_cmd_from_buffer() function
+        output -- a string containing output written to stdout
+        error  -- a string containing output written to stderr
+        """
+
+        filename_is_unicode = False
+        if not isinstance(filename, bytes):
+            filename_is_unicode = True
+            # allow filename to be a Path
+            filename = str(filename)
+            filename= filename.encode("utf-8")
+        rc = self.nft_run_cmd_from_filename(self.__ctx, filename)
+        output = self.nft_ctx_get_output_buffer(self.__ctx)
+        error = self.nft_ctx_get_error_buffer(self.__ctx)
+        if filename_is_unicode:
+            output = output.decode("utf-8")
+            error = error.decode("utf-8")
+        return (rc, output, error)
+
+    def add_include_path(self, filename):
+        """Add a path to the include file list
+        The default list includes /etc
+
+        Returns True on success
+        False if memory allocation fails
+        """
+
+        if not isinstance(filename, bytes):
+            # allow filename to be a Path
+            filename = str(filename)
+            filename= filename.encode("utf-8")
+        rc = self.nft_ctx_add_include_path(self.__ctx, filename)
+        return rc == 0
+
+    def clear_include_paths(self):
+        """Clear include path list
+
+        Will also remove /etc
+        """
+
+        self.nft_ctx_clear_include_paths(self.__ctx)
+
+    def get_dry_run(self):
+        """Get dry run state
+
+        Returns True if set, False otherwise
+        """
+
+        return self.nft_ctx_get_dry_run(self.__ctx)
+
+    def set_dry_run(self, onoff):
+        """ Set dry run state
+
+        Called with True/False
+        """
+
+        self.nft_ctx_set_dry_run(self.__ctx, onoff)
-- 
2.30.2

[PATCH 2/3 nft] py: support variables management and fix formatting

[Fernando Fernandez Mancera]

Add nft_ctx_add_var() and nft_ctx_clear_vars() support through add_var() and
clear_vars(). Also, fix some functions documentation and drop unnecesary
comments.

In addition, modify get_dry_run() to return the previous value set. This is
needed to be consistent with the rest of the python API.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1591
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
---
 py/nftables.py | 43 ++++++++++++++++++++++++++++++-------------
 1 file changed, 30 insertions(+), 13 deletions(-)

diff --git a/py/nftables.py b/py/nftables.py
index 99ba082f..6daeafc2 100644
--- a/py/nftables.py
+++ b/py/nftables.py
@@ -134,6 +134,13 @@ class Nftables:
         self.nft_ctx_set_dry_run = lib.nft_ctx_set_dry_run
         self.nft_ctx_set_dry_run.argtypes = [c_void_p, c_bool]
 
+        self.nft_ctx_add_var = lib.nft_ctx_add_var
+        self.nft_ctx_add_var.restype = c_int
+        self.nft_ctx_add_var.argtypes = [c_void_p, c_char_p]
+
+        self.nft_ctx_clear_vars = lib.nft_ctx_clear_vars
+        self.nft_ctx_clear_vars.argtypes = [c_void_p]
+
         self.nft_ctx_free = lib.nft_ctx_free
         lib.nft_ctx_free.argtypes = [c_void_p]
 
@@ -471,15 +478,13 @@ class Nftables:
         filename can be a str or a Path
 
         Returns a tuple (rc, output, error):
-        rc     -- return code as returned by nft_run_cmd_from_buffer() function
+        rc     -- return code as returned by nft_run_cmd_from_filename() function
         output -- a string containing output written to stdout
         error  -- a string containing output written to stderr
         """
-
         filename_is_unicode = False
         if not isinstance(filename, bytes):
             filename_is_unicode = True
-            # allow filename to be a Path
             filename = str(filename)
             filename= filename.encode("utf-8")
         rc = self.nft_run_cmd_from_filename(self.__ctx, filename)
@@ -492,14 +497,11 @@ class Nftables:
 
     def add_include_path(self, filename):
         """Add a path to the include file list
-        The default list includes /etc
+        The default list includes the built-in default one
 
