[PATCH nft v3 0/2] Add option to omit sets elements from listings.

[PATCH nft v3 0/2] Add option to omit sets elements from listings.

[Jeremy Sowden]

From https://bugzilla.netfilter.org/show_bug.cgi?id=1374:

  Listing an entire ruleset or a table with 'nft list ...' will also
  print all elements of all set definitions within the ruleset or
  requested table. Seeing the full set contents is not often necessary
  especially when requesting to see someone's ruleset for help and
  support purposes. It would be helpful if there was an option/flag for
  the nft tool to suppress set contents when listing.

This patch series implements the request by adding a new option: `-t`,
`--terse`.

Since v2:

  * changed the short option for `--numeric-time` from `-t` to `-T`;
  * used a new option (`-t`, `--terse`) instead of extending
    `--stateless`.

Since v1:

  * updated man-page and usage;
  * dropped 'dynamic' as a possible parameter-value.

Jeremy Sowden (2):
  src: use `-T` as the short option for `--numeric-time`.
  src: add --terse to suppress output of set elements.

 doc/libnftables.adoc           | 21 ++++++++++++---------
 doc/nft.txt                    |  6 +++++-
 include/nftables.h             |  5 +++++
 include/nftables/libnftables.h |  1 +
 src/main.c                     | 15 ++++++++++++---
 src/rule.c                     |  3 ++-
 6 files changed, 37 insertions(+), 14 deletions(-)

-- 
2.23.0

[PATCH nft v3 1/2] src: use `-T` as the short option for `--numeric-time`.

[Jeremy Sowden]

A new `--terse` option will be introduced in a later patch.  Change the
short option used for `--numeric-time` from `-t` to `-T` in order to
leave `-t` free.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 doc/nft.txt | 2 +-
 src/main.c  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index 9bc5986b6416..616640a84c94 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -93,7 +93,7 @@ For a full summary of options, run *nft --help*.
 	Read input from an interactive readline CLI. You can use quit to exit, or use the EOF marker,
 	normally this is CTRL-D.
 
-*-t*::
+*-T*::
 *--numeric-time*::
 	Show time, day and hour values in numeric format.
 
diff --git a/src/main.c b/src/main.c
index 577850e54f68..238c5e0bf9ef 100644
--- a/src/main.c
+++ b/src/main.c
@@ -42,10 +42,10 @@ enum opt_vals {
 	OPT_GUID		= 'u',
 	OPT_NUMERIC_PRIO	= 'y',
 	OPT_NUMERIC_PROTO	= 'p',
-	OPT_NUMERIC_TIME	= 't',
+	OPT_NUMERIC_TIME	= 'T',
 	OPT_INVALID		= '?',
 };
-#define OPTSTRING	"+hvcf:iI:jvnsNaeSupypt"
+#define OPTSTRING	"+hvcf:iI:jvnsNaeSupypT"
 
 static const struct option options[] = {
 	{
@@ -145,7 +145,7 @@ static void show_help(const char *name)
 "  -S, --service			Translate ports to service names as described in /etc/services.\n"
 "  -p, --numeric-protocol	Print layer 4 protocols numerically.\n"
 "  -y, --numeric-priority	Print chain priority numerically.\n"
-"  -t, --numeric-time		Print time values numerically.\n"
+"  -T, --numeric-time		Print time values numerically.\n"
 "  -a, --handle			Output rule handle.\n"
 "  -e, --echo			Echo what has been added, inserted or replaced.\n"
 "  -I, --includepath <directory>	Add <directory> to the paths searched for include files. Default is: %s\n"
-- 
2.23.0

[PATCH nft v3 2/2] src: add --terse to suppress output of set elements.

[Jeremy Sowden]

Listing an entire ruleset or a table with `nft list` prints the elements
of all set definitions within the ruleset or table.  Seeing the full set
contents is not often necessary especially when requesting to see
someone's ruleset for help and support purposes.  Add a new option '-t,
--terse' options to suppress the output of set contents.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1374
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
 doc/libnftables.adoc           | 21 ++++++++++++---------
 doc/nft.txt                    |  4 ++++
 include/nftables.h             |  5 +++++
 include/nftables/libnftables.h |  1 +
 src/main.c                     | 11 ++++++++++-
 src/rule.c                     |  3 ++-
 6 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/doc/libnftables.adoc b/doc/libnftables.adoc
index ea9626afa101..8ce1196fd47e 100644
--- a/doc/libnftables.adoc
+++ b/doc/libnftables.adoc
@@ -80,16 +80,17 @@ The flags setting controls the output format.
 