-        Returns True on success
-        False if memory allocation fails
+        Returns True on success, False if memory allocation fails
         """
-
         if not isinstance(filename, bytes):
-            # allow filename to be a Path
             filename = str(filename)
             filename= filename.encode("utf-8")
         rc = self.nft_ctx_add_include_path(self.__ctx, filename)
@@ -508,9 +510,8 @@ class Nftables:
     def clear_include_paths(self):
         """Clear include path list
 
-        Will also remove /etc
+        Will also remove the built-in default one
         """
-
         self.nft_ctx_clear_include_paths(self.__ctx)
 
     def get_dry_run(self):
@@ -518,13 +519,29 @@ class Nftables:
 
         Returns True if set, False otherwise
         """
-
         return self.nft_ctx_get_dry_run(self.__ctx)
 
     def set_dry_run(self, onoff):
         """ Set dry run state
 
-        Called with True/False
+        Returns the previous dry run state
         """
-
+        old = self.get_dry_run()
         self.nft_ctx_set_dry_run(self.__ctx, onoff)
+
+        return old
+
+    def add_var(self, var):
+        """Add a variable to the variable list
+
+        Returns True if added, False otherwise
+        """
+        if not isinstance(var, bytes):
+            var = var.encode("utf-8")
+        rc = self.nft_ctx_add_var(self.__ctx, var)
+        return rc == 0
+
+    def clear_vars(self):
+        """Clear variable list
+        """
+        self.nft_ctx_clear_vars(self.__ctx)
-- 
2.30.2

[PATCH 3/3 nft] doc: add nft_ctx_add_var() and nft_ctx_clear_vars() docs

[Fernando Fernandez Mancera]

Add missing documentation for nft_ctx_add_var() and nft_ctx_clear_vars()
functions.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
---
 doc/libnftables.adoc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index 3abb9595..550012b4 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -37,6 +37,9 @@ const char *nft_ctx_get_error_buffer(struct nft_ctx* '\*ctx'*);
 int nft_ctx_add_include_path(struct nft_ctx* '\*ctx'*, const char* '\*path'*);
 void nft_ctx_clear_include_paths(struct nft_ctx* '\*ctx'*);
 
+int nft_ctx_add_var(struct nft_ctx* '\*ctx'*, const char* '\*var'*);
+void nft_ctx_clear_vars(struct nft_ctx '\*ctx'*);
+
 int nft_run_cmd_from_buffer(struct nft_ctx* '\*nft'*, const char* '\*buf'*);
 int nft_run_cmd_from_filename(struct nft_ctx* '\*nft'*,
 			      const char* '\*filename'*);*
@@ -206,6 +209,14 @@ The function returns zero on success or non-zero if memory allocation failed.
 
 The *nft_ctx_clear_include_paths*() function removes all include paths, even the built-in default one.
 
+=== nft_ctx_add_var() and nft_ctx_clear_vars()
+The *define* command in nftables ruleset allows to define variables.
+
+The *nft_ctx_add_var*() function extends the list of variables in 'ctx'. The variable must be given in the format 'key=value'.
+The function returns zero on success or non-zero if the variable is malformed.
+
+The *nft_ctx_clear_vars*() function removes all variables.
+
 === nft_run_cmd_from_buffer() and nft_run_cmd_from_filename()
 These functions perform the actual work of parsing user input into nftables commands and executing them.
 
-- 
2.30.2

Re: [PATCH 1/3 nft] py: extend python API to support libnftables API

[Pablo Neira Ayuso]

On Mon, Sep 12, 2022 at 12:52:23PM +0200, Fernando Fernandez Mancera wrote:
> From: Peter Collinson <pc@hillside.co.uk>
> 
> Allows py/nftables.py to support full mapping to the libnftables API. The
> changes allow python code to talk in text to the kernel rather than just
> using json. The Python API can now also use dry run to test changes.

Series, applied.