 ----
 enum {
-        NFT_CTX_OUTPUT_REVERSEDNS  = (1 << 0),
-        NFT_CTX_OUTPUT_SERVICE     = (1 << 1),
-        NFT_CTX_OUTPUT_STATELESS   = (1 << 2),
-        NFT_CTX_OUTPUT_HANDLE      = (1 << 3),
-        NFT_CTX_OUTPUT_JSON        = (1 << 4),
-        NFT_CTX_OUTPUT_ECHO        = (1 << 5),
-        NFT_CTX_OUTPUT_GUID        = (1 << 6),
-        NFT_CTX_OUTPUT_NUMERIC_PROTO = (1 << 7),
-        NFT_CTX_OUTPUT_NUMERIC_PRIO = (1 << 8),
+        NFT_CTX_OUTPUT_REVERSEDNS     = (1 << 0),
+        NFT_CTX_OUTPUT_SERVICE        = (1 << 1),
+        NFT_CTX_OUTPUT_STATELESS      = (1 << 2),
+        NFT_CTX_OUTPUT_HANDLE         = (1 << 3),
+        NFT_CTX_OUTPUT_JSON           = (1 << 4),
+        NFT_CTX_OUTPUT_ECHO           = (1 << 5),
+        NFT_CTX_OUTPUT_GUID           = (1 << 6),
+        NFT_CTX_OUTPUT_NUMERIC_PROTO  = (1 << 7),
+        NFT_CTX_OUTPUT_NUMERIC_PRIO   = (1 << 8),
         NFT_CTX_OUTPUT_NUMERIC_SYMBOL = (1 << 9),
+        NFT_CTX_OUTPUT_TERSE          = (1 << 11),
 };
 ----
 
@@ -123,6 +124,8 @@ NFT_CTX_OUTPUT_NUMERIC_SYMBOL::
 	Display expression datatype as numeric value.
 NFT_CTX_OUTPUT_NUMERIC_ALL::
 	Display all numerically.
+NFT_CTX_OUTPUT_TERSE::
+	If terse output has been requested, then the contents of sets are not printed.
 
 The *nft_ctx_output_get_flags*() function returns the output flags setting's value in 'ctx'.
 
diff --git a/doc/nft.txt b/doc/nft.txt
index 616640a84c94..2c79009948a5 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -97,6 +97,10 @@ For a full summary of options, run *nft --help*.
 *--numeric-time*::
 	Show time, day and hour values in numeric format.
 
+*-t*::
+*--terse*::
+	Omit contents of sets from output.
+
 INPUT FILE FORMATS
 ------------------
 LEXICAL CONVENTIONS
diff --git a/include/nftables.h b/include/nftables.h
index 1ecf5ef5269c..21553c6bb3a5 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -90,6 +90,11 @@ static inline bool nft_output_numeric_symbol(const struct output_ctx *octx)
 	return octx->flags & NFT_CTX_OUTPUT_NUMERIC_SYMBOL;
 }
 
+static inline bool nft_output_terse(const struct output_ctx *octx)
+{
+	return octx->flags & NFT_CTX_OUTPUT_TERSE;
+}
+
 struct nft_cache {
 	uint32_t		genid;
 	struct list_head	list;
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index 7a7a46f3358a..765b20dd71ee 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -56,6 +56,7 @@ enum {
 	NFT_CTX_OUTPUT_NUMERIC_ALL	= (NFT_CTX_OUTPUT_NUMERIC_PROTO |
 					   NFT_CTX_OUTPUT_NUMERIC_PRIO |
 					   NFT_CTX_OUTPUT_NUMERIC_SYMBOL),
+	NFT_CTX_OUTPUT_TERSE		= (1 << 11),
 };
 
 unsigned int nft_ctx_output_get_flags(struct nft_ctx *ctx);
diff --git a/src/main.c b/src/main.c
index 238c5e0bf9ef..ebd6d7c322d7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -43,9 +43,10 @@ enum opt_vals {
 	OPT_NUMERIC_PRIO	= 'y',
 	OPT_NUMERIC_PROTO	= 'p',
 	OPT_NUMERIC_TIME	= 'T',
+	OPT_TERSE		= 't',
 	OPT_INVALID		= '?',
 };
-#define OPTSTRING	"+hvcf:iI:jvnsNaeSupypT"
+#define OPTSTRING	"+hvcf:iI:jvnsNaeSupypTt"
 
 static const struct option options[] = {
 	{
@@ -119,6 +120,10 @@ static const struct option options[] = {
 		.name		= "numeric-time",
 		.val		= OPT_NUMERIC_TIME,
 	},
+	{
+		.name		= "terse",
+		.val		= OPT_TERSE,
+	},
 	{
 		.name		= NULL
 	}
@@ -140,6 +145,7 @@ static void show_help(const char *name)
 "  -j, --json			Format output in JSON\n"
 "  -n, --numeric			Print fully numerical output.\n"
 "  -s, --stateless		Omit stateful information of ruleset.\n"
+"  -t, --terse			Omit contents of sets.\n"
 "  -u, --guid			Print UID/GID as defined in /etc/passwd and /etc/group.\n"
 "  -N				Translate IP addresses to names.\n"
 "  -S, --service			Translate ports to service names as described in /etc/services.\n"
@@ -301,6 +307,9 @@ int main(int argc, char * const *argv)
 		case OPT_NUMERIC_TIME:
 			output_flags |= NFT_CTX_OUTPUT_NUMERIC_TIME;
 			break;
+		case OPT_TERSE:
+			output_flags |= NFT_CTX_OUTPUT_TERSE;
+			break;
 		case OPT_INVALID:
 			exit(EXIT_FAILURE);
 		}
diff --git a/src/rule.c b/src/rule.c
index 55894cbdb766..64756bcee6b8 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -538,7 +538,8 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts,
 {
 	set_print_declaration(set, opts, octx);
 
-	if (set->flags & NFT_SET_EVAL && nft_output_stateless(octx)) {
+	if ((set->flags & NFT_SET_EVAL && nft_output_stateless(octx)) ||
+	    nft_output_terse(octx)) {
 		nft_print(octx, "%s}%s", opts->tab, opts->nl);
 		return;
 	}
-- 
2.23.0

Re: [PATCH nft v3 0/2] Add option to omit sets elements from listings.

[Pablo Neira Ayuso]

On Mon, Oct 21, 2019 at 10:49:20PM +0100, Jeremy Sowden wrote:
> From https://bugzilla.netfilter.org/show_bug.cgi?id=1374:
> 
>   Listing an entire ruleset or a table with 'nft list ...' will also
>   print all elements of all set definitions within the ruleset or
>   requested table. Seeing the full set contents is not often necessary
>   especially when requesting to see someone's ruleset for help and
>   support purposes. It would be helpful if there was an option/flag for
>   the nft tool to suppress set contents when listing.
> 
> This patch series implements the request by adding a new option: `-t`,
> `--terse`.

Series applied, thanks Jeremy.

BTW, not your fault, but it seems libnftables documentation is missing
an update for the (1 << 10) flag.

Re: [PATCH nft v3 0/2] Add option to omit sets elements from listings.

[Jeremy Sowden]

[-- Attachment #1: Type: text/plain, Size: 3044 bytes --]

On 2019-10-22, at 09:41:56 +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 21, 2019 at 10:49:20PM +0100, Jeremy Sowden wrote:
> > From https://bugzilla.netfilter.org/show_bug.cgi?id=1374:
> >
> >   Listing an entire ruleset or a table with 'nft list ...' will also
> >   print all elements of all set definitions within the ruleset or
> >   requested table. Seeing the full set contents is not often
> >   necessary especially when requesting to see someone's ruleset for
> >   help and support purposes. It would be helpful if there was an
> >   option/flag for the nft tool to suppress set contents when
> >   listing.
> >
> > This patch series implements the request by adding a new option:
> > `-t`, `--terse`.
>
> Series applied, thanks Jeremy.

Cheers.

While I was testing this, I noticed what appears to be an error in the
documentation.  From the man-page:

  SET STATEMENT
    The set statement is used to dynamically add or update elements in a
    set from the packet path. The set setname must already exist in the
    given table and must have been created with the dynamic flag.
    Furthermore, these sets must specify both a maximum set size (to
    prevent memory exhaustion) and a timeout (so that number of entries
    in set will not grow indefinitely). The set statement can be used to
    e.g. create dynamic blacklists.

In the following example it then defines a set as follows:

  nft add set ip filter blackhole \
    { type ipv4_addr; flags timeout; size 65536; }

There is no `dynamic` flag.  In my testing, I also omitted the `dynamic`
flag by accident, and inadvertently verified that it is indeed not neces-
sary.  AFAICT, from a far from thorough investigation, it (or rather
`NFT_SET_EVAL`) is only meaningful for the anonymous sets implicitly
created by meter definitions such as this from the same example:

  nft add rule ip filter input tcp flags syn tcp dport ssh \
    meter flood size 128000 \
    { ip saddr timeout 10s limit rate over 10/second } \
    add @blackhole { ip saddr timeout 1m } drop

Another related quirk (I've used the arp family in this example 'cause
it's empty on my dev box):

  # nft add table arp t
  # nft add set arp t s \
  > '{ type ipv4_addr ; size 256 ; flags dynamic,timeout; }'
  # nft list sets table arp t
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }
  # nft list meters arp
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }
  # nft list meter arp t s
  Error: No such file or directory
  list meter arp t s
                   ^
  # nft list set arp t s
  table arp t {
          set s {
                  type ipv4_addr
                  size 256
                  flags dynamic,timeout
          }
  }

> BTW, not your fault, but it seems libnftables documentation is missing
> an update for the (1 << 10) flag.

Yes, I noticed that.  I'll go back and fix it.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]