* [PATCH nft v2 00/18] introducing libnftables
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel


Hello,

This patchset is the second version of the libnftables introduction patchset.
It addresses some remarks by Phil Sutter. Other remarks, as said on the ML,
are in fact TODO points that can be addressed later.

This patchset also fixes issues with error handling and adds documentation
in doxygen format. An output is available here if you wanna have a look:
 http://home.regit.org/~regit/libnftables/html/group__libnftables.html

The first two patches are a bugfix and a helper function that is needed
for the library:
 * [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk
 * [PATH nft v2 02/18] erec: add function to free list

As mentioned by Arturo, this is not meant to be added into nftables v0.8 but
it is a good candidate for early introduction in the branch as soon as the
v0.8 release is done. 

I did not manage to incorporate some suggestions made privately by Pablo. For
instance there is an nf_sock in the struct nft_ctx. I did not change any
existing internals, so it is still possible to do it as incremental patches.

BR,
--
Eric


* [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

If one of the commands is failing, we should return an error.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/mnl.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index b0f5191..661ecbc 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -245,6 +245,7 @@ static ssize_t mnl_nft_socket_sendmsg(const struct mnl_socket *nl,
 
 int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
 {
+	int rc = 0;
 	struct mnl_socket *nl = ctx->nf_sock;
 	int ret, fd = mnl_socket_get_fd(nl), portid = mnl_socket_get_portid(nl);
 	char rcv_buf[MNL_SOCKET_BUFFER_SIZE];
@@ -275,8 +276,10 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
 
 		ret = mnl_cb_run(rcv_buf, ret, 0, portid, &netlink_echo_callback, ctx);
 		/* Continue on error, make sure we get all acknowledgments */
-		if (ret == -1)
+		if (ret == -1) {
 			mnl_err_list_node_add(err_list, errno, nlh->nlmsg_seq);
+			rc = -1;
+		}
 
 		ret = select(fd+1, &readfds, NULL, NULL, &tv);
 		if (ret == -1)
@@ -285,7 +288,7 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
 		FD_ZERO(&readfds);
 		FD_SET(fd, &readfds);
 	}
-	return ret;
+	return rc;
 }
 
 int mnl_nft_rule_batch_add(struct nftnl_rule *nlr, struct nftnl_batch *batch,
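Review bot: returning rc instead of ret is the right fix, since ret at this point holds the result of the last select() call rather than of any command, but rc is only set when mnl_cb_run() reports an error; the `if (ret == -1)` that follows `ret = select(...)` in the previous hunk is cut off here, so please confirm that branch returns -1 itself rather than falling through to `return rc`, which would report success after a failed select(). A one-line mention in the commit message that nft_netlink()'s `ret = netlink_batch_send(&ctx, &err_list)` now yields -1 whenever err_list is non-empty would also help reviewers of the later patches.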
-- 
2.14.1



* [PATH nft v2 02/18] erec: add function to free list
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/erec.h |  1 +
 src/erec.c     | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/include/erec.h b/include/erec.h
index 36e0efa..befc274 100644
--- a/include/erec.h
+++ b/include/erec.h
@@ -60,6 +60,7 @@ static inline void erec_queue(struct error_record *erec,
 
 extern void erec_print(FILE *f, const struct error_record *erec);
 extern void erec_print_list(FILE *f, struct list_head *list);
+void erec_free_list(struct list_head *list);
 
 struct eval_ctx;
 
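Review bot: the neighbouring declarations in this header use `extern`; for consistency write `extern void erec_free_list(struct list_head *list);`. A one-line comment stating that the function unlinks and destroys every record on the list would also help, since this becomes the way library callers are expected to drop a message list.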
diff --git a/src/erec.c b/src/erec.c
index 439add9..f454d34 100644
--- a/src/erec.c
+++ b/src/erec.c
@@ -213,6 +213,16 @@ void erec_print_list(FILE *f, struct list_head *list)
 	}
 }
 
+void erec_free_list(struct list_head *list)
+{
+	struct error_record *erec, *next;
+
+	list_for_each_entry_safe(erec, next, list, list) {
+		list_del(&erec->list);
+		erec_destroy(erec);
+	}
+}
+
 int __fmtstring(4, 5) __stmt_binary_error(struct eval_ctx *ctx,
 					  const struct location *l1,
 					  const struct location *l2,
-- 
2.14.1



* [PATH nft v2 03/18] libnftables: introduce library
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Add global init and deinit functions.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 configure.ac                 |  4 ++++
 include/Makefile.am          |  2 +-
 include/nftables/Makefile.am |  2 ++
 include/nftables/nftables.h  | 20 +++++++++++++++++
 src/Makefile.am              | 26 +++++++++++++---------
 src/libnftables.c            | 53 ++++++++++++++++++++++++++++++++++++++++++++
 src/main.c                   | 27 +++-------------------
 7 files changed, 99 insertions(+), 35 deletions(-)
 create mode 100644 include/nftables/Makefile.am
 create mode 100644 include/nftables/nftables.h
 create mode 100644 src/libnftables.c

diff --git a/configure.ac b/configure.ac
index bef6c0b..91273ce 100644
--- a/configure.ac
+++ b/configure.ac
@@ -56,6 +56,9 @@ then
         exit 1
 fi
 
+AM_PROG_AR
+AM_PROG_LIBTOOL
+
 AC_CHECK_PROG(DOCBOOK2X_MAN, [docbook2x-man], [docbook2x-man], [no])
 AC_CHECK_PROG(DOCBOOK2MAN, [docbook2man], [docbook2man], [no])
 AC_CHECK_PROG(DB2X_DOCBOOK2MAN, [db2x_docbook2man], [db2x_docbook2man], [no])
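Review bot: AM_PROG_LIBTOOL is the deprecated spelling; current libtool documents LT_INIT instead, and recent automake warns about the old macro. Keep AM_PROG_AR before it as done here, since libtool needs the archiver probe first.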
@@ -146,6 +149,7 @@ AC_CONFIG_FILES([					\
 		include/linux/netfilter_bridge/Makefile	\
 		include/linux/netfilter_ipv4/Makefile	\
 		include/linux/netfilter_ipv6/Makefile	\
+		include/nftables/Makefile		\
 		doc/Makefile				\
 		files/Makefile				\
 		files/nftables/Makefile			\
diff --git a/include/Makefile.am b/include/Makefile.am
index 5dd73d8..caa6961 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = linux
+SUBDIRS = linux nftables
 
 noinst_HEADERS = 	cli.h		\
 			datatype.h	\
diff --git a/include/nftables/Makefile.am b/include/nftables/Makefile.am
new file mode 100644
index 0000000..a14b188
--- /dev/null
+++ b/include/nftables/Makefile.am
@@ -0,0 +1,2 @@
+pkginclude_HEADERS =	nftables.h
+
diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
new file mode 100644
index 0000000..4ba16f0
--- /dev/null
+++ b/include/nftables/nftables.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2017 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#ifndef LIB_NFTABLES_H
+#define LIB_NFTABLES_H
+
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+void nft_global_init(void);
+void nft_global_deinit(void);
+
+#endif
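Review bot: none of the three includes (<stdlib.h>, <stdint.h>, <stdbool.h>) is needed by the two prototypes declared in this public header, so either drop them or keep only what later patches rely on (the `size_t buflen` parameter added in patch 05 needs <stddef.h> or <stdlib.h>). As this header is installed for third parties, an `#ifdef __cplusplus` / `extern "C"` guard is also worth adding now rather than after the first C++ user complains.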
diff --git a/src/Makefile.am b/src/Makefile.am
index 99eef7b..a340d39 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -27,8 +27,9 @@ parser_bison.o scanner.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-decl
 
 BUILT_SOURCES = parser_bison.h
 
-nft_SOURCES =	main.c				\
-		rule.c				\
+lib_LTLIBRARIES = libnftables.la
+
+libnftables_la_SOURCES =	rule.c				\
 		statement.c			\
 		datatype.c			\
 		expression.c			\
@@ -54,23 +55,28 @@ nft_SOURCES =	main.c				\
 		iface.c				\
 		services.c			\
 		mergesort.c			\
+		libnftables.c			\
 		scanner.l			\
 		tcpopt.c			\
 		parser_bison.y
 
-if BUILD_CLI
-nft_SOURCES +=	cli.c
-endif
-
 if BUILD_MINIGMP
 mini-gmp.o: AM_CFLAGS += -Wno-sign-compare
 
-nft_SOURCES +=	mini-gmp.c
+libnftables_la_SOURCES +=	mini-gmp.c
 endif
 
-nft_LDADD	= ${LIBMNL_LIBS} ${LIBNFTNL_LIBS}
+nft_SOURCES = main.c
+
+if BUILD_CLI
+nft_SOURCES +=	cli.c
+endif
+
+libnftables_la_LIBADD	= ${LIBMNL_LIBS} ${LIBNFTNL_LIBS}
 
 if BUILD_XTABLES
-nft_SOURCES +=	xt.c
-nft_LDADD   +=  ${XTABLES_LIBS}
+libnftables_la_SOURCES  +=	xt.c
+libnftables_la_LIBADD   +=  ${XTABLES_LIBS}
 endif
+
+nft_LDADD		= libnftables.la
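Review bot: libnftables_la_LDFLAGS is not set, so the library is built without -version-info and every non-static symbol of the former nft sources (rule.c, datatype.c, expression.c, scanner.l, parser_bison.y, mini-gmp.c, xt.c ...) is exported from the shared object. Add a `libnftables_la_LDFLAGS = -version-info 0:0:0` line and, ideally, an export list or version script, so that only the nft_* functions declared in include/nftables/nftables.h become ABI that has to be kept stable.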
diff --git a/src/libnftables.c b/src/libnftables.c
new file mode 100644
index 0000000..215179a
--- /dev/null
+++ b/src/libnftables.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2017 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include <nftables/nftables.h>
+#include <string.h>
+#include <errno.h>
+#include <nftables.h>
+#include <parser.h>
+#include <iface.h>
+#include <netlink.h>
+#include <erec.h>
+#include <libmnl/libmnl.h>
+#include <mnl.h>
+
+#include <unistd.h>
+#include <fcntl.h>
+
+
+unsigned int max_errors = 10;
+unsigned int numeric_output;
+unsigned int ip2name_output;
+unsigned int handle_output;
+#ifdef DEBUG
+unsigned int debug_level;
+#endif
+
+void nft_global_init(void)
+{
+	mark_table_init();
+	realm_table_rt_init();
+	devgroup_table_init();
+	realm_table_meta_init();
+	ct_label_table_init();
+	gmp_init();
+#ifdef HAVE_LIBXTABLES
+	xt_init();
+#endif
+}
+
+void nft_global_deinit(void)
+{
+	ct_label_table_exit();
+	realm_table_rt_exit();
+	devgroup_table_exit();
+	realm_table_meta_exit();
+	mark_table_exit();
+}
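Review bot: `unsigned int max_errors = 10;` and `unsigned int debug_level;` are defined here but also stay defined in src/main.c (visible as unchanged context in patch 04, directly below the removed `static struct nft_ctx nft;`). With nft now linked against libnftables.la that is two definitions of the same symbol: a hard link error under -fno-common and a silent common-symbol merge otherwise. Drop the main.c copies in this patch or in the "add missing variables to library" patch that follows, and check numeric_output, ip2name_output and handle_output the same way.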
diff --git a/src/main.c b/src/main.c
index 8883959..dde3104 100644
--- a/src/main.c
+++ b/src/main.c
@@ -18,6 +18,7 @@
 #include <fcntl.h>
 #include <sys/types.h>
 
+#include <nftables/nftables.h>
 #include <nftables.h>
 #include <utils.h>
 #include <parser.h>
@@ -272,28 +273,6 @@ err1:
 	return ret;
 }
 
-void nft_init(void)
-{
-	mark_table_init();
-	realm_table_rt_init();
-	devgroup_table_init();
-	realm_table_meta_init();
-	ct_label_table_init();
-	gmp_init();
-#ifdef HAVE_LIBXTABLES
-	xt_init();
-#endif
-}
-
-void nft_exit(void)
-{
-	ct_label_table_exit();
-	realm_table_rt_exit();
-	devgroup_table_exit();
-	realm_table_meta_exit();
-	mark_table_exit();
-}
-
 int main(int argc, char * const *argv)
 {
 	struct parser_state state;
@@ -309,7 +288,7 @@ int main(int argc, char * const *argv)
 	memset(&cache, 0, sizeof(cache));
 	init_list_head(&cache.list);
 
-	nft_init();
+	nft_global_init();
 	nf_sock = netlink_open_sock();
 	while (1) {
 		val = getopt_long(argc, argv, OPTSTRING, options, NULL);
@@ -440,7 +419,7 @@ out:
 	cache_release(&cache);
 	iface_cache_release();
 	netlink_close_sock(nf_sock);
-	nft_exit();
+	nft_global_deinit();
 
 	return rc;
 }
-- 
2.14.1



* [PATH nft v2 04/18] libnftables: add context new and free
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables.h          |  1 +
 include/nftables/nftables.h |  3 +++
 src/libnftables.c           | 20 ++++++++++++++++++++
 src/main.c                  | 29 ++++++++++++++---------------
 4 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/include/nftables.h b/include/nftables.h
index a457aba..717af37 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -35,6 +35,7 @@ struct output_ctx {
 struct nft_ctx {
 	struct output_ctx	output;
 	bool			check;
+	struct mnl_socket	*nf_sock;
 };
 
 struct nft_cache {
diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index 4ba16f0..cfa60fe 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -17,4 +17,7 @@
 void nft_global_init(void);
 void nft_global_deinit(void);
 
+struct nft_ctx *nft_context_new(void);
+void nft_context_free(struct nft_ctx *nft);
+
 #endif
diff --git a/src/libnftables.c b/src/libnftables.c
index 215179a..6756c0f 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -51,3 +51,23 @@ void nft_global_deinit(void)
 	realm_table_meta_exit();
 	mark_table_exit();
 }
+
+struct nft_ctx *nft_context_new(void)
+{
+	struct nft_ctx *ctx = NULL;
+	ctx = calloc(1, sizeof(struct nft_ctx));
+	if (ctx == NULL)
+		return NULL;
+	ctx->nf_sock = netlink_open_sock();
+
+	return ctx;
+}
+
+
+void nft_context_free(struct nft_ctx *nft)
+{
+	if (nft == NULL)
+		return;
+	netlink_close_sock(nft->nf_sock);
+	xfree(nft);
+}
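Review bot: nft_context_new() stores the result of netlink_open_sock() without checking it, while the calloc() failure is checked; if netlink_open_sock() can fail, the problem is only noticed when nft_context_free() hands NULL to netlink_close_sock(). Either check it here and free ctx on failure, or document above the function that netlink_open_sock() never returns on error. Minor: `struct nft_ctx *ctx = NULL;` immediately followed by `ctx = calloc(...)` can be a single initialised declaration, and there is a doubled blank line before nft_context_free().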
diff --git a/src/main.c b/src/main.c
index dde3104..ee5566c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -29,7 +29,6 @@
 #include <iface.h>
 #include <cli.h>
 
-static struct nft_ctx nft;
 unsigned int max_errors = 10;
 #ifdef DEBUG
 unsigned int debug_level;
@@ -283,13 +282,13 @@ int main(int argc, char * const *argv)
 	unsigned int len;
 	bool interactive = false;
 	int i, val, rc = NFT_EXIT_SUCCESS;
-	struct mnl_socket *nf_sock;
+	struct nft_ctx *nft;
 
 	memset(&cache, 0, sizeof(cache));
 	init_list_head(&cache.list);
 
 	nft_global_init();
-	nf_sock = netlink_open_sock();
+	nft = nft_context_new();
 	while (1) {
 		val = getopt_long(argc, argv, OPTSTRING, options, NULL);
 		if (val == -1)
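Review bot: `nft = nft_context_new();` is not checked for NULL, yet the previous hunk shows the function returning NULL when calloc() fails, and the option loop below dereferences it unconditionally (`nft->check = true`, `++nft->output.numeric`). Add `if (nft == NULL) exit(NFT_EXIT_FAILURE);` (with a message on stderr) right after the call.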
@@ -304,7 +303,7 @@ int main(int argc, char * const *argv)
 			       PACKAGE_NAME, PACKAGE_VERSION, RELEASE_NAME);
 			exit(NFT_EXIT_SUCCESS);
 		case OPT_CHECK:
-			nft.check = true;
+			nft->check = true;
 			break;
 		case OPT_FILE:
 			filename = optarg;
@@ -322,7 +321,7 @@ int main(int argc, char * const *argv)
 			include_paths[num_include_paths++] = optarg;
 			break;
 		case OPT_NUMERIC:
-			if (++nft.output.numeric > NUMERIC_ALL) {
+			if (++nft->output.numeric > NUMERIC_ALL) {
 				fprintf(stderr, "Too many numeric options "
 						"used, max. %u\n",
 					NUMERIC_ALL);
@@ -330,10 +329,10 @@ int main(int argc, char * const *argv)
 			}
 			break;
 		case OPT_STATELESS:
-			nft.output.stateless++;
+			nft->output.stateless++;
 			break;
 		case OPT_IP2NAME:
-			nft.output.ip2name++;
+			nft->output.ip2name++;
 			break;
 #ifdef DEBUG
 		case OPT_DEBUG:
@@ -365,10 +364,10 @@ int main(int argc, char * const *argv)
 			break;
 #endif
 		case OPT_HANDLE_OUTPUT:
-			nft.output.handle++;
+			nft->output.handle++;
 			break;
 		case OPT_ECHO:
-			nft.output.echo++;
+			nft->output.echo++;
 			break;
 		case OPT_INVALID:
 			exit(NFT_EXIT_FAILURE);
@@ -386,20 +385,20 @@ int main(int argc, char * const *argv)
 				strcat(buf, " ");
 		}
 		strcat(buf, "\n");
-		parser_init(nf_sock, &cache, &state, &msgs);
+		parser_init(nft->nf_sock, &cache, &state, &msgs);
 		scanner = scanner_init(&state);
 		scanner_push_buffer(scanner, &indesc_cmdline, buf);
 	} else if (filename != NULL) {
-		rc = cache_update(nf_sock, &cache, CMD_INVALID, &msgs);
+		rc = cache_update(nft->nf_sock, &cache, CMD_INVALID, &msgs);
 		if (rc < 0)
 			return rc;
 
-		parser_init(nf_sock, &cache, &state, &msgs);
+		parser_init(nft->nf_sock, &cache, &state, &msgs);
 		scanner = scanner_init(&state);
 		if (scanner_read_file(scanner, filename, &internal_location) < 0)
 			goto out;
 	} else if (interactive) {
-		if (cli_init(&nft, nf_sock, &cache, &state) < 0) {
+		if (cli_init(nft, nft->nf_sock, &cache, &state) < 0) {
 			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
 				argv[0]);
 			exit(NFT_EXIT_FAILURE);
@@ -410,7 +409,7 @@ int main(int argc, char * const *argv)
 		exit(NFT_EXIT_FAILURE);
 	}
 
-	if (nft_run(&nft, nf_sock, &cache, scanner, &state, &msgs) != 0)
+	if (nft_run(nft, nft->nf_sock, &cache, scanner, &state, &msgs) != 0)
 		rc = NFT_EXIT_FAILURE;
 out:
 	scanner_destroy(scanner);
@@ -418,7 +417,7 @@ out:
 	xfree(buf);
 	cache_release(&cache);
 	iface_cache_release();
-	netlink_close_sock(nf_sock);
+	nft_context_free(nft);
 	nft_global_deinit();
 
 	return rc;
-- 
2.14.1



* [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables/nftables.h |  3 +++
 src/libnftables.c           | 26 +++++++++++++++++++++++++-
 src/main.c                  | 19 ++++++++-----------
 3 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index cfa60fe..63150ba 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -20,4 +20,7 @@ void nft_global_deinit(void);
 struct nft_ctx *nft_context_new(void);
 void nft_context_free(struct nft_ctx *nft);
 
+int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
+				char *buf, size_t buflen);
+
 #endif
diff --git a/src/libnftables.c b/src/libnftables.c
index 6756c0f..9701660 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -7,7 +7,6 @@
  *
  */
 
-#include <nftables/nftables.h>
 #include <string.h>
 #include <errno.h>
 #include <nftables.h>
@@ -18,6 +17,8 @@
 #include <libmnl/libmnl.h>
 #include <mnl.h>
 
+#include <nftables/nftables.h>
+
 #include <unistd.h>
 #include <fcntl.h>
 
@@ -71,3 +72,26 @@ void nft_context_free(struct nft_ctx *nft)
 	netlink_close_sock(nft->nf_sock);
 	xfree(nft);
 }
+
+static const struct input_descriptor indesc_cmdline = {
+	.type	= INDESC_BUFFER,
+	.name	= "<cmdline>",
+};
+
+int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
+				char *buf, size_t buflen)
+{
+	int rc = NFT_EXIT_SUCCESS;
+	struct parser_state state;
+	LIST_HEAD(msgs);
+	void *scanner;
+
+	parser_init(nft->nf_sock, cache, &state, &msgs);
+	scanner = scanner_init(&state);
+	scanner_push_buffer(scanner, &indesc_cmdline, buf);
+		
+	if (nft_run(nft, nft->nf_sock, cache, scanner, &state, &msgs) != 0)
+		rc = NFT_EXIT_FAILURE;
+
+	return rc;
+}
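Review bot: the `buflen` parameter is never used, and neither the scanner nor the msgs list is released: scanner_destroy() is not called and msgs is neither printed nor freed (erec_free_list() from patch 02 would do it), so every call leaks and the caller never sees parse errors. The function also returns NFT_EXIT_SUCCESS/NFT_EXIT_FAILURE while the caller in main() tests `rc < 0`, which never matches; pick one convention (a negative value on error would be more useful to external callers) and state it in a comment above the prototype. Minor: the blank line after scanner_push_buffer() carries trailing whitespace.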
diff --git a/src/main.c b/src/main.c
index ee5566c..f863dec 100644
--- a/src/main.c
+++ b/src/main.c
@@ -18,8 +18,8 @@
 #include <fcntl.h>
 #include <sys/types.h>
 
-#include <nftables/nftables.h>
 #include <nftables.h>
+#include <nftables/nftables.h>
 #include <utils.h>
 #include <parser.h>
 #include <rule.h>
@@ -182,11 +182,6 @@ static const struct {
 };
 #endif
 
-static const struct input_descriptor indesc_cmdline = {
-	.type	= INDESC_BUFFER,
-	.name	= "<cmdline>",
-};
-
 static int nft_netlink(struct nft_ctx *nft, struct nft_cache *cache,
 		       struct parser_state *state, struct list_head *msgs,
 		       struct mnl_socket *nf_sock)
@@ -385,9 +380,10 @@ int main(int argc, char * const *argv)
 				strcat(buf, " ");
 		}
 		strcat(buf, "\n");
-		parser_init(nft->nf_sock, &cache, &state, &msgs);
-		scanner = scanner_init(&state);
-		scanner_push_buffer(scanner, &indesc_cmdline, buf);
+		rc = nft_run_command_from_buffer(nft, &cache, buf, len + 2);
+		if (rc < 0)
+			return rc;
+		goto libout;
 	} else if (filename != NULL) {
 		rc = cache_update(nft->nf_sock, &cache, CMD_INVALID, &msgs);
 		if (rc < 0)
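Review bot: `if (rc < 0) return rc;` never fires because nft_run_command_from_buffer() returns NFT_EXIT_SUCCESS or NFT_EXIT_FAILURE, and `goto libout` jumps past both scanner_destroy() and erec_print_list(), so with this patch a syntax error on the command line yields a failure exit code but no diagnostic. Since the library function now owns the scanner and msgs, it should print (or hand back) the errors itself before main() jumps to the cleanup label; the early `return rc` also skips xfree(buf), cache_release() and nft_context_free(), so a `goto libout` is preferable there too.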
@@ -397,6 +393,8 @@ int main(int argc, char * const *argv)
 		scanner = scanner_init(&state);
 		if (scanner_read_file(scanner, filename, &internal_location) < 0)
 			goto out;
+		if (nft_run(nft, nft->nf_sock, &cache, scanner, &state, &msgs) != 0)
+			rc = NFT_EXIT_FAILURE;
 	} else if (interactive) {
 		if (cli_init(nft, nft->nf_sock, &cache, &state) < 0) {
 			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
@@ -409,11 +407,10 @@ int main(int argc, char * const *argv)
 		exit(NFT_EXIT_FAILURE);
 	}
 
-	if (nft_run(nft, nft->nf_sock, &cache, scanner, &state, &msgs) != 0)
-		rc = NFT_EXIT_FAILURE;
 out:
 	scanner_destroy(scanner);
 	erec_print_list(stderr, &msgs);
+libout:
 	xfree(buf);
 	cache_release(&cache);
 	iface_cache_release();
-- 
2.14.1



* [PATH nft v2 06/18] libnftables: add nft_run_command_from_filename
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Add a new function to read nftables commands from a file.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables/nftables.h |  2 ++
 src/libnftables.c           | 25 +++++++++++++++++++++++++
 src/main.c                  | 16 +++-------------
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index 63150ba..980c6ec 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -22,5 +22,7 @@ void nft_context_free(struct nft_ctx *nft);
 
 int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
 				char *buf, size_t buflen);
+int nft_run_command_from_filename(struct nft_ctx *nft, struct nft_cache *cache,
+				  const char *filename);
 
 #endif
diff --git a/src/libnftables.c b/src/libnftables.c
index 9701660..a487a87 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -93,5 +93,30 @@ int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
 	if (nft_run(nft, nft->nf_sock, cache, scanner, &state, &msgs) != 0)
 		rc = NFT_EXIT_FAILURE;
 
+	scanner_destroy(scanner);
+	erec_print_list(stderr, &msgs);
+	return rc;
+}
+
+int nft_run_command_from_filename(struct nft_ctx *nft, struct nft_cache *cache,
+				  const char *filename)
+{
+	int rc = NFT_EXIT_SUCCESS;
+	struct parser_state state;
+	LIST_HEAD(msgs);
+	void *scanner;
+
+	rc = cache_update(nft->nf_sock, cache, CMD_INVALID, &msgs);
+	if (rc < 0)
+		return rc;
+	parser_init(nft->nf_sock, cache, &state, &msgs);
+	scanner = scanner_init(&state);
+	if (scanner_read_file(scanner, filename, &internal_location) < 0)
+		return NFT_EXIT_FAILURE;
+	if (nft_run(nft, nft->nf_sock, cache, scanner, &state, &msgs) != 0)
+		rc = NFT_EXIT_FAILURE;
+
+	scanner_destroy(scanner);
+	erec_print_list(stderr, &msgs);
 	return rc;
 }
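Review bot: in nft_run_command_from_filename() the `scanner_read_file() < 0` path returns without scanner_destroy(), and both it and the cache_update() error path return without printing msgs, so error records queued during cache_update() are lost and the scanner leaks. Route both failures through the common tail (`scanner_destroy(scanner); erec_print_list(stderr, &msgs);`) and free the list afterwards with erec_free_list() from patch 02, which is otherwise unused in this series; the same applies to nft_run_command_from_buffer() above. Having the library write to stderr via erec_print_list() is also something external callers may not want; consider returning the list to the caller or taking a FILE * argument.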
diff --git a/src/main.c b/src/main.c
index f863dec..658988d 100644
--- a/src/main.c
+++ b/src/main.c
@@ -271,7 +271,6 @@ int main(int argc, char * const *argv)
 {
 	struct parser_state state;
 	struct nft_cache cache;
-	void *scanner;
 	LIST_HEAD(msgs);
 	char *buf = NULL, *filename = NULL;
 	unsigned int len;
@@ -383,18 +382,12 @@ int main(int argc, char * const *argv)
 		rc = nft_run_command_from_buffer(nft, &cache, buf, len + 2);
 		if (rc < 0)
 			return rc;
-		goto libout;
+		goto out;
 	} else if (filename != NULL) {
-		rc = cache_update(nft->nf_sock, &cache, CMD_INVALID, &msgs);
+		rc = nft_run_command_from_filename(nft, &cache, filename);
 		if (rc < 0)
 			return rc;
-
-		parser_init(nft->nf_sock, &cache, &state, &msgs);
-		scanner = scanner_init(&state);
-		if (scanner_read_file(scanner, filename, &internal_location) < 0)
-			goto out;
-		if (nft_run(nft, nft->nf_sock, &cache, scanner, &state, &msgs) != 0)
-			rc = NFT_EXIT_FAILURE;
+		goto out;
 	} else if (interactive) {
 		if (cli_init(nft, nft->nf_sock, &cache, &state) < 0) {
 			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
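Review bot: both early exits (`if (rc < 0) return rc;`) return from main() without xfree(buf), cache_release(), nft_context_free() or nft_global_deinit(), and since the two library functions return NFT_EXIT_SUCCESS/NFT_EXIT_FAILURE (never negative) the tests do not trigger anyway. Replace each pair with a plain `goto out` so rc is propagated through the normal cleanup path.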
@@ -408,9 +401,6 @@ int main(int argc, char * const *argv)
 	}
 
 out:
-	scanner_destroy(scanner);
-	erec_print_list(stderr, &msgs);
-libout:
 	xfree(buf);
 	cache_release(&cache);
 	iface_cache_release();
-- 
2.14.1



* [PATH nft v2 07/18] libnftables: put nft_run in library
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables.h        |   4 --
 include/nftables_common.h |  18 ++++++++
 src/Makefile.am           |   1 +
 src/cli.c                 |   1 +
 src/libnftables.c         |   2 +
 src/main.c                |  85 -------------------------------------
 src/nftables_common.c     | 104 ++++++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 126 insertions(+), 89 deletions(-)
 create mode 100644 include/nftables_common.h
 create mode 100644 src/nftables_common.c

diff --git a/include/nftables.h b/include/nftables.h
index 717af37..c2bb7d8 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -124,10 +124,6 @@ struct input_descriptor {
 struct parser_state;
 struct mnl_socket;
 
-int nft_run(struct nft_ctx *nft, struct mnl_socket *nf_sock,
-	    struct nft_cache *cache, void *scanner, struct parser_state *state,
-	    struct list_head *msgs);
-
 void ct_label_table_init(void);
 void mark_table_init(void);
 void gmp_init(void);
diff --git a/include/nftables_common.h b/include/nftables_common.h
new file mode 100644
index 0000000..c3f54a5
--- /dev/null
+++ b/include/nftables_common.h
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 2017 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+
+#ifndef NFTABLES_NFTABLES_COMMON_H
+#define NFTABLES_NFTABLES_COMMON_H
+
+int nft_run(struct nft_ctx *nft, struct mnl_socket *nf_sock,
+	    struct nft_cache *cache, void *scanner, struct parser_state *state,
+	    struct list_head *msgs);
+
+#endif
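Review bot: this header uses struct nft_ctx, struct mnl_socket, struct nft_cache, struct parser_state and struct list_head without declaring or including them, so it only compiles when <nftables.h> was included first (src/cli.c and src/libnftables.c happen to do so). Add forward declarations (`struct nft_ctx;` etc.) or the needed includes so the header is self-contained. Minor: doubled blank line between the licence block and the include guard.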
diff --git a/src/Makefile.am b/src/Makefile.am
index a340d39..cddd3a2 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -58,6 +58,7 @@ libnftables_la_SOURCES =	rule.c				\
 		libnftables.c			\
 		scanner.l			\
 		tcpopt.c			\
+		nftables_common.c		\
 		parser_bison.y
 
 if BUILD_MINIGMP
diff --git a/src/cli.c b/src/cli.c
index a50fc58..7501b29 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -30,6 +30,7 @@
 #include <utils.h>
 #include <iface.h>
 #include <cli.h>
+#include <nftables_common.h>
 
 #include <libmnl/libmnl.h>
 
diff --git a/src/libnftables.c b/src/libnftables.c
index a487a87..446ec1e 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -16,6 +16,8 @@
 #include <erec.h>
 #include <libmnl/libmnl.h>
 #include <mnl.h>
+#include <netlink.h>
+#include <nftables_common.h>
 
 #include <nftables/nftables.h>
 
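Review bot: `#include <netlink.h>` is already present in this file (it was part of the initial version in patch 03, between <iface.h> and <erec.h>), so this hunk includes it a second time; only <nftables_common.h> needs to be added here.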
diff --git a/src/main.c b/src/main.c
index 658988d..9b4e450 100644
--- a/src/main.c
+++ b/src/main.c
@@ -182,91 +182,6 @@ static const struct {
 };
 #endif
 
-static int nft_netlink(struct nft_ctx *nft, struct nft_cache *cache,
-		       struct parser_state *state, struct list_head *msgs,
-		       struct mnl_socket *nf_sock)
-{
-	uint32_t batch_seqnum, seqnum = 0;
-	struct nftnl_batch *batch;
-	struct netlink_ctx ctx;
-	struct cmd *cmd;
-	struct mnl_err *err, *tmp;
-	LIST_HEAD(err_list);
-	bool batch_supported = netlink_batch_supported(nf_sock, &seqnum);
-	int ret = 0;
-
-	batch = mnl_batch_init();
-
-	batch_seqnum = mnl_batch_begin(batch, mnl_seqnum_alloc(&seqnum));
-	list_for_each_entry(cmd, &state->cmds, list) {
-		memset(&ctx, 0, sizeof(ctx));
-		ctx.msgs = msgs;
-		ctx.seqnum = cmd->seqnum = mnl_seqnum_alloc(&seqnum);
-		ctx.batch = batch;
-		ctx.batch_supported = batch_supported;
-		ctx.octx = &nft->output;
-		ctx.nf_sock = nf_sock;
-		ctx.cache = cache;
-		init_list_head(&ctx.list);
-		ret = do_command(&ctx, cmd);
-		if (ret < 0)
-			goto out;
-	}
-	if (!nft->check)
-		mnl_batch_end(batch, mnl_seqnum_alloc(&seqnum));
-
-	if (!mnl_batch_ready(batch))
-		goto out;
-
-	ret = netlink_batch_send(&ctx, &err_list);
-
-	list_for_each_entry_safe(err, tmp, &err_list, head) {
-		list_for_each_entry(cmd, &state->cmds, list) {
-			if (err->seqnum == cmd->seqnum ||
-			    err->seqnum == batch_seqnum) {
-				netlink_io_error(&ctx, &cmd->location,
-						 "Could not process rule: %s",
-						 strerror(err->err));
-				ret = -1;
-				errno = err->err;
-				if (err->seqnum == cmd->seqnum) {
-					mnl_err_list_free(err);
-					break;
-				}
-			}
-		}
-	}
-out:
-	mnl_batch_reset(batch);
-	return ret;
-}
-
-int nft_run(struct nft_ctx *nft, struct mnl_socket *nf_sock,
-	    struct nft_cache *cache, void *scanner, struct parser_state *state,
-	    struct list_head *msgs)
-{
-	struct cmd *cmd, *next;
-	int ret;
-
-	ret = nft_parse(scanner, state);
-	if (ret != 0 || state->nerrs > 0) {
-		ret = -1;
-		goto err1;
-	}
-
-	list_for_each_entry(cmd, &state->cmds, list)
-		nft_cmd_expand(cmd);
-
-	ret = nft_netlink(nft, cache, state, msgs, nf_sock);
-err1:
-	list_for_each_entry_safe(cmd, next, &state->cmds, list) {
-		list_del(&cmd->list);
-		cmd_free(cmd);
-	}
-
-	return ret;
-}
-
 int main(int argc, char * const *argv)
 {
 	struct parser_state state;
diff --git a/src/nftables_common.c b/src/nftables_common.c
new file mode 100644
index 0000000..4ae9f3e
--- /dev/null
+++ b/src/nftables_common.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 2017 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include <string.h>
+#include <errno.h>
+
+#include <nftables.h>
+#include <nftables_common.h>
+#include <netlink.h>
+#include <parser.h>
+#include <mnl.h>
+
+static int nft_netlink(struct nft_ctx *nft, struct nft_cache *cache,
+		       struct parser_state *state, struct list_head *msgs,
+		       struct mnl_socket *nf_sock)
+{
+	uint32_t batch_seqnum, seqnum = 0;
+	struct nftnl_batch *batch;
+	struct netlink_ctx ctx;
+	struct cmd *cmd;
+	struct mnl_err *err, *tmp;
+	LIST_HEAD(err_list);
+	bool batch_supported = netlink_batch_supported(nf_sock, &seqnum);
+	int ret = 0;
+
+	batch = mnl_batch_init();
+
+	batch_seqnum = mnl_batch_begin(batch, mnl_seqnum_alloc(&seqnum));
+	list_for_each_entry(cmd, &state->cmds, list) {
+		memset(&ctx, 0, sizeof(ctx));
+		ctx.msgs = msgs;
+		ctx.seqnum = cmd->seqnum = mnl_seqnum_alloc(&seqnum);
+		ctx.batch = batch;
+		ctx.batch_supported = batch_supported;
+		ctx.octx = &nft->output;
+		ctx.nf_sock = nf_sock;
+		ctx.cache = cache;
+		init_list_head(&ctx.list);
+		ret = do_command(&ctx, cmd);
+		if (ret < 0)
+			goto out;
+	}
+	if (!nft->check)
+		mnl_batch_end(batch, mnl_seqnum_alloc(&seqnum));
+
+	if (!mnl_batch_ready(batch))
+		goto out;
+
+	ret = netlink_batch_send(&ctx, &err_list);
+
+	list_for_each_entry_safe(err, tmp, &err_list, head) {
+		list_for_each_entry(cmd, &state->cmds, list) {
+			if (err->seqnum == cmd->seqnum ||
+			    err->seqnum == batch_seqnum) {
+				netlink_io_error(&ctx, &cmd->location,
+						 "Could not process rule: %s",
+						 strerror(err->err));
+				ret = -1;
+				errno = err->err;
+				if (err->seqnum == cmd->seqnum) {
+					mnl_err_list_free(err);
+					break;
+				}
+			}
+		}
+	}
+out:
+	mnl_batch_reset(batch);
+	return ret;
+}
+
+int nft_run(struct nft_ctx *nft, struct mnl_socket *nf_sock,
+	    struct nft_cache *cache, void *scanner, struct parser_state *state,
+	    struct list_head *msgs)
+{
+	struct cmd *cmd, *next;
+	int ret;
+
+	ret = nft_parse(scanner, state);
+	if (ret != 0 || state->nerrs > 0) {
+		ret = -1;
+		goto err1;
+	}
+
+	list_for_each_entry(cmd, &state->cmds, list)
+		nft_cmd_expand(cmd);
+
+	ret = nft_netlink(nft, cache, state, msgs, nf_sock);
+err1:
+	list_for_each_entry_safe(cmd, next, &state->cmds, list) {
+		list_del(&cmd->list);
+		cmd_free(cmd);
+	}
+
+	return ret;
+}
+
+
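Review bot: the new file ends with two empty `+` lines after the closing brace of nft_run(), which git reports as "new blank line at EOF"; drop them. Separately, the error loop moved here verbatim only calls mnl_err_list_free(err) when err->seqnum == cmd->seqnum, so an error whose seqnum is batch_seqnum is reported against every command but is never passed to mnl_err_list_free(); that is pre-existing, but since the function is being relocated into the library this is a good moment to free those entries as well once the inner loop has finished.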
-- 
2.14.1


* [PATH nft v2 08/18] libnftables: add missing variables to library
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

This patch also avoids double definition of global vars.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/libnftables.c | 2 ++
 src/main.c        | 6 ------
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index 446ec1e..28f9272 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -33,6 +33,8 @@ unsigned int handle_output;
 unsigned int debug_level;
 #endif
 
+const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };
+
 void nft_global_init(void)
 {
 	mark_table_init();
diff --git a/src/main.c b/src/main.c
index 9b4e450..7ab01b7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -29,12 +29,6 @@
 #include <iface.h>
 #include <cli.h>
 
-unsigned int max_errors = 10;
-#ifdef DEBUG
-unsigned int debug_level;
-#endif
-
-const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };
 static unsigned int num_include_paths = 1;
 
 enum opt_vals {
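Review bot: `unsigned int max_errors = 10;` is deleted from main.c here, but the only definition this patch adds to libnftables.c is include_paths (debug_level is visible in that file's context), so please confirm libnftables.c already defines max_errors with the same initial value of 10; a definition without an initializer would silently change the default to 0. The commit message's "also" would also read better if it named the three variables being moved (max_errors, debug_level, include_paths).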
-- 
2.14.1


* [PATH nft v2 09/18] libnftables: add NFT_EXIT_* to library
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

So it can be used by clients to check function return values.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables.h          | 7 -------
 include/nftables/nftables.h | 7 +++++++
 src/netlink.c               | 1 +
 src/utils.c                 | 1 +
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/include/nftables.h b/include/nftables.h
index c2bb7d8..aad204e 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -48,13 +48,6 @@ extern unsigned int max_errors;
 extern unsigned int debug_level;
 extern const char *include_paths[INCLUDE_PATHS_MAX];
 
-enum nftables_exit_codes {
-	NFT_EXIT_SUCCESS	= 0,
-	NFT_EXIT_FAILURE	= 1,
-	NFT_EXIT_NOMEM		= 2,
-	NFT_EXIT_NONL		= 3,
-};
-
 struct input_descriptor;
 struct location {
 	const struct input_descriptor		*indesc;
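Review bot: removing the enum from the internal include/nftables.h means every translation unit that uses NFT_EXIT_* now needs the explicit `#include <nftables/nftables.h>` this patch adds to netlink.c and utils.c, and the diffstat touches only those two files. Having include/nftables.h include <nftables/nftables.h> itself would keep the exit codes visible everywhere the old header was and avoids missing a user.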
diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index 980c6ec..20a062c 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -14,6 +14,13 @@
 #include <stdint.h>
 #include <stdbool.h>
 
+enum nftables_exit_codes {
+	NFT_EXIT_SUCCESS	= 0,
+	NFT_EXIT_FAILURE	= 1,
+	NFT_EXIT_NOMEM		= 2,
+	NFT_EXIT_NONL		= 3,
+};
+
 void nft_global_init(void);
 void nft_global_deinit(void);
 
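Review bot: this enum becomes part of the public library API; since the series documents the public header in doxygen, give it a short comment block stating when each code is returned (NFT_EXIT_NOMEM and NFT_EXIT_NONL in particular), otherwise library users have only the names to go on.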
diff --git a/src/netlink.c b/src/netlink.c
index 7311149..ea5d9b1 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -30,6 +30,7 @@
 #include <linux/netfilter.h>
 
 #include <nftables.h>
+#include <nftables/nftables.h>
 #include <netlink.h>
 #include <mnl.h>
 #include <expression.h>
diff --git a/src/utils.c b/src/utils.c
index 47f5b79..aace563 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -16,6 +16,7 @@
 #include <string.h>
 
 #include <nftables.h>
+#include <nftables/nftables.h>
 #include <utils.h>
 
 void __noreturn __memory_allocation_error(const char *filename, uint32_t line)
-- 
2.14.1


* [PATH nft v2 10/18] libnftables: add a nft_cache to nft_ctx
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Hide this structure from the user; this allows simplifying the simple
functions by just providing easy and meaningful arguments.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/cli.h               |  2 +-
 include/nftables.h          | 13 +++++++------
 include/nftables/nftables.h |  5 ++---
 src/cli.c                   | 10 ++++++++--
 src/libnftables.c           | 19 +++++++++++--------
 src/main.c                  | 11 +++--------
 6 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/include/cli.h b/include/cli.h
index e577400..899c8a6 100644
--- a/include/cli.h
+++ b/include/cli.h
@@ -6,7 +6,7 @@
 struct parser_state;
 #ifdef HAVE_LIBREADLINE
 extern int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
-		    struct nft_cache *cache, struct parser_state *state);
+		    struct parser_state *state);
 #else
 static inline int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
 			   struct nft_cache *cache, struct parser_state *state)
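Review bot: only the HAVE_LIBREADLINE prototype drops the cache argument; the `#else` inline stub right below it (still `struct nft_cache *cache, struct parser_state *state`) keeps the old four-argument signature, so a build without readline fails to compile against the updated three-argument call `cli_init(nft, nft->nf_sock, &state)` in main.c. Update the stub to match.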
diff --git a/include/nftables.h b/include/nftables.h
index aad204e..348fbb0 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -32,18 +32,19 @@ struct output_ctx {
 	unsigned int echo;
 };
 
-struct nft_ctx {
-	struct output_ctx	output;
-	bool			check;
-	struct mnl_socket	*nf_sock;
-};
-
 struct nft_cache {
 	bool			initialized;
 	struct list_head	list;
 	uint32_t		seqnum;
 };
 
+struct nft_ctx {
+	struct output_ctx	output;
+	bool			check;
+	struct mnl_socket	*nf_sock;
+	struct nft_cache	cache;
+};
+
 extern unsigned int max_errors;
 extern unsigned int debug_level;
 extern const char *include_paths[INCLUDE_PATHS_MAX];
diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index 20a062c..b902cbd 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -27,9 +27,8 @@ void nft_global_deinit(void);
 struct nft_ctx *nft_context_new(void);
 void nft_context_free(struct nft_ctx *nft);
 
-int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
+int nft_run_command_from_buffer(struct nft_ctx *nft,
 				char *buf, size_t buflen);
-int nft_run_command_from_filename(struct nft_ctx *nft, struct nft_cache *cache,
-				  const char *filename);
+int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename);
 
 #endif
diff --git a/src/cli.c b/src/cli.c
index 7501b29..fd5c7b7 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -177,13 +177,17 @@ void __fmtstring(1, 0) cli_display(const char *fmt, va_list ap)
 }
 
 int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
-	     struct nft_cache *cache, struct parser_state *_state)
+	     struct parser_state *_state)
 {
 	const char *home;
+	struct nft_cache cache;
+
+	memset(&cache, 0, sizeof(cache));
+	init_list_head(&cache.list);
 
 	cli_nf_sock = nf_sock;
 	cli_nft = *nft;
-	cli_cache = cache;
+	cli_cache = &cache;
 	rl_readline_name = "nft";
 	rl_instream  = stdin;
 	rl_outstream = stdout;
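Review bot: cli_init() now builds its own `struct nft_cache cache` on the stack and stores its address in the global cli_cache, although this same patch embeds a cache in struct nft_ctx precisely so callers stop carrying one around. Use `cli_cache = &nft->cache;` instead, and drop the local cache together with its memset(), init_list_head() and the `cache_release(&cache)` added further down in this file, so the CLI and the library share one cache that nft_context_free() already releases.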
@@ -204,6 +208,8 @@ int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
 
 	while (!eof)
 		rl_callback_read_char();
+
+	cache_release(&cache);
 	return 0;
 }
 
diff --git a/src/libnftables.c b/src/libnftables.c
index 28f9272..19d539c 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -63,7 +63,10 @@ struct nft_ctx *nft_context_new(void)
 	ctx = calloc(1, sizeof(struct nft_ctx));
 	if (ctx == NULL)
 		return NULL;
+
+	memset(ctx, 0, sizeof(*ctx));
 	ctx->nf_sock = netlink_open_sock();
+	init_list_head(&ctx->cache.list);
 
 	return ctx;
 }
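Review bot: the `memset(ctx, 0, sizeof(*ctx))` added right after `calloc(1, sizeof(struct nft_ctx))` is redundant, calloc() already returns zeroed memory; drop it and keep only the init_list_head() call.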
@@ -74,6 +77,7 @@ void nft_context_free(struct nft_ctx *nft)
 	if (nft == NULL)
 		return;
 	netlink_close_sock(nft->nf_sock);
+	cache_release(&nft->cache);
 	xfree(nft);
 }
 
@@ -82,7 +86,7 @@ static const struct input_descriptor indesc_cmdline = {
 	.name	= "<cmdline>",
 };
 
-int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
+int nft_run_command_from_buffer(struct nft_ctx *nft,
 				char *buf, size_t buflen)
 {
 	int rc = NFT_EXIT_SUCCESS;
@@ -90,11 +94,11 @@ int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
 	LIST_HEAD(msgs);
 	void *scanner;
 
-	parser_init(nft->nf_sock, cache, &state, &msgs);
+	parser_init(nft->nf_sock, &nft->cache, &state, &msgs);
 	scanner = scanner_init(&state);
 	scanner_push_buffer(scanner, &indesc_cmdline, buf);
 		
-	if (nft_run(nft, nft->nf_sock, cache, scanner, &state, &msgs) != 0)
+	if (nft_run(nft, nft->nf_sock, &nft->cache, scanner, &state, &msgs) != 0)
 		rc = NFT_EXIT_FAILURE;
 
 	scanner_destroy(scanner);
@@ -102,22 +106,21 @@ int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
 	return rc;
 }
 
-int nft_run_command_from_filename(struct nft_ctx *nft, struct nft_cache *cache,
-				  const char *filename)
+int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename)
 {
 	int rc = NFT_EXIT_SUCCESS;
 	struct parser_state state;
 	LIST_HEAD(msgs);
 	void *scanner;
 
-	rc = cache_update(nft->nf_sock, cache, CMD_INVALID, &msgs);
+	rc = cache_update(nft->nf_sock, &nft->cache, CMD_INVALID, &msgs);
 	if (rc < 0)
 		return rc;
-	parser_init(nft->nf_sock, cache, &state, &msgs);
+	parser_init(nft->nf_sock, &nft->cache, &state, &msgs);
 	scanner = scanner_init(&state);
 	if (scanner_read_file(scanner, filename, &internal_location) < 0)
 		return NFT_EXIT_FAILURE;
-	if (nft_run(nft, nft->nf_sock, cache, scanner, &state, &msgs) != 0)
+	if (nft_run(nft, nft->nf_sock, &nft->cache, scanner, &state, &msgs) != 0)
 		rc = NFT_EXIT_FAILURE;
 
 	scanner_destroy(scanner);
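Review bot: while this function is being reworked, the early `return NFT_EXIT_FAILURE` after a failed scanner_read_file() (visible in context) leaves the scanner allocated by scanner_init() and skips the scanner_destroy() cleanup at the end; route that failure through the same cleanup path. Note also that a cache_update() failure returns its raw negative rc while the read failure returns NFT_EXIT_FAILURE, so callers receive two different return conventions from one function.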
diff --git a/src/main.c b/src/main.c
index 7ab01b7..2cb7e6f 100644
--- a/src/main.c
+++ b/src/main.c
@@ -179,7 +179,6 @@ static const struct {
 int main(int argc, char * const *argv)
 {
 	struct parser_state state;
-	struct nft_cache cache;
 	LIST_HEAD(msgs);
 	char *buf = NULL, *filename = NULL;
 	unsigned int len;
@@ -187,9 +186,6 @@ int main(int argc, char * const *argv)
 	int i, val, rc = NFT_EXIT_SUCCESS;
 	struct nft_ctx *nft;
 
-	memset(&cache, 0, sizeof(cache));
-	init_list_head(&cache.list);
-
 	nft_global_init();
 	nft = nft_context_new();
 	while (1) {
@@ -288,17 +284,17 @@ int main(int argc, char * const *argv)
 				strcat(buf, " ");
 		}
 		strcat(buf, "\n");
-		rc = nft_run_command_from_buffer(nft, &cache, buf, len + 2);
+		rc = nft_run_command_from_buffer(nft, buf, len + 2);
 		if (rc < 0)
 			return rc;
 		goto out;
 	} else if (filename != NULL) {
-		rc = nft_run_command_from_filename(nft, &cache, filename);
+		rc = nft_run_command_from_filename(nft, filename);
 		if (rc < 0)
 			return rc;
 		goto out;
 	} else if (interactive) {
-		if (cli_init(nft, nft->nf_sock, &cache, &state) < 0) {
+		if (cli_init(nft, nft->nf_sock, &state) < 0) {
 			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
 				argv[0]);
 			exit(NFT_EXIT_FAILURE);
@@ -311,7 +307,6 @@ int main(int argc, char * const *argv)
 
 out:
 	xfree(buf);
-	cache_release(&cache);
 	iface_cache_release();
 	nft_context_free(nft);
 	nft_global_deinit();
-- 
2.14.1


* [PATH nft v2 11/18] libnftables: move iface_cache_release to deinit
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/libnftables.c | 1 +
 src/main.c        | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index 19d539c..2228156 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -50,6 +50,7 @@ void nft_global_init(void)
 
 void nft_global_deinit(void)
 {
+	iface_cache_release();
 	ct_label_table_exit();
 	realm_table_rt_exit();
 	devgroup_table_exit();
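Review bot: the commit message has no body; please state why iface_cache_release() belongs in nft_global_deinit() (presumably that a library user, unlike the nft binary, has no other place to release the interface cache), so the motivation survives in the git history.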
diff --git a/src/main.c b/src/main.c
index 2cb7e6f..08d77d0 100644
--- a/src/main.c
+++ b/src/main.c
@@ -307,7 +307,6 @@ int main(int argc, char * const *argv)
 
 out:
 	xfree(buf);
-	iface_cache_release();
 	nft_context_free(nft);
 	nft_global_deinit();
 
-- 
2.14.1


* [PATH nft v2 12/18] libnftables: get rid of printf
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Use a custom print function that the user will be able to set instead of
using a direct call to printf.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/datatype.h   |   5 +-
 include/expression.h |   2 +-
 include/nftables.h   |   2 +
 src/ct.c             |  20 +++----
 src/datatype.c       |  61 +++++++++++---------
 src/expression.c     |  70 +++++++++++------------
 src/exthdr.c         |   8 +--
 src/fib.c            |  23 ++++----
 src/hash.c           |  10 ++--
 src/libnftables.c    |  14 +++++
 src/meta.c           |  26 ++++-----
 src/numgen.c         |   4 +-
 src/payload.c        |   4 +-
 src/rule.c           | 159 ++++++++++++++++++++++++++-------------------------
 src/statement.c      | 122 +++++++++++++++++++--------------------
 15 files changed, 279 insertions(+), 251 deletions(-)

diff --git a/include/datatype.h b/include/datatype.h
index 2e34591..e9f6079 100644
--- a/include/datatype.h
+++ b/include/datatype.h
@@ -209,7 +209,8 @@ extern void symbolic_constant_print(const struct symbol_table *tbl,
 				    struct output_ctx *octx);
 extern void symbol_table_print(const struct symbol_table *tbl,
 			       const struct datatype *dtype,
-			       enum byteorder byteorder);
+			       enum byteorder byteorder,
+			       struct output_ctx *octx);
 
 extern struct symbol_table *rt_symbol_table_init(const char *filename);
 extern void rt_symbol_table_free(struct symbol_table *tbl);
@@ -261,7 +262,7 @@ extern const struct datatype *
 set_datatype_alloc(const struct datatype *orig_dtype, unsigned int byteorder);
 extern void set_datatype_destroy(const struct datatype *dtype);
 
-extern void time_print(uint64_t seconds);
+extern void time_print(uint64_t seconds, struct output_ctx *octx);
 extern struct error_record *time_parse(const struct location *loc,
 				       const char *c, uint64_t *res);
 
diff --git a/include/expression.h b/include/expression.h
index 828dbae..d82642d 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -334,7 +334,7 @@ extern struct expr *expr_get(struct expr *expr);
 extern void expr_free(struct expr *expr);
 extern void expr_print(const struct expr *expr, struct output_ctx *octx);
 extern bool expr_cmp(const struct expr *e1, const struct expr *e2);
-extern void expr_describe(const struct expr *expr);
+extern void expr_describe(const struct expr *expr, struct output_ctx *octx);
 
 extern const struct datatype *expr_basetype(const struct expr *expr);
 extern void expr_set_type(struct expr *expr, const struct datatype *dtype,
diff --git a/include/nftables.h b/include/nftables.h
index 348fbb0..ddff5d8 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -30,6 +30,8 @@ struct output_ctx {
 	unsigned int ip2name;
 	unsigned int handle;
 	unsigned int echo;
+	void *ctx;
+	int (*print)(void *ctx, const char *format, ...);
 };
 
 struct nft_cache {
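Review bot: switching from printf() to the `print` function pointer silently loses the compiler's format-string checking at the many call sites converted below; declare the member with the project's format attribute, e.g. `int (*print)(void *ctx, const char *format, ...) __fmtstring(2, 3);`, so mismatched arguments are still caught at build time. Every converted call also dereferences octx->print unconditionally, so make sure each struct output_ctx the code constructs, including copies such as `cli_nft = *nft` in cli.c, has print set to a default printf wrapper before this lands, or a zeroed octx crashes on its first output.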
diff --git a/src/ct.c b/src/ct.c
index d64f467..4367b21 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -141,11 +141,11 @@ static void ct_label_type_print(const struct expr *expr,
 	for (s = ct_label_tbl->symbols; s->identifier != NULL; s++) {
 		if (bit != s->value)
 			continue;
-		printf("\"%s\"", s->identifier);
+		octx->print(octx->ctx, "\"%s\"", s->identifier);
 		return;
 	}
 	/* can happen when connlabel.conf is altered after rules were added */
-	printf("%ld\n", (long)mpz_scan1(expr->value, 0));
+	octx->print(octx->ctx, "%ld\n", (long)mpz_scan1(expr->value, 0));
 }
 
 static struct error_record *ct_label_type_parse(const struct expr *sym,
@@ -269,27 +269,27 @@ static const struct ct_template ct_templates[] = {
 					      BYTEORDER_HOST_ENDIAN, 32),
 };
 
-static void ct_print(enum nft_ct_keys key, int8_t dir)
+static void ct_print(enum nft_ct_keys key, int8_t dir, struct output_ctx *octx)
 {
 	const struct symbolic_constant *s;
 
-	printf("ct ");
+	octx->print(octx->ctx, "ct ");
 	if (dir < 0)
 		goto done;
 
 	for (s = ct_dir_tbl.symbols; s->identifier != NULL; s++) {
 		if (dir == (int)s->value) {
-			printf("%s ", s->identifier);
+			octx->print(octx->ctx, "%s ", s->identifier);
 			break;
 		}
 	}
  done:
-	printf("%s", ct_templates[key].token);
+	octx->print(octx->ctx, "%s", ct_templates[key].token);
 }
 
 static void ct_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
-	ct_print(expr->ct.key, expr->ct.direction);
+	ct_print(expr->ct.key, expr->ct.direction, octx);
 }
 
 static bool ct_expr_cmp(const struct expr *e1, const struct expr *e2)
@@ -445,8 +445,8 @@ void ct_expr_update_type(struct proto_ctx *ctx, struct expr *expr)
 
 static void ct_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	ct_print(stmt->ct.key, stmt->ct.direction);
-	printf(" set ");
+	ct_print(stmt->ct.key, stmt->ct.direction, octx);
+	octx->print(octx->ctx, " set ");
 	expr_print(stmt->ct.expr, octx);
 }
 
@@ -472,7 +472,7 @@ struct stmt *ct_stmt_alloc(const struct location *loc, enum nft_ct_keys key,
 
 static void notrack_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("notrack");
+	octx->print(octx->ctx, "notrack");
 }
 
 static const struct stmt_ops notrack_stmt_ops = {
diff --git a/src/datatype.c b/src/datatype.c
index 5bd0c7b..1f500e2 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -192,15 +192,15 @@ void symbolic_constant_print(const struct symbol_table *tbl,
 		return expr_basetype(expr)->print(expr, octx);
 
 	if (quotes)
-		printf("\"");
+		octx->print(octx->ctx, "\"");
 
 	if (octx->numeric > NUMERIC_ALL)
-		printf("%"PRIu64"", val);
+		octx->print(octx->ctx, "%"PRIu64"", val);
 	else
-		printf("%s", s->identifier);
+		octx->print(octx->ctx, "%s", s->identifier);
 
 	if (quotes)
-		printf("\"");
+		octx->print(octx->ctx, "\"");
 }
 
 static void switch_byteorder(void *data, unsigned int len)
@@ -215,7 +215,8 @@ static void switch_byteorder(void *data, unsigned int len)
 
 void symbol_table_print(const struct symbol_table *tbl,
 			const struct datatype *dtype,
-			enum byteorder byteorder)
+			enum byteorder byteorder,
+			struct output_ctx *octx)
 {
 	const struct symbolic_constant *s;
 	unsigned int len = dtype->size / BITS_PER_BYTE;
@@ -228,16 +229,18 @@ void symbol_table_print(const struct symbol_table *tbl,
 			switch_byteorder(&value, len);
 
 		if (tbl->base == BASE_DECIMAL)
-			printf("\t%-30s\t%20"PRIu64"\n", s->identifier, value);
+			octx->print(octx->ctx, "\t%-30s\t%20"PRIu64"\n", s->identifier, value);
 		else
-			printf("\t%-30s\t0x%.*" PRIx64 "\n",
+			octx->print(octx->ctx, "\t%-30s\t0x%.*" PRIx64 "\n",
 			       s->identifier, 2 * len, value);
 	}
 }
 
 static void invalid_type_print(const struct expr *expr, struct output_ctx *octx)
 {
-	gmp_printf("0x%Zx [invalid type]", expr->value);
+	char buf[512];
+	gmp_snprintf(buf, sizeof(buf), "0x%Zx [invalid type]", expr->value);
+	octx->print(octx->ctx, "%s", buf);
 }
 
 const struct datatype invalid_type = {
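Review bot: the two converted octx->print lines in symbol_table_print() now exceed 80 columns, and the same happens in expression.c and exthdr.c below; wrap the arguments onto the following line as the surrounding code does. In invalid_type_print(), the 512-byte buffer for gmp_snprintf() differs from the 256-byte one used for the same purpose in integer_type_print() below; pick one shared size constant.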
@@ -251,30 +254,30 @@ static void verdict_type_print(const struct expr *expr, struct output_ctx *octx)
 {
 	switch (expr->verdict) {
 	case NFT_CONTINUE:
-		printf("continue");
+		octx->print(octx->ctx, "continue");
 		break;
 	case NFT_BREAK:
-		printf("break");
+		octx->print(octx->ctx, "break");
 		break;
 	case NFT_JUMP:
-		printf("jump %s", expr->chain);
+		octx->print(octx->ctx, "jump %s", expr->chain);
 		break;
 	case NFT_GOTO:
-		printf("goto %s", expr->chain);
+		octx->print(octx->ctx, "goto %s", expr->chain);
 		break;
 	case NFT_RETURN:
-		printf("return");
+		octx->print(octx->ctx, "return");
 		break;
 	default:
 		switch (expr->verdict & NF_VERDICT_MASK) {
 		case NF_ACCEPT:
-			printf("accept");
+			octx->print(octx->ctx, "accept");
 			break;
 		case NF_DROP:
-			printf("drop");
+			octx->print(octx->ctx, "drop");
 			break;
 		case NF_QUEUE:
-			printf("queue");
+			octx->print(octx->ctx, "queue");
 			break;
 		default:
 			BUG("invalid verdict value %u\n", expr->verdict);
@@ -319,6 +322,7 @@ static void integer_type_print(const struct expr *expr, struct output_ctx *octx)
 {
 	const struct datatype *dtype = expr->dtype;
 	const char *fmt = "%Zu";
+	char buf[256];
 
 	do {
 		if (dtype->basefmt != NULL) {
@@ -327,7 +331,8 @@ static void integer_type_print(const struct expr *expr, struct output_ctx *octx)
 		}
 	} while ((dtype = dtype->basetype));
 
-	gmp_printf(fmt, expr->value);
+	gmp_snprintf(buf, sizeof(buf),fmt, expr->value);
+	octx->print(octx->ctx, "%s", buf);
 }
 
 static struct error_record *integer_type_parse(const struct expr *sym,
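Review bot: missing space after the comma in `gmp_snprintf(buf, sizeof(buf),fmt, expr->value)`. Beyond style, comparing gmp_snprintf()'s return value against sizeof(buf) would make truncation of a large value visible instead of printing a silently shortened number.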
@@ -364,7 +369,7 @@ static void string_type_print(const struct expr *expr, struct output_ctx *octx)
 
 	mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
 	data[len] = '\0';
-	printf("\"%s\"", data);
+	octx->print(octx->ctx, "\"%s\"", data);
 }
 
 static struct error_record *string_type_parse(const struct expr *sym,
@@ -396,7 +401,7 @@ static void lladdr_type_print(const struct expr *expr, struct output_ctx *octx)
 	mpz_export_data(data, expr->value, BYTEORDER_BIG_ENDIAN, len);
 
 	for (i = 0; i < len; i++) {
-		printf("%s%.2x", delim, data[i]);
+		octx->print(octx->ctx, "%s%.2x", delim, data[i]);
 		delim = ":";
 	}
 }
@@ -449,7 +454,7 @@ static void ipaddr_type_print(const struct expr *expr, struct output_ctx *octx)
 		getnameinfo((struct sockaddr *)&sin, sizeof(sin), buf,
 			    sizeof(buf), NULL, 0, NI_NUMERICHOST);
 	}
-	printf("%s", buf);
+	octx->print(octx->ctx, "%s", buf);
 }
 
 static struct error_record *ipaddr_type_parse(const struct expr *sym,
@@ -507,7 +512,7 @@ static void ip6addr_type_print(const struct expr *expr, struct output_ctx *octx)
 		getnameinfo((struct sockaddr *)&sin6, sizeof(sin6), buf,
 			    sizeof(buf), NULL, 0, NI_NUMERICHOST);
 	}
-	printf("%s", buf);
+	octx->print(octx->ctx, "%s", buf);
 }
 
 static struct error_record *ip6addr_type_parse(const struct expr *sym,
@@ -557,7 +562,7 @@ static void inet_protocol_type_print(const struct expr *expr,
 	if (octx->numeric < NUMERIC_ALL) {
 		p = getprotobynumber(mpz_get_uint8(expr->value));
 		if (p != NULL) {
-			printf("%s", p->p_name);
+			octx->print(octx->ctx, "%s", p->p_name);
 			return;
 		}
 	}
@@ -821,7 +826,7 @@ const struct datatype icmpx_code_type = {
 	.sym_tbl	= &icmpx_code_tbl,
 };
 
-void time_print(uint64_t seconds)
+void time_print(uint64_t seconds, struct output_ctx *octx)
 {
 	uint64_t days, hours, minutes;
 
@@ -835,13 +840,13 @@ void time_print(uint64_t seconds)
 	seconds %= 60;
 
 	if (days > 0)
-		printf("%"PRIu64"d", days);
+		octx->print(octx->ctx, "%"PRIu64"d", days);
 	if (hours > 0)
-		printf("%"PRIu64"h", hours);
+		octx->print(octx->ctx, "%"PRIu64"h", hours);
 	if (minutes > 0)
-		printf("%"PRIu64"m", minutes);
+		octx->print(octx->ctx, "%"PRIu64"m", minutes);
 	if (seconds > 0)
-		printf("%"PRIu64"s", seconds);
+		octx->print(octx->ctx, "%"PRIu64"s", seconds);
 }
 
 enum {
@@ -933,7 +938,7 @@ struct error_record *time_parse(const struct location *loc, const char *str,
 
 static void time_type_print(const struct expr *expr, struct output_ctx *octx)
 {
-	time_print(mpz_get_uint64(expr->value) / MSEC_PER_SEC);
+	time_print(mpz_get_uint64(expr->value) / MSEC_PER_SEC, octx);
 }
 
 static struct error_record *time_type_parse(const struct expr *sym,
diff --git a/src/expression.c b/src/expression.c
index d41ada3..6d70739 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -86,41 +86,41 @@ bool expr_cmp(const struct expr *e1, const struct expr *e2)
 	return e1->ops->cmp(e1, e2);
 }
 
-void expr_describe(const struct expr *expr)
+void expr_describe(const struct expr *expr, struct output_ctx *octx)
 {
 	const struct datatype *dtype = expr->dtype;
 	const char *delim = "";
 
-	printf("%s expression, datatype %s (%s)",
+	octx->print(octx->ctx, "%s expression, datatype %s (%s)",
 		expr->ops->name, dtype->name, dtype->desc);
 	if (dtype->basetype != NULL) {
-		printf(" (basetype ");
+		octx->print(octx->ctx, " (basetype ");
 		for (dtype = dtype->basetype; dtype != NULL;
 		     dtype = dtype->basetype) {
-			printf("%s%s", delim, dtype->desc);
+			octx->print(octx->ctx, "%s%s", delim, dtype->desc);
 			delim = ", ";
 		}
-		printf(")");
+		octx->print(octx->ctx, ")");
 	}
 
 	if (expr_basetype(expr)->type == TYPE_STRING) {
 		if (expr->len)
-			printf(", %u characters", expr->len / BITS_PER_BYTE);
+			octx->print(octx->ctx, ", %u characters", expr->len / BITS_PER_BYTE);
 		else
-			printf(", dynamic length");
+			octx->print(octx->ctx, ", dynamic length");
 	} else
-		printf(", %u bits", expr->len);
+		octx->print(octx->ctx, ", %u bits", expr->len);
 
-	printf("\n");
+	octx->print(octx->ctx, "\n");
 
 	if (expr->dtype->sym_tbl != NULL) {
-		printf("\npre-defined symbolic constants ");
+		octx->print(octx->ctx, "\npre-defined symbolic constants ");
 		if (expr->dtype->sym_tbl->base == BASE_DECIMAL)
-			printf("(in decimal):\n");
+			octx->print(octx->ctx, "(in decimal):\n");
 		else
-			printf("(in hexadecimal):\n");
+			octx->print(octx->ctx, "(in hexadecimal):\n");
 		symbol_table_print(expr->dtype->sym_tbl, expr->dtype,
-				   expr->byteorder);
+				   expr->byteorder, octx);
 	}
 }
 
@@ -215,7 +215,7 @@ struct expr *verdict_expr_alloc(const struct location *loc,
 
 static void symbol_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
-	printf("%s%s", expr->scope != NULL ? "$" : "", expr->identifier);
+	octx->print(octx->ctx, "%s%s", expr->scope != NULL ? "$" : "", expr->identifier);
 }
 
 static void symbol_expr_clone(struct expr *new, const struct expr *expr)
@@ -398,7 +398,7 @@ struct expr *bitmask_expr_to_binops(struct expr *expr)
 static void prefix_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	expr_print(expr->prefix, octx);
-	printf("/%u", expr->prefix_len);
+	octx->print(octx->ctx, "/%u", expr->prefix_len);
 }
 
 static void prefix_expr_set_type(const struct expr *expr,
@@ -513,10 +513,10 @@ static void binop_arg_print(const struct expr *op, const struct expr *arg,
 		prec = 1;
 
 	if (prec)
-		printf("(");
+		octx->print(octx->ctx, "(");
 	expr_print(arg, octx);
 	if (prec)
-		printf(")");
+		octx->print(octx->ctx, ")");
 }
 
 static bool must_print_eq_op(const struct expr *expr)
@@ -534,9 +534,9 @@ static void binop_expr_print(const struct expr *expr, struct output_ctx *octx)
 
 	if (expr_op_symbols[expr->op] &&
 	    (expr->op != OP_EQ || must_print_eq_op(expr)))
-		printf(" %s ", expr_op_symbols[expr->op]);
+		octx->print(octx->ctx, " %s ", expr_op_symbols[expr->op]);
 	else
-		printf(" ");
+		octx->print(octx->ctx, " ");
 
 	binop_arg_print(expr, expr->right, octx);
 }
@@ -602,7 +602,7 @@ static void range_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	octx->numeric += NUMERIC_ALL + 1;
 	expr_print(expr->left, octx);
-	printf("-");
+	octx->print(octx->ctx, "-");
 	expr_print(expr->right, octx);
 	octx->numeric -= NUMERIC_ALL + 1;
 }
@@ -682,7 +682,7 @@ static void compound_expr_print(const struct expr *expr, const char *delim,
 	const char *d = "";
 
 	list_for_each_entry(i, &expr->expressions, list) {
-		printf("%s", d);
+		octx->print(octx->ctx, "%s", d);
 		expr_print(i, octx);
 		d = delim;
 	}
@@ -793,16 +793,16 @@ static void set_expr_print(const struct expr *expr, struct output_ctx *octx)
 	const char *d = "";
 	int count = 0;
 
-	printf("{ ");
+	octx->print(octx->ctx, "{ ");
 
 	list_for_each_entry(i, &expr->expressions, list) {
-		printf("%s", d);
+		octx->print(octx->ctx, "%s", d);
 		expr_print(i, octx);
 		count++;
 		d = calculate_delim(expr, &count);
 	}
 
-	printf(" }");
+	octx->print(octx->ctx, " }");
 }
 
 static void set_expr_set_type(const struct expr *expr,
@@ -840,7 +840,7 @@ struct expr *set_expr_alloc(const struct location *loc, const struct set *set)
 static void mapping_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	expr_print(expr->left, octx);
-	printf(" : ");
+	octx->print(octx->ctx, " : ");
 	expr_print(expr->right, octx);
 }
 
@@ -889,9 +889,9 @@ static void map_expr_print(const struct expr *expr, struct output_ctx *octx)
 	expr_print(expr->map, octx);
 	if (expr->mappings->ops->type == EXPR_SET_REF &&
 	    expr->mappings->set->datatype->type == TYPE_VERDICT)
-		printf(" vmap ");
+		octx->print(octx->ctx, " vmap ");
 	else
-		printf(" map ");
+		octx->print(octx->ctx, " map ");
 	expr_print(expr->mappings, octx);
 }
 
@@ -930,11 +930,11 @@ static void set_ref_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	if (expr->set->flags & NFT_SET_ANONYMOUS) {
 		if (expr->set->flags & NFT_SET_EVAL)
-			printf("table %s", expr->set->handle.set);
+			octx->print(octx->ctx, "table %s", expr->set->handle.set);
 		else
 			expr_print(expr->set->init, octx);
 	} else {
-		printf("@%s", expr->set->handle.set);
+		octx->print(octx->ctx, "@%s", expr->set->handle.set);
 	}
 }
 
@@ -971,18 +971,18 @@ static void set_elem_expr_print(const struct expr *expr,
 {
 	expr_print(expr->key, octx);
 	if (expr->timeout) {
-		printf(" timeout ");
-		time_print(expr->timeout / 1000);
+		octx->print(octx->ctx, " timeout ");
+		time_print(expr->timeout / 1000, octx);
 	}
 	if (!octx->stateless && expr->expiration) {
-		printf(" expires ");
-		time_print(expr->expiration / 1000);
+		octx->print(octx->ctx, " expires ");
+		time_print(expr->expiration / 1000, octx);
 	}
 	if (expr->comment)
-		printf(" comment \"%s\"", expr->comment);
+		octx->print(octx->ctx, " comment \"%s\"", expr->comment);
 
 	if (expr->stmt) {
-		printf(" : ");
+		octx->print(octx->ctx, " : ");
 		stmt_print(expr->stmt, octx);
 	}
 }
diff --git a/src/exthdr.c b/src/exthdr.c
index a412025..21ceedd 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -33,19 +33,19 @@ static void exthdr_expr_print(const struct expr *expr, struct output_ctx *octx)
 		char buf[9] = {0};
 
 		if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT) {
-			printf("tcp option %s", expr->exthdr.desc->name);
+			octx->print(octx->ctx, "tcp option %s", expr->exthdr.desc->name);
 			return;
 		}
 
 		if (offset)
 			snprintf(buf, sizeof buf, "%d", offset);
-		printf("tcp option %s%s %s", expr->exthdr.desc->name, buf,
+		octx->print(octx->ctx, "tcp option %s%s %s", expr->exthdr.desc->name, buf,
 					     expr->exthdr.tmpl->token);
 	} else {
 		if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
-			printf("exthdr %s", expr->exthdr.desc->name);
+			octx->print(octx->ctx, "exthdr %s", expr->exthdr.desc->name);
 		else {
-			printf("%s %s", expr->exthdr.desc ? expr->exthdr.desc->name : "unknown-exthdr",
+			octx->print(octx->ctx, "%s %s", expr->exthdr.desc ? expr->exthdr.desc->name : "unknown-exthdr",
 					expr->exthdr.tmpl->token);
 		}
 	}
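Review bot: the converted multi-line calls in this hunk now exceed 80 columns and their continuation lines no longer line up with the opening parenthesis; `octx->print(octx->ctx, "tcp option %s%s %s", expr->exthdr.desc->name, buf,` is followed by `expr->exthdr.tmpl->token);` indented for the old `printf(` position. Since `octx->print(octx->ctx, ` is 23 characters longer than `printf(`, re-wrap the arguments (or introduce a short wrapper that takes `octx` directly) so the file keeps its existing style; the same re-indentation is needed in most of the multi-line conversions later in this patch.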
diff --git a/src/fib.c b/src/fib.c
index b3488af..202b6b1 100644
--- a/src/fib.c
+++ b/src/fib.c
@@ -60,32 +60,33 @@ static const char *fib_result_str(enum nft_fib_result result)
 	return "unknown";
 }
 
-static void __fib_expr_print_f(unsigned int *flags, unsigned int f, const char *s)
+static void __fib_expr_print_f(unsigned int *flags, unsigned int f,
+			       const char *s, struct output_ctx *octx)
 {
 	if ((*flags & f) == 0)
 		return;
 
-	printf("%s", s);
+	octx->print(octx->ctx, "%s", s);
 	*flags &= ~f;
 	if (*flags)
-		printf(" . ");
+		octx->print(octx->ctx, " . ");
 }
 
 static void fib_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	unsigned int flags = expr->fib.flags & ~NFTA_FIB_F_PRESENT;
 
-	printf("fib ");
-	__fib_expr_print_f(&flags, NFTA_FIB_F_SADDR, "saddr");
-	__fib_expr_print_f(&flags, NFTA_FIB_F_DADDR, "daddr");
-	__fib_expr_print_f(&flags, NFTA_FIB_F_MARK, "mark");
-	__fib_expr_print_f(&flags, NFTA_FIB_F_IIF, "iif");
-	__fib_expr_print_f(&flags, NFTA_FIB_F_OIF, "oif");
+	octx->print(octx->ctx, "fib ");
+	__fib_expr_print_f(&flags, NFTA_FIB_F_SADDR, "saddr", octx);
+	__fib_expr_print_f(&flags, NFTA_FIB_F_DADDR, "daddr", octx);
+	__fib_expr_print_f(&flags, NFTA_FIB_F_MARK, "mark", octx);
+	__fib_expr_print_f(&flags, NFTA_FIB_F_IIF, "iif", octx);
+	__fib_expr_print_f(&flags, NFTA_FIB_F_OIF, "oif", octx);
 
 	if (flags)
-		printf("0x%x", flags);
+		octx->print(octx->ctx, "0x%x", flags);
 
-	printf(" %s", fib_result_str(expr->fib.result));
+	octx->print(octx->ctx, " %s", fib_result_str(expr->fib.result));
 }
 
 static bool fib_expr_cmp(const struct expr *e1, const struct expr *e2)
diff --git a/src/hash.c b/src/hash.c
index 1a4bfb3..c42d360 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -19,19 +19,19 @@ static void hash_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	switch (expr->hash.type) {
 	case NFT_HASH_SYM:
-		printf("symhash");
+		octx->print(octx->ctx, "symhash");
 	break;
 	case NFT_HASH_JENKINS:
 	default:
-		printf("jhash ");
+		octx->print(octx->ctx, "jhash ");
 		expr_print(expr->hash.expr, octx);
 	}
 
-	printf(" mod %u", expr->hash.mod);
+	octx->print(octx->ctx, " mod %u", expr->hash.mod);
 	if (expr->hash.seed_set)
-		printf(" seed 0x%x", expr->hash.seed);
+		octx->print(octx->ctx, " seed 0x%x", expr->hash.seed);
 	if (expr->hash.offset)
-		printf(" offset %u", expr->hash.offset);
+		octx->print(octx->ctx, " offset %u", expr->hash.offset);
 }
 
 static bool hash_expr_cmp(const struct expr *e1, const struct expr *e2)
diff --git a/src/libnftables.c b/src/libnftables.c
index 2228156..7209885 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -58,6 +58,17 @@ void nft_global_deinit(void)
 	mark_table_exit();
 }
 
+__attribute__((format(printf, 2, 0)))
+static int nft_print(void *ctx, const char *fmt, ...)
+{
+	va_list arg;
+	va_start(arg, fmt);
+	vfprintf(stdout, fmt, arg);
+	va_end(arg);
+
+	return 0;
+} 
+
 struct nft_ctx *nft_context_new(void)
 {
 	struct nft_ctx *ctx = NULL;
@@ -67,8 +78,11 @@ struct nft_ctx *nft_context_new(void)
 
 	memset(ctx, 0, sizeof(*ctx));
 	ctx->nf_sock = netlink_open_sock();
+
 	init_list_head(&ctx->cache.list);
 
+	ctx->output.ctx = ctx;
+	ctx->output.print = nft_print;
 	return ctx;
 }
 
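Review bot: nothing in this hunk lets a library user replace `ctx->output.print`, so the indirection only ever reaches the static `nft_print` writing to `stdout`; if redirecting output is the goal of the `output_ctx` callback, a public setter on `struct nft_ctx` should accompany this patch, or at least a TODO in the cover letter. The blank line added after `netlink_open_sock()` is unrelated whitespace churn and can be dropped; note also that the (pre-existing) unchecked return of `netlink_open_sock()` is still not handled here.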
diff --git a/src/meta.c b/src/meta.c
index 9c80893..9994d57 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -54,13 +54,13 @@ static void tchandle_type_print(const struct expr *expr,
 
 	switch(handle) {
 	case TC_H_ROOT:
-		printf("root");
+		octx->print(octx->ctx, "root");
 		break;
 	case TC_H_UNSPEC:
-		printf("none");
+		octx->print(octx->ctx, "none");
 		break;
 	default:
-		printf("%0x:%0x", TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));
+		octx->print(octx->ctx, "%0x:%0x", TC_H_MAJ(handle) >> 16, TC_H_MIN(handle));
 		break;
 	}
 }
@@ -134,9 +134,9 @@ static void ifindex_type_print(const struct expr *expr, struct output_ctx *octx)
 
 	ifindex = mpz_get_uint32(expr->value);
 	if (nft_if_indextoname(ifindex, name))
-		printf("\"%s\"", name);
+		octx->print(octx->ctx, "\"%s\"", name);
 	else
-		printf("%d", ifindex);
+		octx->print(octx->ctx, "%d", ifindex);
 }
 
 static struct error_record *ifindex_type_parse(const struct expr *sym,
@@ -209,9 +209,9 @@ static void uid_type_print(const struct expr *expr, struct output_ctx *octx)
 
 		pw = getpwuid(uid);
 		if (pw != NULL)
-			printf("\"%s\"", pw->pw_name);
+			octx->print(octx->ctx, "\"%s\"", pw->pw_name);
 		else
-			printf("%d", uid);
+			octx->print(octx->ctx, "%d", uid);
 		return;
 	}
 	expr_basetype(expr)->print(expr, octx);
@@ -261,9 +261,9 @@ static void gid_type_print(const struct expr *expr, struct output_ctx *octx)
 
 		gr = getgrgid(gid);
 		if (gr != NULL)
-			printf("\"%s\"", gr->gr_name);
+			octx->print(octx->ctx, "\"%s\"", gr->gr_name);
 		else
-			printf("%u", gid);
+			octx->print(octx->ctx, "%u", gid);
 		return;
 	}
 	expr_basetype(expr)->print(expr, octx);
@@ -446,9 +446,9 @@ static bool meta_key_is_qualified(enum nft_meta_keys key)
 static void meta_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
 	if (meta_key_is_qualified(expr->meta.key))
-		printf("meta %s", meta_templates[expr->meta.key].token);
+		octx->print(octx->ctx, "meta %s", meta_templates[expr->meta.key].token);
 	else
-		printf("%s", meta_templates[expr->meta.key].token);
+		octx->print(octx->ctx, "%s", meta_templates[expr->meta.key].token);
 }
 
 static bool meta_expr_cmp(const struct expr *e1, const struct expr *e2)
@@ -573,9 +573,9 @@ struct expr *meta_expr_alloc(const struct location *loc, enum nft_meta_keys key)
 static void meta_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
 	if (meta_key_is_qualified(stmt->meta.key))
-		printf("meta %s set ", meta_templates[stmt->meta.key].token);
+		octx->print(octx->ctx, "meta %s set ", meta_templates[stmt->meta.key].token);
 	else
-		printf("%s set ", meta_templates[stmt->meta.key].token);
+		octx->print(octx->ctx, "%s set ", meta_templates[stmt->meta.key].token);
 
 	expr_print(stmt->meta.expr, octx);
 }
diff --git a/src/numgen.c b/src/numgen.c
index 19a4a9c..e6938ce 100644
--- a/src/numgen.c
+++ b/src/numgen.c
@@ -30,10 +30,10 @@ static const char *numgen_type_str(enum nft_ng_types type)
 
 static void numgen_expr_print(const struct expr *expr, struct output_ctx *octx)
 {
-	printf("numgen %s mod %u", numgen_type_str(expr->numgen.type),
+	octx->print(octx->ctx, "numgen %s mod %u", numgen_type_str(expr->numgen.type),
 	       expr->numgen.mod);
 	if (expr->numgen.offset)
-		printf(" offset %u", expr->numgen.offset);
+		octx->print(octx->ctx, " offset %u", expr->numgen.offset);
 }
 
 static bool numgen_expr_cmp(const struct expr *e1, const struct expr *e2)
diff --git a/src/payload.c b/src/payload.c
index 7f94ff7..fd6cb3a 100644
--- a/src/payload.c
+++ b/src/payload.c
@@ -46,9 +46,9 @@ static void payload_expr_print(const struct expr *expr, struct output_ctx *octx)
 	desc = expr->payload.desc;
 	tmpl = expr->payload.tmpl;
 	if (payload_is_known(expr))
-		printf("%s %s", desc->name, tmpl->token);
+		octx->print(octx->ctx, "%s %s", desc->name, tmpl->token);
 	else
-		printf("payload @%s,%u,%u",
+		octx->print(octx->ctx, "payload @%s,%u,%u",
 		       proto_base_tokens[expr->payload.base],
 		       expr->payload.offset, expr->len);
 }
diff --git a/src/rule.c b/src/rule.c
index ef12bec..364dd13 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -271,7 +271,8 @@ static const char *set_policy2str(uint32_t policy)
 }
 
 static void set_print_declaration(const struct set *set,
-				  struct print_fmt_options *opts)
+				  struct print_fmt_options *opts,
+				  struct output_ctx *octx)
 {
 	const char *delim = "";
 	const char *type;
@@ -284,33 +285,33 @@ static void set_print_declaration(const struct set *set,
 	else
 		type = "set";
 
-	printf("%s%s", opts->tab, type);
+	octx->print(octx->ctx, "%s%s", opts->tab, type);
 
 	if (opts->family != NULL)
-		printf(" %s", opts->family);
+		octx->print(octx->ctx, " %s", opts->family);
 
 	if (opts->table != NULL)
-		printf(" %s", opts->table);
+		octx->print(octx->ctx, " %s", opts->table);
 
-	printf(" %s {%s", set->handle.set, opts->nl);
+	octx->print(octx->ctx, " %s {%s", set->handle.set, opts->nl);
 
-	printf("%s%stype %s", opts->tab, opts->tab, set->keytype->name);
+	octx->print(octx->ctx, "%s%stype %s", opts->tab, opts->tab, set->keytype->name);
 	if (set->flags & NFT_SET_MAP)
-		printf(" : %s", set->datatype->name);
+		octx->print(octx->ctx, " : %s", set->datatype->name);
 	else if (set->flags & NFT_SET_OBJECT)
-		printf(" : %s", obj_type_name(set->objtype));
+		octx->print(octx->ctx, " : %s", obj_type_name(set->objtype));
 
-	printf("%s", opts->stmt_separator);
+	octx->print(octx->ctx, "%s", opts->stmt_separator);
 
 	if (!(set->flags & (NFT_SET_CONSTANT))) {
 		if (set->policy != NFT_SET_POL_PERFORMANCE) {
-			printf("%s%spolicy %s%s", opts->tab, opts->tab,
+			octx->print(octx->ctx, "%s%spolicy %s%s", opts->tab, opts->tab,
 			       set_policy2str(set->policy),
 			       opts->stmt_separator);
 		}
 
 		if (set->desc.size > 0) {
-			printf("%s%ssize %u%s", opts->tab, opts->tab,
+			octx->print(octx->ctx, "%s%ssize %u%s", opts->tab, opts->tab,
 			       set->desc.size, opts->stmt_separator);
 		}
 	}
@@ -321,45 +322,45 @@ static void set_print_declaration(const struct set *set,
 		flags &= ~NFT_SET_TIMEOUT;
 
 	if (flags & (NFT_SET_CONSTANT | NFT_SET_INTERVAL | NFT_SET_TIMEOUT)) {
-		printf("%s%sflags ", opts->tab, opts->tab);
+		octx->print(octx->ctx, "%s%sflags ", opts->tab, opts->tab);
 		if (set->flags & NFT_SET_CONSTANT) {
-			printf("%sconstant", delim);
+			octx->print(octx->ctx, "%sconstant", delim);
 			delim = ",";
 		}
 		if (set->flags & NFT_SET_INTERVAL) {
-			printf("%sinterval", delim);
+			octx->print(octx->ctx, "%sinterval", delim);
 			delim = ",";
 		}
 		if (set->flags & NFT_SET_TIMEOUT) {
-			printf("%stimeout", delim);
+			octx->print(octx->ctx, "%stimeout", delim);
 			delim = ",";
 		}
-		printf("%s", opts->stmt_separator);
+		octx->print(octx->ctx, "%s", opts->stmt_separator);
 	}
 
 	if (set->timeout) {
-		printf("%s%stimeout ", opts->tab, opts->tab);
-		time_print(set->timeout / 1000);
-		printf("%s", opts->stmt_separator);
+		octx->print(octx->ctx, "%s%stimeout ", opts->tab, opts->tab);
+		time_print(set->timeout / 1000, octx);
+		octx->print(octx->ctx, "%s", opts->stmt_separator);
 	}
 	if (set->gc_int) {
-		printf("%s%sgc-interval ", opts->tab, opts->tab);
-		time_print(set->gc_int / 1000);
-		printf("%s", opts->stmt_separator);
+		octx->print(octx->ctx, "%s%sgc-interval ", opts->tab, opts->tab);
+		time_print(set->gc_int / 1000, octx);
+		octx->print(octx->ctx, "%s", opts->stmt_separator);
 	}
 }
 
 static void do_set_print(const struct set *set, struct print_fmt_options *opts,
 			  struct output_ctx *octx)
 {
-	set_print_declaration(set, opts);
+	set_print_declaration(set, opts, octx);
 
 	if (set->init != NULL && set->init->size > 0) {
-		printf("%s%selements = ", opts->tab, opts->tab);
+		octx->print(octx->ctx, "%s%selements = ", opts->tab, opts->tab);
 		expr_print(set->init, octx);
-		printf("%s", opts->nl);
+		octx->print(octx->ctx, "%s", opts->nl);
 	}
-	printf("%s}%s", opts->tab, opts->nl);
+	octx->print(octx->ctx, "%s}%s", opts->tab, opts->nl);
 }
 
 void set_print(const struct set *s, struct output_ctx *octx)
@@ -424,14 +425,14 @@ void rule_print(const struct rule *rule, struct output_ctx *octx)
 	list_for_each_entry(stmt, &rule->stmts, list) {
 		stmt->ops->print(stmt, octx);
 		if (!list_is_last(&stmt->list, &rule->stmts))
-			printf(" ");
+			octx->print(octx->ctx, " ");
 	}
 
 	if (rule->comment)
-		printf(" comment \"%s\"", rule->comment);
+		octx->print(octx->ctx, " comment \"%s\"", rule->comment);
 
 	if (octx->handle > 0)
-		printf(" # handle %" PRIu64, rule->handle.handle.id);
+		octx->print(octx->ctx, " # handle %" PRIu64, rule->handle.handle.id);
 }
 
 struct rule *rule_lookup(const struct chain *chain, uint64_t handle)
@@ -661,18 +662,19 @@ static const char *chain_policy2str(uint32_t policy)
 	return "unknown";
 }
 
-static void chain_print_declaration(const struct chain *chain)
+static void chain_print_declaration(const struct chain *chain,
+				    struct output_ctx *octx)
 {
-	printf("\tchain %s {\n", chain->handle.chain);
+	octx->print(octx->ctx, "\tchain %s {\n", chain->handle.chain);
 	if (chain->flags & CHAIN_F_BASECHAIN) {
 		if (chain->dev != NULL) {
-			printf("\t\ttype %s hook %s device %s priority %d; policy %s;\n",
+			octx->print(octx->ctx, "\t\ttype %s hook %s device %s priority %d; policy %s;\n",
 			       chain->type,
 			       hooknum2str(chain->handle.family, chain->hooknum),
 			       chain->dev, chain->priority,
 			       chain_policy2str(chain->policy));
 		} else {
-			printf("\t\ttype %s hook %s priority %d; policy %s;\n",
+			octx->print(octx->ctx, "\t\ttype %s hook %s priority %d; policy %s;\n",
 			       chain->type,
 			       hooknum2str(chain->handle.family, chain->hooknum),
 			       chain->priority, chain_policy2str(chain->policy));
@@ -684,14 +686,14 @@ static void chain_print(const struct chain *chain, struct output_ctx *octx)
 {
 	struct rule *rule;
 
-	chain_print_declaration(chain);
+	chain_print_declaration(chain, octx);
 
 	list_for_each_entry(rule, &chain->rules, list) {
-		printf("\t\t");
+		octx->print(octx->ctx, "\t\t");
 		rule_print(rule, octx);
-		printf("\n");
+		octx->print(octx->ctx, "\n");
 	}
-	printf("\t}\n");
+	octx->print(octx->ctx, "\t}\n");
 }
 
 void chain_print_plain(const struct chain *chain)
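Review bot: the trailing context line shows `chain_print_plain()` keeping its single-argument signature, so if it still emits output with `printf` that output bypasses the new callback while `chain_print()` right above it goes through `octx->print`; either convert it in this patch or mention in the commit message that plain-mode printing is intentionally left for a follow-up.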
@@ -796,27 +798,27 @@ static void table_print(const struct table *table, struct output_ctx *octx)
 	const char *delim = "";
 	const char *family = family2str(table->handle.family);
 
-	printf("table %s %s {\n", family, table->handle.table);
+	octx->print(octx->ctx, "table %s %s {\n", family, table->handle.table);
 	table_print_options(table, &delim);
 
 	list_for_each_entry(obj, &table->objs, list) {
-		printf("%s", delim);
+		octx->print(octx->ctx, "%s", delim);
 		obj_print(obj, octx);
 		delim = "\n";
 	}
 	list_for_each_entry(set, &table->sets, list) {
 		if (set->flags & NFT_SET_ANONYMOUS)
 			continue;
-		printf("%s", delim);
+		octx->print(octx->ctx, "%s", delim);
 		set_print(set, octx);
 		delim = "\n";
 	}
 	list_for_each_entry(chain, &table->chains, list) {
-		printf("%s", delim);
+		octx->print(octx->ctx, "%s", delim);
 		chain_print(chain, octx);
 		delim = "\n";
 	}
-	printf("}\n");
+	octx->print(octx->ctx, "}\n");
 }
 
 struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
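Review bot: `table_print_options(table, &delim);` is still called without `octx` between the converted `table %s %s {` header and the object loop, so any flags it prints for the table will go to `stdout` directly rather than through `octx->print`, and a library consumer with a redirected callback would get a partially captured table. Convert it in the same way as `set_print_declaration()` and `chain_print_declaration()` are converted in this patch.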
@@ -1176,7 +1178,7 @@ static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd)
 		    cmd->handle.family != table->handle.family)
 			continue;
 
-		printf("table %s %s {\n",
+		ctx->octx->print(ctx->octx->ctx, "table %s %s {\n",
 		       family2str(table->handle.family),
 		       table->handle.table);
 
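Review bot: the continuation lines `family2str(table->handle.family),` and `table->handle.table);` keep the indentation that matched `printf(`, but the new `ctx->octx->print(ctx->octx->ctx, "table %s %s {\n",` pushes the first argument much further right; re-align them with the opening parenthesis, as the second hunk in this function already does for `opts.tab, opts.nl);`.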
@@ -1191,11 +1193,12 @@ static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd)
 			if (cmd->obj == CMD_OBJ_MAPS &&
 			    !(set->flags & NFT_SET_MAP))
 				continue;
-			set_print_declaration(set, &opts);
-			printf("%s}%s", opts.tab, opts.nl);
+			set_print_declaration(set, &opts, ctx->octx);
+			ctx->octx->print(ctx->octx->ctx, "%s}%s",
+					 opts.tab, opts.nl);
 		}
 
-		printf("}\n");
+		ctx->octx->print(ctx->octx->ctx, "}\n");
 	}
 	return 0;
 }
@@ -1260,40 +1263,40 @@ static void obj_print_data(const struct obj *obj,
 {
 	switch (obj->type) {
 	case NFT_OBJECT_COUNTER:
-		printf(" %s {%s%s%s", obj->handle.obj,
+		octx->print(octx->ctx, " %s {%s%s%s", obj->handle.obj,
 				      opts->nl, opts->tab, opts->tab);
 		if (octx->stateless) {
-			printf("packets 0 bytes 0");
+			octx->print(octx->ctx, "packets 0 bytes 0");
 			break;
 		}
-		printf("packets %"PRIu64" bytes %"PRIu64"",
+		octx->print(octx->ctx, "packets %"PRIu64" bytes %"PRIu64"",
 		       obj->counter.packets, obj->counter.bytes);
 		break;
 	case NFT_OBJECT_QUOTA: {
 		const char *data_unit;
 		uint64_t bytes;
 
-		printf(" %s {%s%s%s", obj->handle.obj,
+		octx->print(octx->ctx, " %s {%s%s%s", obj->handle.obj,
 				      opts->nl, opts->tab, opts->tab);
 		data_unit = get_rate(obj->quota.bytes, &bytes);
-		printf("%s%"PRIu64" %s",
+		octx->print(octx->ctx, "%s%"PRIu64" %s",
 		       obj->quota.flags & NFT_QUOTA_F_INV ? "over " : "",
 		       bytes, data_unit);
 		if (!octx->stateless && obj->quota.used) {
 			data_unit = get_rate(obj->quota.used, &bytes);
-			printf(" used %"PRIu64" %s", bytes, data_unit);
+			octx->print(octx->ctx, " used %"PRIu64" %s", bytes, data_unit);
 		}
 		}
 		break;
 	case NFT_OBJECT_CT_HELPER: {
-		printf("ct helper %s {\n", obj->handle.obj);
-		printf("\t\ttype \"%s\" protocol ", obj->ct_helper.name);
+		octx->print(octx->ctx, "ct helper %s {\n", obj->handle.obj);
+		octx->print(octx->ctx, "\t\ttype \"%s\" protocol ", obj->ct_helper.name);
 		print_proto_name_proto(obj->ct_helper.l4proto);
-		printf("\t\tl3proto %s", family2str(obj->ct_helper.l3proto));
+		octx->print(octx->ctx, "\t\tl3proto %s", family2str(obj->ct_helper.l3proto));
 		break;
 		}
 	default:
-		printf("unknown {%s", opts->nl);
+		octx->print(octx->ctx, "unknown {%s", opts->nl);
 		break;
 	}
 }
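Review bot: `print_proto_name_proto(obj->ct_helper.l4proto);` in the `NFT_OBJECT_CT_HELPER` case is left unconverted between two `octx->print` calls, so the protocol name is written by a different path from the surrounding text; if it prints internally it needs an `octx` parameter like `time_print()` received elsewhere in this patch, otherwise output captured through a custom callback will be missing the protocol name.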
@@ -1328,17 +1331,17 @@ static void obj_print_declaration(const struct obj *obj,
 				  struct print_fmt_options *opts,
 				  struct output_ctx *octx)
 {
-	printf("%s%s", opts->tab, obj_type_name(obj->type));
+	octx->print(octx->ctx, "%s%s", opts->tab, obj_type_name(obj->type));
 
 	if (opts->family != NULL)
-		printf(" %s", opts->family);
+		octx->print(octx->ctx, " %s", opts->family);
 
 	if (opts->table != NULL)
-		printf(" %s", opts->table);
+		octx->print(octx->ctx, " %s", opts->table);
 
 	obj_print_data(obj, opts, octx);
 
-	printf("%s%s}%s", opts->nl, opts->tab, opts->nl);
+	octx->print(octx->ctx, "%s%s}%s", opts->nl, opts->tab, opts->nl);
 }
 
 void obj_print(const struct obj *obj, struct output_ctx *octx)
@@ -1379,13 +1382,13 @@ static int do_list_obj(struct netlink_ctx *ctx, struct cmd *cmd, uint32_t type)
 		    cmd->handle.family != table->handle.family)
 			continue;
 
-		printf("table %s %s {\n",
+		ctx->octx->print(ctx->octx->ctx, "table %s %s {\n",
 		       family2str(table->handle.family),
 		       table->handle.table);
 
 		if (cmd->handle.table != NULL &&
 		    strcmp(cmd->handle.table, table->handle.table)) {
-			printf("}\n");
+			ctx->octx->print(ctx->octx->ctx, "}\n");
 			continue;
 		}
 
@@ -1398,7 +1401,7 @@ static int do_list_obj(struct netlink_ctx *ctx, struct cmd *cmd, uint32_t type)
 			obj_print_declaration(obj, &opts, ctx->octx);
 		}
 
-		printf("}\n");
+		ctx->octx->print(ctx->octx->ctx, "}\n");
 	}
 	return 0;
 }
@@ -1434,7 +1437,7 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd)
 		    cmd->handle.family != table->handle.family)
 			continue;
 
-		printf("table %s %s\n",
+		ctx->octx->print(ctx->octx->ctx, "table %s %s\n",
 		       family2str(table->handle.family),
 		       table->handle.table);
 	}
@@ -1442,9 +1445,10 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd)
 	return 0;
 }
 
-static void table_print_declaration(struct table *table)
+static void table_print_declaration(struct table *table,
+				    struct output_ctx *octx)
 {
-	printf("table %s %s {\n",
+	octx->print(octx->ctx, "table %s %s {\n",
 		family2str(table->handle.family),
 		table->handle.table);
 }
@@ -1454,7 +1458,7 @@ static int do_list_chain(struct netlink_ctx *ctx, struct cmd *cmd,
 {
 	struct chain *chain;
 
-	table_print_declaration(table);
+	table_print_declaration(table, ctx->octx);
 
 	list_for_each_entry(chain, &table->chains, list) {
 		if (chain->handle.family != cmd->handle.family ||
@@ -1464,7 +1468,7 @@ static int do_list_chain(struct netlink_ctx *ctx, struct cmd *cmd,
 		chain_print(chain, ctx->octx);
 	}
 
-	printf("}\n");
+	ctx->octx->print(ctx->octx->ctx, "}\n");
 
 	return 0;
 }
@@ -1479,13 +1483,13 @@ static int do_list_chains(struct netlink_ctx *ctx, struct cmd *cmd)
 		    cmd->handle.family != table->handle.family)
 			continue;
 
-		table_print_declaration(table);
+		table_print_declaration(table, ctx->octx);
 
 		list_for_each_entry(chain, &table->chains, list) {
-			chain_print_declaration(chain);
-			printf("\t}\n");
+			chain_print_declaration(chain, ctx->octx);
+			ctx->octx->print(ctx->octx->ctx, "\t}\n");
 		}
-		printf("}\n");
+		ctx->octx->print(ctx->octx->ctx, "}\n");
 	}
 
 	return 0;
@@ -1500,9 +1504,9 @@ static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd,
 	if (set == NULL)
 		return -1;
 
-	table_print_declaration(table);
+	table_print_declaration(table, ctx->octx);
 	set_print(set, ctx->octx);
-	printf("}\n");
+	ctx->octx->print(ctx->octx->ctx, "}\n");
 
 	return 0;
 }
@@ -1689,9 +1693,10 @@ static int do_command_monitor(struct netlink_ctx *ctx, struct cmd *cmd)
 	return netlink_monitor(&monhandler, ctx->nf_sock);
 }
 
-static int do_command_describe(struct netlink_ctx *ctx, struct cmd *cmd)
+static int do_command_describe(struct netlink_ctx *ctx, struct cmd *cmd,
+			       struct output_ctx *octx)
 {
-	expr_describe(cmd->expr);
+	expr_describe(cmd->expr, octx);
 	return 0;
 }
 
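Review bot: adding a separate `struct output_ctx *octx` parameter to `do_command_describe()` is redundant, since `ctx->octx` is already reachable from the `struct netlink_ctx` argument and the other `do_list_*` functions in this file use `ctx->octx` directly; dropping the extra parameter and calling `expr_describe(cmd->expr, ctx->octx)` keeps the signature consistent with its siblings and avoids the caller passing `ctx` and `ctx->octx` side by side.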
@@ -1737,7 +1742,7 @@ int do_command(struct netlink_ctx *ctx, struct cmd *cmd)
 	case CMD_MONITOR:
 		return do_command_monitor(ctx, cmd);
 	case CMD_DESCRIBE:
-		return do_command_describe(ctx, cmd);
+		return do_command_describe(ctx, cmd, ctx->octx);
 	default:
 		BUG("invalid command object type %u\n", cmd->obj);
 	}
diff --git a/src/statement.c b/src/statement.c
index 0ce875e..bb9b862 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -109,20 +109,20 @@ struct stmt *verdict_stmt_alloc(const struct location *loc, struct expr *expr)
 
 static void flow_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("flow ");
+	octx->print(octx->ctx, "flow ");
 	if (stmt->flow.set) {
 		expr_print(stmt->flow.set, octx);
-		printf(" ");
+		octx->print(octx->ctx, " ");
 	}
-	printf("{ ");
+	octx->print(octx->ctx, "{ ");
 	expr_print(stmt->flow.key, octx);
-	printf(" ");
+	octx->print(octx->ctx, " ");
 
 	octx->stateless++;
 	stmt_print(stmt->flow.stmt, octx);
 	octx->stateless--;
 
-	printf("} ");
+	octx->print(octx->ctx, "} ");
 
 }
 
@@ -147,12 +147,12 @@ struct stmt *flow_stmt_alloc(const struct location *loc)
 
 static void counter_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("counter");
+	octx->print(octx->ctx, "counter");
 
 	if (octx->stateless)
 		return;
 
-	printf(" packets %" PRIu64 " bytes %" PRIu64,
+	octx->print(octx->ctx, " packets %" PRIu64 " bytes %" PRIu64,
 	       stmt->counter.packets, stmt->counter.bytes);
 }
 
@@ -189,10 +189,10 @@ static void objref_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
 	switch (stmt->objref.type) {
 	case NFT_OBJECT_CT_HELPER:
-		printf("ct helper set ");
+		octx->print(octx->ctx, "ct helper set ");
 		break;
 	default:
-		printf("%s name ", objref_type_name(stmt->objref.type));
+		octx->print(octx->ctx, "%s name ", objref_type_name(stmt->objref.type));
 		break;
 	}
 	expr_print(stmt->objref.expr, octx);
@@ -233,39 +233,39 @@ static const char *log_level(uint32_t level)
 
 static void log_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("log");
+	octx->print(octx->ctx, "log");
 	if (stmt->log.flags & STMT_LOG_PREFIX)
-		printf(" prefix \"%s\"", stmt->log.prefix);
+		octx->print(octx->ctx, " prefix \"%s\"", stmt->log.prefix);
 	if (stmt->log.flags & STMT_LOG_GROUP)
-		printf(" group %u", stmt->log.group);
+		octx->print(octx->ctx, " group %u", stmt->log.group);
 	if (stmt->log.flags & STMT_LOG_SNAPLEN)
-		printf(" snaplen %u", stmt->log.snaplen);
+		octx->print(octx->ctx, " snaplen %u", stmt->log.snaplen);
 	if (stmt->log.flags & STMT_LOG_QTHRESHOLD)
-		printf(" queue-threshold %u", stmt->log.qthreshold);
+		octx->print(octx->ctx, " queue-threshold %u", stmt->log.qthreshold);
 	if ((stmt->log.flags & STMT_LOG_LEVEL) &&
 	    stmt->log.level != LOG_WARNING)
-		printf(" level %s", log_level(stmt->log.level));
+		octx->print(octx->ctx, " level %s", log_level(stmt->log.level));
 
 	if ((stmt->log.logflags & NF_LOG_MASK) == NF_LOG_MASK) {
-		printf(" flags all");
+		octx->print(octx->ctx, " flags all");
 	} else {
 		if (stmt->log.logflags & (NF_LOG_TCPSEQ | NF_LOG_TCPOPT)) {
 			const char *delim = " ";
 
-			printf(" flags tcp");
+			octx->print(octx->ctx, " flags tcp");
 			if (stmt->log.logflags & NF_LOG_TCPSEQ) {
-				printf(" sequence");
+				octx->print(octx->ctx, " sequence");
 				delim = ",";
 			}
 			if (stmt->log.logflags & NF_LOG_TCPOPT)
-				printf("%soptions", delim);
+				octx->print(octx->ctx, "%soptions", delim);
 		}
 		if (stmt->log.logflags & NF_LOG_IPOPT)
-			printf(" flags ip options");
+			octx->print(octx->ctx, " flags ip options");
 		if (stmt->log.logflags & NF_LOG_UID)
-			printf(" flags skuid");
+			octx->print(octx->ctx, " flags skuid");
 		if (stmt->log.logflags & NF_LOG_MACDECODE)
-			printf(" flags ether");
+			octx->print(octx->ctx, " flags ether");
 	}
 }
 
@@ -328,23 +328,23 @@ static void limit_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 
 	switch (stmt->limit.type) {
 	case NFT_LIMIT_PKTS:
-		printf("limit rate %s%" PRIu64 "/%s",
+		octx->print(octx->ctx, "limit rate %s%" PRIu64 "/%s",
 		       inv ? "over " : "", stmt->limit.rate,
 		       get_unit(stmt->limit.unit));
 		if (stmt->limit.burst > 0)
-			printf(" burst %u packets", stmt->limit.burst);
+			octx->print(octx->ctx, " burst %u packets", stmt->limit.burst);
 		break;
 	case NFT_LIMIT_PKT_BYTES:
 		data_unit = get_rate(stmt->limit.rate, &rate);
 
-		printf("limit rate %s%" PRIu64 " %s/%s",
+		octx->print(octx->ctx, "limit rate %s%" PRIu64 " %s/%s",
 		       inv ? "over " : "", rate, data_unit,
 		       get_unit(stmt->limit.unit));
 		if (stmt->limit.burst > 0) {
 			uint64_t burst;
 
 			data_unit = get_rate(stmt->limit.burst, &burst);
-			printf(" burst %"PRIu64" %s", burst, data_unit);
+			octx->print(octx->ctx, " burst %"PRIu64" %s", burst, data_unit);
 		}
 		break;
 	}
@@ -369,17 +369,17 @@ static void queue_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
 	const char *delim = " ";
 
-	printf("queue");
+	octx->print(octx->ctx, "queue");
 	if (stmt->queue.queue != NULL) {
-		printf(" num ");
+		octx->print(octx->ctx, " num ");
 		expr_print(stmt->queue.queue, octx);
 	}
 	if (stmt->queue.flags & NFT_QUEUE_FLAG_BYPASS) {
-		printf("%sbypass", delim);
+		octx->print(octx->ctx, "%sbypass", delim);
 		delim = ",";
 	}
 	if (stmt->queue.flags & NFT_QUEUE_FLAG_CPU_FANOUT)
-		printf("%sfanout", delim);
+		octx->print(octx->ctx, "%sfanout", delim);
 
 }
 
@@ -401,12 +401,12 @@ static void quota_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 	uint64_t bytes, used;
 
 	data_unit = get_rate(stmt->quota.bytes, &bytes);
-	printf("quota %s%"PRIu64" %s",
+	octx->print(octx->ctx, "quota %s%"PRIu64" %s",
 	       inv ? "over " : "", bytes, data_unit);
 
 	if (!octx->stateless && stmt->quota.used) {
 		data_unit = get_rate(stmt->quota.used, &used);
-		printf(" used %"PRIu64" %s", used, data_unit);
+		octx->print(octx->ctx, " used %"PRIu64" %s", used, data_unit);
 	}
 }
 
@@ -427,15 +427,15 @@ struct stmt *quota_stmt_alloc(const struct location *loc)
 
 static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("reject");
+	octx->print(octx->ctx, "reject");
 	switch (stmt->reject.type) {
 	case NFT_REJECT_TCP_RST:
-		printf(" with tcp reset");
+		octx->print(octx->ctx, " with tcp reset");
 		break;
 	case NFT_REJECT_ICMPX_UNREACH:
 		if (stmt->reject.icmp_code == NFT_REJECT_ICMPX_PORT_UNREACH)
 			break;
-		printf(" with icmpx type ");
+		octx->print(octx->ctx, " with icmpx type ");
 		expr_print(stmt->reject.expr, octx);
 		break;
 	case NFT_REJECT_ICMP_UNREACH:
@@ -443,13 +443,13 @@ static void reject_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 		case NFPROTO_IPV4:
 			if (stmt->reject.icmp_code == ICMP_PORT_UNREACH)
 				break;
-			printf(" with icmp type ");
+			octx->print(octx->ctx, " with icmp type ");
 			expr_print(stmt->reject.expr, octx);
 			break;
 		case NFPROTO_IPV6:
 			if (stmt->reject.icmp_code == ICMP6_DST_UNREACH_NOPORT)
 				break;
-			printf(" with icmpv6 type ");
+			octx->print(octx->ctx, " with icmpv6 type ");
 			expr_print(stmt->reject.expr, octx);
 			break;
 		}
@@ -468,7 +468,7 @@ struct stmt *reject_stmt_alloc(const struct location *loc)
 	return stmt_alloc(loc, &reject_stmt_ops);
 }
 
-static void print_nf_nat_flags(uint32_t flags)
+static void print_nf_nat_flags(uint32_t flags, struct output_ctx *octx)
 {
 	const char *delim = " ";
 
@@ -476,17 +476,17 @@ static void print_nf_nat_flags(uint32_t flags)
 		return;
 
 	if (flags & NF_NAT_RANGE_PROTO_RANDOM) {
-		printf("%srandom", delim);
+		octx->print(octx->ctx, "%srandom", delim);
 		delim = ",";
 	}
 
 	if (flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
-		printf("%sfully-random", delim);
+		octx->print(octx->ctx, "%sfully-random", delim);
 		delim = ",";
 	}
 
 	if (flags & NF_NAT_RANGE_PERSISTENT)
-		printf("%spersistent", delim);
+		octx->print(octx->ctx, "%spersistent", delim);
 }
 
 static void nat_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
@@ -496,21 +496,21 @@ static void nat_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 		[NFT_NAT_DNAT]	= "dnat",
 	};
 
-	printf("%s to ", nat_types[stmt->nat.type]);
+	octx->print(octx->ctx, "%s to ", nat_types[stmt->nat.type]);
 	if (stmt->nat.addr) {
 		if (stmt->nat.proto) {
 			if (stmt->nat.addr->ops->type == EXPR_VALUE &&
 			    stmt->nat.addr->dtype->type == TYPE_IP6ADDR) {
-				printf("[");
+				octx->print(octx->ctx, "[");
 				expr_print(stmt->nat.addr, octx);
-				printf("]");
+				octx->print(octx->ctx, "]");
 			} else if (stmt->nat.addr->ops->type == EXPR_RANGE &&
 				   stmt->nat.addr->left->dtype->type == TYPE_IP6ADDR) {
-				printf("[");
+				octx->print(octx->ctx, "[");
 				expr_print(stmt->nat.addr->left, octx);
-				printf("]-[");
+				octx->print(octx->ctx, "]-[");
 				expr_print(stmt->nat.addr->right, octx);
-				printf("]");
+				octx->print(octx->ctx, "]");
 			} else {
 				expr_print(stmt->nat.addr, octx);
 			}
@@ -520,11 +520,11 @@ static void nat_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 	}
 
 	if (stmt->nat.proto) {
-		printf(":");
+		octx->print(octx->ctx, ":");
 		expr_print(stmt->nat.proto, octx);
 	}
 
-	print_nf_nat_flags(stmt->nat.flags);
+	print_nf_nat_flags(stmt->nat.flags, octx);
 }
 
 static void nat_stmt_destroy(struct stmt *stmt)
@@ -547,14 +547,14 @@ struct stmt *nat_stmt_alloc(const struct location *loc)
 
 static void masq_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("masquerade");
+	octx->print(octx->ctx, "masquerade");
 
 	if (stmt->masq.proto) {
-		printf(" to :");
+		octx->print(octx->ctx, " to :");
 		expr_print(stmt->masq.proto, octx);
 	}
 
-	print_nf_nat_flags(stmt->masq.flags);
+	print_nf_nat_flags(stmt->masq.flags, octx);
 }
 
 static void masq_stmt_destroy(struct stmt *stmt)
@@ -576,14 +576,14 @@ struct stmt *masq_stmt_alloc(const struct location *loc)
 
 static void redir_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("redirect");
+	octx->print(octx->ctx, "redirect");
 
 	if (stmt->redir.proto) {
-		printf(" to :");
+		octx->print(octx->ctx, " to :");
 		expr_print(stmt->redir.proto, octx);
 	}
 
-	print_nf_nat_flags(stmt->redir.flags);
+	print_nf_nat_flags(stmt->redir.flags, octx);
 }
 
 static void redir_stmt_destroy(struct stmt *stmt)
@@ -610,9 +610,9 @@ static const char * const set_stmt_op_names[] = {
 
 static void set_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("set %s ", set_stmt_op_names[stmt->set.op]);
+	octx->print(octx->ctx, "set %s ", set_stmt_op_names[stmt->set.op]);
 	expr_print(stmt->set.key, octx);
-	printf(" ");
+	octx->print(octx->ctx, " ");
 	expr_print(stmt->set.set, octx);
 }
 
@@ -636,13 +636,13 @@ struct stmt *set_stmt_alloc(const struct location *loc)
 
 static void dup_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("dup");
+	octx->print(octx->ctx, "dup");
 	if (stmt->dup.to != NULL) {
-		printf(" to ");
+		octx->print(octx->ctx, " to ");
 		expr_print(stmt->dup.to, octx);
 
 		if (stmt->dup.dev != NULL) {
-			printf(" device ");
+			octx->print(octx->ctx, " device ");
 			expr_print(stmt->dup.dev, octx);
 		}
 	}
@@ -668,7 +668,7 @@ struct stmt *dup_stmt_alloc(const struct location *loc)
 
 static void fwd_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
 {
-	printf("fwd to ");
+	octx->print(octx->ctx, "fwd to ");
 	expr_print(stmt->fwd.to, octx);
 }
 
-- 
2.14.1



* [PATH nft v2 13/18] libnftables: add nft_context_set_print
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (11 preceding siblings ...)
  2017-08-19 15:24 ` [PATH nft v2 12/18] libnftables: get rid of printf Eric Leblond
@ 2017-08-19 15:24 ` Eric Leblond
  2017-08-25  9:59   ` Pablo Neira Ayuso
  2017-08-19 15:24 ` [PATH nft v2 14/18] libnftables: transaction support Eric Leblond
                   ` (6 subsequent siblings)
  19 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

This function allows the user to set their own printing function. It is
still dependent on the format used by nft, but at least it can be
redirected easily.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables/nftables.h | 3 +++
 src/libnftables.c           | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index b902cbd..935d0db 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -26,6 +26,9 @@ void nft_global_deinit(void);
 
 struct nft_ctx *nft_context_new(void);
 void nft_context_free(struct nft_ctx *nft);
+void nft_context_set_print_func(struct nft_ctx *nft,
+				int (*print)(void *ctx, const char *fmt, ...),
+				void *ctx);
 
 int nft_run_command_from_buffer(struct nft_ctx *nft,
 				char *buf, size_t buflen);
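Review bot: the callback type `int (*print)(void *ctx, const char *fmt, ...)` declared here carries no format attribute, so a user-supplied printer gets no format-string checking at the `octx->print(octx->ctx, ...)` call sites introduced in 12/18. Consider declaring it once as a typedef with `__attribute__((format(printf, 2, 3)))` and using that type both here and for the `print` member of `struct output_ctx`, so the compiler checks every call regardless of which printer is installed.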
diff --git a/src/libnftables.c b/src/libnftables.c
index 7209885..f0decae 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -86,6 +86,15 @@ struct nft_ctx *nft_context_new(void)
 	return ctx;
 }
 
+void nft_context_set_print_func(struct nft_ctx *nft,
+				int (*print)(void *ctx, const char *fmt, ...),
+				void *ctx)
+{
+	if (nft) {
+		nft->output.print = print;
+		nft->output.ctx = ctx;
+	}
+}
 
 void nft_context_free(struct nft_ctx *nft)
 {
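Review bot: `nft_context_set_print_func` stores `print` without checking it, so a caller passing NULL turns every later `octx->print(octx->ctx, ...)` call into a NULL dereference; either fall back to the default `nft_print` when `print` is NULL or reject the call. Also a style point: the new function is inserted directly after the closing brace of `nft_context_new` with no separating blank line, while the blank line that used to precede `nft_context_free` is the only one left; add a blank line between `}` and `void nft_context_set_print_func(...)`.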
-- 
2.14.1



* [PATH nft v2 14/18] libnftables: transaction support
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (12 preceding siblings ...)
  2017-08-19 15:24 ` [PATH nft v2 13/18] libnftables: add nft_context_set_print Eric Leblond
@ 2017-08-19 15:24 ` Eric Leblond
  2017-08-19 15:24 ` [PATH nft v2 15/18] libnftables: set max_errors to 1 in library Eric Leblond
                   ` (5 subsequent siblings)
  19 siblings, 0 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Add batch support for libnftables. This patch
provides a set of functions to handle batch commands.

The flow is the following:
 * nft_batch_start to allocate the batch structure
 * multiple calls to nft_batch_add
 * nft_batch_commit to commit to the kernel
 * nft_batch_free to free the batch

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/netlink.h           |   5 +++
 include/nftables/nftables.h |   7 +++
 src/libnftables.c           | 102 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 114 insertions(+)

diff --git a/include/netlink.h b/include/netlink.h
index 0e1d26b..b7f87c0 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -54,6 +54,11 @@ struct netlink_ctx {
 	struct nft_cache	*cache;
 };
 
+struct nft_batch {
+	struct netlink_ctx	nl_ctx;
+	struct nftnl_batch	*batch;
+};
+
 extern struct nftnl_table *alloc_nftnl_table(const struct handle *h);
 extern struct nftnl_chain *alloc_nftnl_chain(const struct handle *h);
 extern struct nftnl_rule *alloc_nftnl_rule(const struct handle *h);
diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index 935d0db..2ddb38a 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -34,4 +34,11 @@ int nft_run_command_from_buffer(struct nft_ctx *nft,
 				char *buf, size_t buflen);
 int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename);
 
+
+struct nft_batch *nft_batch_start(struct nft_ctx *ctx);
+int nft_batch_add(struct nft_ctx *ctx, struct nft_batch *batch,
+		  const char * buf, size_t buflen);
+int nft_batch_commit(struct nft_ctx *ctx, struct nft_batch *batch);
+void nft_batch_free(struct nft_batch *batch);
+
 #endif
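Review bot: two style points in this header hunk: the added blank line after `int nft_run_command_from_filename(...)` leaves a double blank before the new prototypes, and `const char * buf` should be `const char *buf` to match the spacing used elsewhere in this file (e.g. `char *buf, size_t buflen`). Since `nft_batch_add` only reads the buffer, it would also be consistent to make `nft_run_command_from_buffer` take `const char *buf` in the same series rather than leaving the two APIs with different constness.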
diff --git a/src/libnftables.c b/src/libnftables.c
index f0decae..61ed4e5 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -151,3 +151,105 @@ int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename)
 	erec_print_list(stderr, &msgs);
 	return rc;
 }
+
+struct nft_batch *nft_batch_start(struct nft_ctx *nft)
+{
+	uint32_t seqnum;
+	bool batch_supported = netlink_batch_supported(nft->nf_sock, &seqnum);
+	struct nft_batch *batch = NULL;
+
+	if (!batch_supported)
+		return NULL;
+
+	batch = calloc(1, sizeof(*batch));
+	if (batch == NULL)
+		return NULL;
+
+	batch->batch = mnl_batch_init();
+	mnl_batch_begin(batch->batch, mnl_seqnum_alloc(&nft->cache.seqnum));
+
+	batch->nl_ctx.msgs = &nft->output.msgs;
+	batch->nl_ctx.batch = batch->batch;
+	batch->nl_ctx.batch_supported = batch_supported;
+	batch->nl_ctx.octx = &nft->output;
+	batch->nl_ctx.nf_sock = nft->nf_sock;
+	batch->nl_ctx.cache = &nft->cache;
+	init_list_head(&batch->nl_ctx.list);
+	return batch;
+}
+
+int nft_batch_add(struct nft_ctx *nft, struct nft_batch *batch,
+		  const char * buf, size_t buflen)
+{
+	int rc = NFT_EXIT_SUCCESS;
+	int ret = 0;
+	struct parser_state state;
+	LIST_HEAD(msgs);
+	void *scanner;
+	struct cmd *cmd, *next;
+	struct netlink_ctx *ctx = &batch->nl_ctx;
+	uint32_t seqnum;
+
+	parser_init(nft->nf_sock, &nft->cache, &state, &msgs);
+	scanner = scanner_init(&state);
+	scanner_push_buffer(scanner, &indesc_cmdline, buf);
+		
+	ret = nft_parse(scanner, &state);
+	if (ret != 0 || state.nerrs > 0) {
+		rc = NFT_EXIT_FAILURE;
+		goto err1;
+	} 
+
+	list_for_each_entry(cmd, &state.cmds, list) {
+		nft_cmd_expand(cmd);
+		ctx->seqnum = cmd->seqnum = mnl_seqnum_alloc(&seqnum);
+		ret = do_command(ctx, cmd);
+		if (ret < 0)
+			return NFT_EXIT_FAILURE;
+	}
+
+	list_for_each_entry_safe(cmd, next, &state.cmds, list) {
+		list_del(&cmd->list);
+		cmd_free(cmd);
+	}
+err1:
+	scanner_destroy(scanner);
+	erec_print_list(stderr, &msgs);
+	return rc;
+}
+
+int nft_batch_commit(struct nft_ctx *nft, struct nft_batch *batch)
+{
+	int ret = 0;
+	LIST_HEAD(err_list);
+
+	mnl_batch_end(batch->batch, mnl_seqnum_alloc(&nft->cache.seqnum));
+
+	if (!mnl_batch_ready(batch->batch)) {
+		ret = -1;
+		goto out;
+	}
+
+	ret = netlink_batch_send(&batch->nl_ctx, &err_list);
+	if (ret == -1) {
+		struct mnl_err *err, *tmp;
+		list_for_each_entry_safe(err, tmp, &err_list, head) {
+			netlink_io_error(&batch->nl_ctx, NULL,
+					 "Could not process rule: %s",
+					 strerror(err->err));
+			/* multiple errno but let's return one */
+			ret = -err->err;
+			mnl_err_list_free(err);
+		}
+	}
+out:
+	return ret;
+}
+
+void nft_batch_free(struct nft_batch *batch)
+{
+	if (batch == NULL)
+		return;
+	mnl_batch_reset(batch->batch);
+	xfree(batch);
+}
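Review bot: `uint32_t seqnum;` in `nft_batch_add` is never initialised, yet `ctx->seqnum = cmd->seqnum = mnl_seqnum_alloc(&seqnum);` reads and increments it, so every command gets an indeterminate sequence number; `nft_batch_start` and `nft_batch_commit` both use `mnl_seqnum_alloc(&nft->cache.seqnum)`, and `nft_batch_add` should draw from the same counter (the local can go). Second, `if (ret < 0) return NFT_EXIT_FAILURE;` inside the `do_command` loop skips `scanner_destroy`, `erec_print_list` and the loop that frees `state.cmds`, leaking the scanner and the parsed commands; use `rc = NFT_EXIT_FAILURE; goto err1;` and move the `list_for_each_entry_safe` freeing loop below the `err1:` label so the parse-error path frees any commands parsed before the error as well. Minor: there is trailing whitespace on the blank line after `scanner_push_buffer(...)` and after the closing brace of the `if (ret != 0 || state.nerrs > 0)` block.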
-- 
2.14.1



* [PATH nft v2 15/18] libnftables: set max_errors to 1 in library
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (13 preceding siblings ...)
  2017-08-19 15:24 ` [PATH nft v2 14/18] libnftables: transaction support Eric Leblond
@ 2017-08-19 15:24 ` Eric Leblond
  2017-08-21  8:37   ` Pablo Neira Ayuso
  2017-08-19 15:24 ` [PATH nft v2 16/18] libnftables: add error handling Eric Leblond
                   ` (4 subsequent siblings)
  19 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

As memory handling is deficient if we don't do so, we can't really
use a non-1 value for the parameter in the library due to memory
leaks.

Also this is not a real issue as, programmatically, a user of the
library should only encounter one error at a time.

This patch also introduces a function that can be used to modify
the max_errors parameter. It is used in main to keep the existing
behavior.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables/nftables.h | 1 +
 src/libnftables.c           | 8 +++++++-
 src/main.c                  | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index 2ddb38a..f419884 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -22,6 +22,7 @@ enum nftables_exit_codes {
 };
 
 void nft_global_init(void);
+int nft_global_set_max_errors(unsigned int errors);
 void nft_global_deinit(void);
 
 struct nft_ctx *nft_context_new(void);
diff --git a/src/libnftables.c b/src/libnftables.c
index 61ed4e5..15345ae 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -25,7 +25,7 @@
 #include <fcntl.h>
 
 
-unsigned int max_errors = 10;
+unsigned int max_errors = 1;
 unsigned int numeric_output;
 unsigned int ip2name_output;
 unsigned int handle_output;
@@ -58,6 +58,12 @@ void nft_global_deinit(void)
 	mark_table_exit();
 }
 
+int nft_global_set_max_errors(unsigned int errors)
+{
+	max_errors = errors;
+	return NFT_EXIT_SUCCESS;
+}
+
 __attribute__((format(printf, 2, 0)))
 static int nft_print(void *ctx, const char *fmt, ...)
 {
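Review bot: `nft_global_set_max_errors` always returns `NFT_EXIT_SUCCESS`, so the `int` return tells the caller nothing; either make it `void` or use the return to reject values the parser cannot sensibly work with (0 in particular, which would remove the limit the commit message says the library depends on to avoid leaks). It also deserves a doc comment stating that it changes a process-wide global (`max_errors`) and therefore affects every `struct nft_ctx`, unlike the other setters in this API which are per context.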
diff --git a/src/main.c b/src/main.c
index 08d77d0..355f429 100644
--- a/src/main.c
+++ b/src/main.c
@@ -187,6 +187,7 @@ int main(int argc, char * const *argv)
 	struct nft_ctx *nft;
 
 	nft_global_init();
+	nft_global_set_max_errors(10);
 	nft = nft_context_new();
 	while (1) {
 		val = getopt_long(argc, argv, OPTSTRING, options, NULL);
-- 
2.14.1



* [PATH nft v2 16/18] libnftables: add error handling
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (14 preceding siblings ...)
  2017-08-19 15:24 ` [PATH nft v2 15/18] libnftables: set max_errors to 1 in library Eric Leblond
@ 2017-08-19 15:24 ` Eric Leblond
  2017-08-19 15:24 ` [PATH nft v2 17/18] libnftables: suppress unused global variables Eric Leblond
                   ` (3 subsequent siblings)
  19 siblings, 0 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

It adds an nft_get_error to be able to fetch existing errors and get
them into a buffer that can later be used by the application.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 include/nftables.h          |  1 +
 include/nftables/nftables.h |  1 +
 src/libnftables.c           | 35 +++++++++++++++++++++++++----------
 3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/include/nftables.h b/include/nftables.h
index ddff5d8..9d119b1 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -30,6 +30,7 @@ struct output_ctx {
 	unsigned int ip2name;
 	unsigned int handle;
 	unsigned int echo;
+	struct list_head msgs;
 	void *ctx;
 	int (*print)(void *ctx, const char *format, ...);
 };
diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
index f419884..c72ec6b 100644
--- a/include/nftables/nftables.h
+++ b/include/nftables/nftables.h
@@ -30,6 +30,7 @@ void nft_context_free(struct nft_ctx *nft);
 void nft_context_set_print_func(struct nft_ctx *nft,
 				int (*print)(void *ctx, const char *fmt, ...),
 				void *ctx);
+int nft_get_error(struct nft_ctx *nft, char *err_buf, size_t err_buf_len);
 
 int nft_run_command_from_buffer(struct nft_ctx *nft,
 				char *buf, size_t buflen);
diff --git a/src/libnftables.c b/src/libnftables.c
index 15345ae..b1df916 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -86,6 +86,7 @@ struct nft_ctx *nft_context_new(void)
 	ctx->nf_sock = netlink_open_sock();
 
 	init_list_head(&ctx->cache.list);
+	init_list_head(&ctx->output.msgs);
 
 	ctx->output.ctx = ctx;
 	ctx->output.print = nft_print;
@@ -108,6 +109,7 @@ void nft_context_free(struct nft_ctx *nft)
 		return;
 	netlink_close_sock(nft->nf_sock);
 	cache_release(&nft->cache);
+	erec_free_list(&nft->output.msgs);
 	xfree(nft);
 }
 
@@ -116,23 +118,38 @@ static const struct input_descriptor indesc_cmdline = {
 	.name	= "<cmdline>",
 };
 
+/**
+ * Get current errors and write them in provided buffer
+ *
+ * \return NFT_EXIT_SUCCESS if error, NFT_EXIT_FAILURE if error
+ */
+int nft_get_error(struct nft_ctx *nft, char *err_buf, size_t err_buf_len)
+{
+	FILE *errfile = fmemopen(err_buf, err_buf_len, "w");
+	*err_buf = '\0';
+	erec_print_list(errfile, &nft->output.msgs);
+	fclose(errfile);
+	if (!strlen(err_buf))
+		return NFT_EXIT_FAILURE;
+	return NFT_EXIT_SUCCESS;
+}
+
 int nft_run_command_from_buffer(struct nft_ctx *nft,
 				char *buf, size_t buflen)
 {
 	int rc = NFT_EXIT_SUCCESS;
 	struct parser_state state;
-	LIST_HEAD(msgs);
 	void *scanner;
 
-	parser_init(nft->nf_sock, &nft->cache, &state, &msgs);
+	parser_init(nft->nf_sock, &nft->cache, &state, &nft->output.msgs);
 	scanner = scanner_init(&state);
 	scanner_push_buffer(scanner, &indesc_cmdline, buf);
 		
-	if (nft_run(nft, nft->nf_sock, &nft->cache, scanner, &state, &msgs) != 0)
+	if (nft_run(nft, nft->nf_sock, &nft->cache, scanner,
+		    &state, &nft->output.msgs) != 0)
 		rc = NFT_EXIT_FAILURE;
 
 	scanner_destroy(scanner);
-	erec_print_list(stderr, &msgs);
 	return rc;
 }
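Review bot: the doc comment `\return NFT_EXIT_SUCCESS if error, NFT_EXIT_FAILURE if error` is self-contradictory; the code returns `NFT_EXIT_SUCCESS` when messages were written into `err_buf` and `NFT_EXIT_FAILURE` when the buffer stayed empty, so say that (and consider whether "no error pending" should really be reported as a failure). `fmemopen` can return NULL (for example when `err_buf_len` is 0 or on ENOMEM), in which case `erec_print_list(errfile, ...)` and `fclose(errfile)` operate on a NULL `FILE *`; check the return value before use. Please also document whether `erec_print_list` drains the list as it prints: if it does, a second `nft_get_error` call returns an empty buffer; if it does not, the same errors are re-reported on every call and nothing clears them until `nft_context_free`. Finally, dropping `erec_print_list(stderr, &msgs);` from `nft_run_command_from_buffer` changes behaviour for every existing caller that relied on errors reaching stderr, so any such caller in this tree (the nft binary included) needs to call `nft_get_error` and print the result itself.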
 
@@ -146,15 +163,15 @@ int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename)
 	rc = cache_update(nft->nf_sock, &nft->cache, CMD_INVALID, &msgs);
 	if (rc < 0)
 		return rc;
-	parser_init(nft->nf_sock, &nft->cache, &state, &msgs);
+	parser_init(nft->nf_sock, &nft->cache, &state, &nft->output.msgs);
 	scanner = scanner_init(&state);
 	if (scanner_read_file(scanner, filename, &internal_location) < 0)
 		return NFT_EXIT_FAILURE;
-	if (nft_run(nft, nft->nf_sock, &nft->cache, scanner, &state, &msgs) != 0)
+	if (nft_run(nft, nft->nf_sock, &nft->cache, scanner,
+		    &state, &nft->output.msgs) != 0)
 		rc = NFT_EXIT_FAILURE;
 
 	scanner_destroy(scanner);
-	erec_print_list(stderr, &msgs);
 	return rc;
 }
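Review bot: `cache_update(nft->nf_sock, &nft->cache, CMD_INVALID, &msgs);` at the top of `nft_run_command_from_filename` still queues into the local `LIST_HEAD(msgs)` while `parser_init` now uses `&nft->output.msgs`, so messages produced by the cache update are neither printed (the `erec_print_list(stderr, &msgs)` was removed) nor retrievable through `nft_get_error`, and the early `return rc;` / `return NFT_EXIT_FAILURE;` paths leak whatever was queued. Pass `&nft->output.msgs` to `cache_update` as well and drop the local list.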
 
@@ -190,13 +207,12 @@ int nft_batch_add(struct nft_ctx *nft, struct nft_batch *batch,
 	int rc = NFT_EXIT_SUCCESS;
 	int ret = 0;
 	struct parser_state state;
-	LIST_HEAD(msgs);
 	void *scanner;
 	struct cmd *cmd, *next;
 	struct netlink_ctx *ctx = &batch->nl_ctx;
 	uint32_t seqnum;
 
-	parser_init(nft->nf_sock, &nft->cache, &state, &msgs);
+	parser_init(nft->nf_sock, &nft->cache, &state, &nft->output.msgs);
 	scanner = scanner_init(&state);
 	scanner_push_buffer(scanner, &indesc_cmdline, buf);
 		
@@ -220,7 +236,6 @@ int nft_batch_add(struct nft_ctx *nft, struct nft_batch *batch,
 	}
 err1:
 	scanner_destroy(scanner);
-	erec_print_list(stderr, &msgs);
 	return rc;
 }
 
-- 
2.14.1



* [PATH nft v2 17/18] libnftables: suppress unused global variables
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (15 preceding siblings ...)
  2017-08-19 15:24 ` [PATH nft v2 16/18] libnftables: add error handling Eric Leblond
@ 2017-08-19 15:24 ` Eric Leblond
  2017-08-21  8:40   ` Pablo Neira Ayuso
  2017-08-19 15:24 ` [PATH nft v2 18/18] libnftables: doxygen documentation Eric Leblond
                   ` (2 subsequent siblings)
  19 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/libnftables.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index b1df916..1abe077 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -26,9 +26,6 @@
 
 
 unsigned int max_errors = 1;
-unsigned int numeric_output;
-unsigned int ip2name_output;
-unsigned int handle_output;
 #ifdef DEBUG
 unsigned int debug_level;
 #endif
-- 
2.14.1



* [PATH nft v2 18/18] libnftables: doxygen documentation
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (16 preceding siblings ...)
  2017-08-19 15:24 ` [PATH nft v2 17/18] libnftables: suppress unused global variables Eric Leblond
@ 2017-08-19 15:24 ` Eric Leblond
  2017-08-21  8:55 ` [PATCH nft v2 00/18] introducing libnftables Pablo Neira Ayuso
  2017-08-30 10:31 ` Phil Sutter
  19 siblings, 0 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-19 15:24 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, Eric Leblond

Document libnftables and provide a Doxyfile example.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 Doxyfile          | 2495 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/libnftables.c |  211 ++++-
 2 files changed, 2705 insertions(+), 1 deletion(-)
 create mode 100644 Doxyfile

diff --git a/Doxyfile b/Doxyfile
new file mode 100644
index 0000000..10e3109
--- /dev/null
+++ b/Doxyfile
@@ -0,0 +1,2495 @@
+# Doxyfile 1.8.13
+
+# This file describes the settings to be used by the documentation system
+# doxygen (www.doxygen.org) for a project.
+#
+# All text after a double hash (##) is considered a comment and is placed in
+# front of the TAG it is preceding.
+#
+# All text after a single hash (#) is considered a comment and will be ignored.
+# The format is:
+# TAG = value [value, ...]
+# For lists, items can also be appended using:
+# TAG += value [value, ...]
+# Values that contain spaces should be placed between quotes (\" \").
+
+#---------------------------------------------------------------------------
+# Project related configuration options
+#---------------------------------------------------------------------------
+
+# This tag specifies the encoding used for all characters in the config file
+# that follow. The default is UTF-8 which is also the encoding used for all text
+# before the first occurrence of this tag. Doxygen uses libiconv (or the iconv
+# built into libc) for the transcoding. See http://www.gnu.org/software/libiconv
+# for the list of possible encodings.
+# The default value is: UTF-8.
+
+DOXYFILE_ENCODING      = UTF-8
+
+# The PROJECT_NAME tag is a single word (or a sequence of words surrounded by
+# double-quotes, unless you are using Doxywizard) that should identify the
+# project for which the documentation is generated. This name is used in the
+# title of most generated pages and in a few other places.
+# The default value is: My Project.
+
+PROJECT_NAME           = "Nftables"
+
+# The PROJECT_NUMBER tag can be used to enter a project or revision number. This
+# could be handy for archiving the generated documentation or if some version
+# control system is used.
+
+PROJECT_NUMBER         = "0.9"
+
+# Using the PROJECT_BRIEF tag one can provide an optional one line description
+# for a project that appears at the top of each page and should give viewer a
+# quick idea about the purpose of the project. Keep the description short.
+
+PROJECT_BRIEF          = "Nftables like the firewall for Linux but next generation"
+
+# With the PROJECT_LOGO tag one can specify a logo or an icon that is included
+# in the documentation. The maximum height of the logo should not exceed 55
+# pixels and the maximum width should not exceed 200 pixels. Doxygen will copy
+# the logo to the output directory.
+
+PROJECT_LOGO           =
+
+# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) path
+# into which the generated documentation will be written. If a relative path is
+# entered, it will be relative to the location where doxygen was started. If
+# left blank the current directory will be used.
+
+OUTPUT_DIRECTORY       = "doc"
+
+# If the CREATE_SUBDIRS tag is set to YES then doxygen will create 4096 sub-
+# directories (in 2 levels) under the output directory of each output format and
+# will distribute the generated files over these directories. Enabling this
+# option can be useful when feeding doxygen a huge amount of source files, where
+# putting all generated files in the same directory would otherwise causes
+# performance problems for the file system.
+# The default value is: NO.
+
+CREATE_SUBDIRS         = NO
+
+# If the ALLOW_UNICODE_NAMES tag is set to YES, doxygen will allow non-ASCII
+# characters to appear in the names of generated files. If set to NO, non-ASCII
+# characters will be escaped, for example _xE3_x81_x84 will be used for Unicode
+# U+3044.
+# The default value is: NO.
+
+ALLOW_UNICODE_NAMES    = NO
+
+# The OUTPUT_LANGUAGE tag is used to specify the language in which all
+# documentation generated by doxygen is written. Doxygen will use this
+# information to generate all constant output in the proper language.
+# Possible values are: Afrikaans, Arabic, Armenian, Brazilian, Catalan, Chinese,
+# Chinese-Traditional, Croatian, Czech, Danish, Dutch, English (United States),
+# Esperanto, Farsi (Persian), Finnish, French, German, Greek, Hungarian,
+# Indonesian, Italian, Japanese, Japanese-en (Japanese with English messages),
+# Korean, Korean-en (Korean with English messages), Latvian, Lithuanian,
+# Macedonian, Norwegian, Persian (Farsi), Polish, Portuguese, Romanian, Russian,
+# Serbian, Serbian-Cyrillic, Slovak, Slovene, Spanish, Swedish, Turkish,
+# Ukrainian and Vietnamese.
+# The default value is: English.
+
+OUTPUT_LANGUAGE        = English
+
+# If the BRIEF_MEMBER_DESC tag is set to YES, doxygen will include brief member
+# descriptions after the members that are listed in the file and class
+# documentation (similar to Javadoc). Set to NO to disable this.
+# The default value is: YES.
+
+BRIEF_MEMBER_DESC      = YES
+
+# If the REPEAT_BRIEF tag is set to YES, doxygen will prepend the brief
+# description of a member or function before the detailed description
+#
+# Note: If both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the
+# brief descriptions will be completely suppressed.
+# The default value is: YES.
+
+REPEAT_BRIEF           = YES
+
+# This tag implements a quasi-intelligent brief description abbreviator that is
+# used to form the text in various listings. Each string in this list, if found
+# as the leading text of the brief description, will be stripped from the text
+# and the result, after processing the whole list, is used as the annotated
+# text. Otherwise, the brief description is used as-is. If left blank, the
+# following values are used ($name is automatically replaced with the name of
+# the entity):The $name class, The $name widget, The $name file, is, provides,
+# specifies, contains, represents, a, an and the.
+
+ABBREVIATE_BRIEF       = "The $name class" \
+                         "The $name widget" \
+                         "The $name file" \
+                         is \
+                         provides \
+                         specifies \
+                         contains \
+                         represents \
+                         a \
+                         an \
+                         the
+
+# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then
+# doxygen will generate a detailed section even if there is only a brief
+# description.
+# The default value is: NO.
+
+ALWAYS_DETAILED_SEC    = NO
+
+# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all
+# inherited members of a class in the documentation of that class as if those
+# members were ordinary class members. Constructors, destructors and assignment
+# operators of the base classes will not be shown.
+# The default value is: NO.
+
+INLINE_INHERITED_MEMB  = NO
+
+# If the FULL_PATH_NAMES tag is set to YES, doxygen will prepend the full path
+# before files name in the file list and in the header files. If set to NO the
+# shortest path that makes the file name unique will be used
+# The default value is: YES.
+
+FULL_PATH_NAMES        = YES
+
+# The STRIP_FROM_PATH tag can be used to strip a user-defined part of the path.
+# Stripping is only done if one of the specified strings matches the left-hand
+# part of the path. The tag can be used to show relative paths in the file list.
+# If left blank the directory from which doxygen is run is used as the path to
+# strip.
+#
+# Note that you can specify absolute paths here, but also relative paths, which
+# will be relative from the directory where doxygen is started.
+# This tag requires that the tag FULL_PATH_NAMES is set to YES.
+
+STRIP_FROM_PATH        =
+
+# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of the
+# path mentioned in the documentation of a class, which tells the reader which
+# header file to include in order to use a class. If left blank only the name of
+# the header file containing the class definition is used. Otherwise one should
+# specify the list of include paths that are normally passed to the compiler
+# using the -I flag.
+
+STRIP_FROM_INC_PATH    =
+
+# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter (but
+# less readable) file names. This can be useful is your file systems doesn't
+# support long names like on DOS, Mac, or CD-ROM.
+# The default value is: NO.
+
+SHORT_NAMES            = NO
+
+# If the JAVADOC_AUTOBRIEF tag is set to YES then doxygen will interpret the
+# first line (until the first dot) of a Javadoc-style comment as the brief
+# description. If set to NO, the Javadoc-style will behave just like regular Qt-
+# style comments (thus requiring an explicit @brief command for a brief
+# description.)
+# The default value is: NO.
+
+JAVADOC_AUTOBRIEF      = NO
+
+# If the QT_AUTOBRIEF tag is set to YES then doxygen will interpret the first
+# line (until the first dot) of a Qt-style comment as the brief description. If
+# set to NO, the Qt-style will behave just like regular Qt-style comments (thus
+# requiring an explicit \brief command for a brief description.)
+# The default value is: NO.
+
+QT_AUTOBRIEF           = NO
+
+# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make doxygen treat a
+# multi-line C++ special comment block (i.e. a block of //! or /// comments) as
+# a brief description. This used to be the default behavior. The new default is
+# to treat a multi-line C++ comment block as a detailed description. Set this
+# tag to YES if you prefer the old behavior instead.
+#
+# Note that setting this tag to YES also means that rational rose comments are
+# not recognized any more.
+# The default value is: NO.
+
+MULTILINE_CPP_IS_BRIEF = NO
+
+# If the INHERIT_DOCS tag is set to YES then an undocumented member inherits the
+# documentation from any documented member that it re-implements.
+# The default value is: YES.
+
+INHERIT_DOCS           = YES
+
+# If the SEPARATE_MEMBER_PAGES tag is set to YES then doxygen will produce a new
+# page for each member. If set to NO, the documentation of a member will be part
+# of the file/class/namespace that contains it.
+# The default value is: NO.
+
+SEPARATE_MEMBER_PAGES  = NO
+
+# The TAB_SIZE tag can be used to set the number of spaces in a tab. Doxygen
+# uses this value to replace tabs by spaces in code fragments.
+# Minimum value: 1, maximum value: 16, default value: 4.
+
+TAB_SIZE               = 8
+
+# This tag can be used to specify a number of aliases that act as commands in
+# the documentation. An alias has the form:
+# name=value
+# For example adding
+# "sideeffect=@par Side Effects:\n"
+# will allow you to put the command \sideeffect (or @sideeffect) in the
+# documentation, which will result in a user-defined paragraph with heading
+# "Side Effects:". You can put \n's in the value part of an alias to insert
+# newlines.
+
+ALIASES                =
+
+# This tag can be used to specify a number of word-keyword mappings (TCL only).
+# A mapping has the form "name=value". For example adding "class=itcl::class"
+# will allow you to use the command class in the itcl::class meaning.
+
+TCL_SUBST              =
+
+# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C sources
+# only. Doxygen will then generate output that is more tailored for C. For
+# instance, some of the names that are used will be different. The list of all
+# members will be omitted, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_FOR_C  = YES
+
+# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java or
+# Python sources only. Doxygen will then generate output that is more tailored
+# for that language. For instance, namespaces will be presented as packages,
+# qualified scopes will look different, etc.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_JAVA   = NO
+
+# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran
+# sources. Doxygen will then generate output that is tailored for Fortran.
+# The default value is: NO.
+
+OPTIMIZE_FOR_FORTRAN   = NO
+
+# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL
+# sources. Doxygen will then generate output that is tailored for VHDL.
+# The default value is: NO.
+
+OPTIMIZE_OUTPUT_VHDL   = NO
+
+# Doxygen selects the parser to use depending on the extension of the files it
+# parses. With this tag you can assign which parser to use for a given
+# extension. Doxygen has a built-in mapping, but you can override or extend it
+# using this tag. The format is ext=language, where ext is a file extension, and
+# language is one of the parsers supported by doxygen: IDL, Java, Javascript,
+# C#, C, C++, D, PHP, Objective-C, Python, Fortran (fixed format Fortran:
+# FortranFixed, free formatted Fortran: FortranFree, unknown formatted Fortran:
+# Fortran. In the later case the parser tries to guess whether the code is fixed
+# or free formatted code, this is the default for Fortran type files), VHDL. For
+# instance to make doxygen treat .inc files as Fortran files (default is PHP),
+# and .f files as C (default is Fortran), use: inc=Fortran f=C.
+#
+# Note: For files without extension you can use no_extension as a placeholder.
+#
+# Note that for custom extensions you also need to set FILE_PATTERNS otherwise
+# the files are not read by doxygen.
+
+EXTENSION_MAPPING      =
+
+# If the MARKDOWN_SUPPORT tag is enabled then doxygen pre-processes all comments
+# according to the Markdown format, which allows for more readable
+# documentation. See http://daringfireball.net/projects/markdown/ for details.
+# The output of markdown processing is further processed by doxygen, so you can
+# mix doxygen, HTML, and XML commands with Markdown formatting. Disable only in
+# case of backward compatibilities issues.
+# The default value is: YES.
+
+MARKDOWN_SUPPORT       = YES
+
+# When the TOC_INCLUDE_HEADINGS tag is set to a non-zero value, all headings up
+# to that level are automatically included in the table of contents, even if
+# they do not have an id attribute.
+# Note: This feature currently applies only to Markdown headings.
+# Minimum value: 0, maximum value: 99, default value: 0.
+# This tag requires that the tag MARKDOWN_SUPPORT is set to YES.
+
+TOC_INCLUDE_HEADINGS   = 0
+
+# When enabled doxygen tries to link words that correspond to documented
+# classes, or namespaces to their corresponding documentation. Such a link can
+# be prevented in individual cases by putting a % sign in front of the word or
+# globally by setting AUTOLINK_SUPPORT to NO.
+# The default value is: YES.
+
+AUTOLINK_SUPPORT       = YES
+
+# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want
+# to include (a tag file for) the STL sources as input, then you should set this
+# tag to YES in order to let doxygen match functions declarations and
+# definitions whose arguments contain STL classes (e.g. func(std::string);
+# versus func(std::string) {}). This also make the inheritance and collaboration
+# diagrams that involve STL classes more complete and accurate.
+# The default value is: NO.
+
+BUILTIN_STL_SUPPORT    = NO
+
+# If you use Microsoft's C++/CLI language, you should set this option to YES to
+# enable parsing support.
+# The default value is: NO.
+
+CPP_CLI_SUPPORT        = NO
+
+# Set the SIP_SUPPORT tag to YES if your project consists of sip (see:
+# http://www.riverbankcomputing.co.uk/software/sip/intro) sources only. Doxygen
+# will parse them like normal C++ but will assume all classes use public instead
+# of private inheritance when no explicit protection keyword is present.
+# The default value is: NO.
+
+SIP_SUPPORT            = NO
+
+# For Microsoft's IDL there are propget and propput attributes to indicate
+# getter and setter methods for a property. Setting this option to YES will make
+# doxygen to replace the get and set methods by a property in the documentation.
+# This will only work if the methods are indeed getting or setting a simple
+# type. If this is not the case, or you want to show the methods anyway, you
+# should set this option to NO.
+# The default value is: YES.
+
+IDL_PROPERTY_SUPPORT   = YES
+
+# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC
+# tag is set to YES then doxygen will reuse the documentation of the first
+# member in the group (if any) for the other members of the group. By default
+# all members of a group must be documented explicitly.
+# The default value is: NO.
+
+DISTRIBUTE_GROUP_DOC   = NO
+
+# If one adds a struct or class to a group and this option is enabled, then also
+# any nested class or struct is added to the same group. By default this option
+# is disabled and one has to add nested compounds explicitly via \ingroup.
+# The default value is: NO.
+
+GROUP_NESTED_COMPOUNDS = NO
+
+# Set the SUBGROUPING tag to YES to allow class member groups of the same type
+# (for instance a group of public functions) to be put as a subgroup of that
+# type (e.g. under the Public Functions section). Set it to NO to prevent
+# subgrouping. Alternatively, this can be done per class using the
+# \nosubgrouping command.
+# The default value is: YES.
+
+SUBGROUPING            = YES
+
+# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and unions
+# are shown inside the group in which they are included (e.g. using \ingroup)
+# instead of on a separate page (for HTML and Man pages) or section (for LaTeX
+# and RTF).
+#
+# Note that this feature does not work in combination with
+# SEPARATE_MEMBER_PAGES.
+# The default value is: NO.
+
+INLINE_GROUPED_CLASSES = NO
+
+# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and unions
+# with only public data fields or simple typedef fields will be shown inline in
+# the documentation of the scope in which they are defined (i.e. file,
+# namespace, or group documentation), provided this scope is documented. If set
+# to NO, structs, classes, and unions are shown on a separate page (for HTML and
+# Man pages) or section (for LaTeX and RTF).
+# The default value is: NO.
+
+INLINE_SIMPLE_STRUCTS  = NO
+
+# When TYPEDEF_HIDES_STRUCT tag is enabled, a typedef of a struct, union, or
+# enum is documented as struct, union, or enum with the name of the typedef. So
+# typedef struct TypeS {} TypeT, will appear in the documentation as a struct
+# with name TypeT. When disabled the typedef will appear as a member of a file,
+# namespace, or class. And the struct will be named TypeS. This can typically be
+# useful for C code in case the coding convention dictates that all compound
+# types are typedef'ed and only the typedef is referenced, never the tag name.
+# The default value is: NO.
+
+TYPEDEF_HIDES_STRUCT   = NO
+
+# The size of the symbol lookup cache can be set using LOOKUP_CACHE_SIZE. This
+# cache is used to resolve symbols given their name and scope. Since this can be
+# an expensive process and often the same symbol appears multiple times in the
+# code, doxygen keeps a cache of pre-resolved symbols. If the cache is too small
+# doxygen will become slower. If the cache is too large, memory is wasted. The
+# cache size is given by this formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range
+# is 0..9, the default is 0, corresponding to a cache size of 2^16=65536
+# symbols. At the end of a run doxygen will report the cache usage and suggest
+# the optimal cache size from a speed point of view.
+# Minimum value: 0, maximum value: 9, default value: 0.
+
+LOOKUP_CACHE_SIZE      = 0
+
+#---------------------------------------------------------------------------
+# Build related configuration options
+#---------------------------------------------------------------------------
+
+# If the EXTRACT_ALL tag is set to YES, doxygen will assume all entities in
+# documentation are documented, even if no documentation was available. Private
+# class members and static file members will be hidden unless the
+# EXTRACT_PRIVATE respectively EXTRACT_STATIC tags are set to YES.
+# Note: This will also disable the warnings about undocumented members that are
+# normally produced when WARNINGS is set to YES.
+# The default value is: NO.
+
+EXTRACT_ALL            = NO
+
+# If the EXTRACT_PRIVATE tag is set to YES, all private members of a class will
+# be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PRIVATE        = NO
+
+# If the EXTRACT_PACKAGE tag is set to YES, all members with package or internal
+# scope will be included in the documentation.
+# The default value is: NO.
+
+EXTRACT_PACKAGE        = NO
+
+# If the EXTRACT_STATIC tag is set to YES, all static members of a file will be
+# included in the documentation.
+# The default value is: NO.
+
+EXTRACT_STATIC         = NO
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES, classes (and structs) defined
+# locally in source files will be included in the documentation. If set to NO,
+# only classes defined in header files are included. Does not have any effect
+# for Java sources.
+# The default value is: YES.
+
+EXTRACT_LOCAL_CLASSES  = YES
+
+# This flag is only useful for Objective-C code. If set to YES, local methods,
+# which are defined in the implementation section but not in the interface are
+# included in the documentation. If set to NO, only methods in the interface are
+# included.
+# The default value is: NO.
+
+EXTRACT_LOCAL_METHODS  = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base name of
+# the file that contains the anonymous namespace. By default anonymous namespace
+# are hidden.
+# The default value is: NO.
+
+EXTRACT_ANON_NSPACES   = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, doxygen will hide all
+# undocumented members inside documented classes or files. If set to NO these
+# members will be included in the various overviews, but no documentation
+# section is generated. This option has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_MEMBERS     = NO
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy. If set
+# to NO, these classes will be included in the various overviews. This option
+# has no effect if EXTRACT_ALL is enabled.
+# The default value is: NO.
+
+HIDE_UNDOC_CLASSES     = NO
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, doxygen will hide all friend
+# (class|struct|union) declarations. If set to NO, these declarations will be
+# included in the documentation.
+# The default value is: NO.
+
+HIDE_FRIEND_COMPOUNDS  = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, doxygen will hide any
+# documentation blocks found inside the body of a function. If set to NO, these
+# blocks will be appended to the function's detailed documentation block.
+# The default value is: NO.
+
+HIDE_IN_BODY_DOCS      = NO
+
+# The INTERNAL_DOCS tag determines if documentation that is typed after a
+# \internal command is included. If the tag is set to NO then the documentation
+# will be excluded. Set it to YES to include the internal documentation.
+# The default value is: NO.
+
+INTERNAL_DOCS          = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then doxygen will only generate file
+# names in lower-case letters. If set to YES, upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+# The default value is: system dependent.
+
+CASE_SENSE_NAMES       = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO then doxygen will show members with
+# their full class and namespace scopes in the documentation. If set to YES, the
+# scope will be hidden.
+# The default value is: NO.
+
+HIDE_SCOPE_NAMES       = NO
+
+# If the HIDE_COMPOUND_REFERENCE tag is set to NO (default) then doxygen will
+# append additional text to a page's title, such as Class Reference. If set to
+# YES the compound reference will be hidden.
+# The default value is: NO.
+
+HIDE_COMPOUND_REFERENCE= NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES then doxygen will put a list of
+# the files that are included by a file in the documentation of that file.
+# The default value is: YES.
+
+SHOW_INCLUDE_FILES     = YES
+
+# If the SHOW_GROUPED_MEMB_INC tag is set to YES then Doxygen will add for each
+# grouped member an include statement to the documentation, telling the reader
+# which file to include in order to use the member.
+# The default value is: NO.
+
+SHOW_GROUPED_MEMB_INC  = NO
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then doxygen will list include
+# files with double quotes in the documentation rather than with sharp brackets.
+# The default value is: NO.
+
+FORCE_LOCAL_INCLUDES   = NO
+
+# If the INLINE_INFO tag is set to YES then a tag [inline] is inserted in the
+# documentation for inline members.
+# The default value is: YES.
+
+INLINE_INFO            = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES then doxygen will sort the
+# (detailed) documentation of file and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order.
+# The default value is: YES.
+
+SORT_MEMBER_DOCS       = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the brief
+# descriptions of file, namespace and class members alphabetically by member
+# name. If set to NO, the members will appear in declaration order. Note that
+# this will also influence the order of the classes in the class list.
+# The default value is: NO.
+
+SORT_BRIEF_DOCS        = NO
+
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the
+# (brief and detailed) documentation of class members so that constructors and
+# destructors are listed first. If set to NO the constructors will appear in the
+# respective orders defined by SORT_BRIEF_DOCS and SORT_MEMBER_DOCS.
+# Note: If SORT_BRIEF_DOCS is set to NO this option is ignored for sorting brief
+# member documentation.
+# Note: If SORT_MEMBER_DOCS is set to NO this option is ignored for sorting
+# detailed member documentation.
+# The default value is: NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the hierarchy
+# of group names into alphabetical order. If set to NO the group names will
+# appear in their defined order.
+# The default value is: NO.
+
+SORT_GROUP_NAMES       = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be sorted by
+# fully-qualified names, including namespaces. If set to NO, the class list will
+# be sorted only by class name, not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the alphabetical
+# list.
+# The default value is: NO.
+
+SORT_BY_SCOPE_NAME     = NO
+
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to do proper
+# type resolution of all parameters of a function it will reject a match between
+# the prototype and the implementation of a member function even if there is
+# only one candidate or it is obvious which candidate to choose by doing a
+# simple string match. By disabling STRICT_PROTO_MATCHING doxygen will still
+# accept a match between prototype and implementation in such cases.
+# The default value is: NO.
+
+STRICT_PROTO_MATCHING  = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or disable (NO) the todo
+# list. This list is created by putting \todo commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TODOLIST      = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or disable (NO) the test
+# list. This list is created by putting \test commands in the documentation.
+# The default value is: YES.
+
+GENERATE_TESTLIST      = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or disable (NO) the bug
+# list. This list is created by putting \bug commands in the documentation.
+# The default value is: YES.
+
+GENERATE_BUGLIST       = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or disable (NO)
+# the deprecated list. This list is created by putting \deprecated commands in
+# the documentation.
+# The default value is: YES.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional documentation
+# sections, marked by \if <section_label> ... \endif and \cond <section_label>
+# ... \endcond blocks.
+
+ENABLED_SECTIONS       =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines that the
+# initial value of a variable or macro / define can have for it to appear in the
+# documentation. If the initializer consists of more lines than specified here
+# it will be hidden. Use a value of 0 to hide initializers completely. The
+# appearance of the value of individual variables and macros / defines can be
+# controlled using \showinitializer or \hideinitializer command in the
+# documentation regardless of this setting.
+# Minimum value: 0, maximum value: 10000, default value: 30.
+
+MAX_INITIALIZER_LINES  = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated at
+# the bottom of the documentation of classes and structs. If set to YES, the
+# list will mention the files that were used to generate the documentation.
+# The default value is: YES.
+
+SHOW_USED_FILES        = YES
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page. This
+# will remove the Files entry from the Quick Index and from the Folder Tree View
+# (if specified).
+# The default value is: YES.
+
+SHOW_FILES             = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the Namespaces
+# page. This will remove the Namespaces entry from the Quick Index and from the
+# Folder Tree View (if specified).
+# The default value is: YES.
+
+SHOW_NAMESPACES        = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command command input-file, where command is the value of the
+# FILE_VERSION_FILTER tag, and input-file is the name of an input file provided
+# by doxygen. Whatever the program writes to standard output is used as the file
+# version. For an example see the documentation.
+
+FILE_VERSION_FILTER    =
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option. You can
+# optionally specify a file name after the option, if omitted DoxygenLayout.xml
+# will be used as the name of the layout file.
+#
+# Note that if you run doxygen from a directory containing a file called
+# DoxygenLayout.xml, doxygen will parse it automatically even if the LAYOUT_FILE
+# tag is left empty.
+
+LAYOUT_FILE            =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files containing
+# the reference definitions. This must be a list of .bib files. The .bib
+# extension is automatically appended if omitted. This requires the bibtex tool
+# to be installed. See also http://en.wikipedia.org/wiki/BibTeX for more info.
+# For LaTeX the style of the bibliography can be controlled using
+# LATEX_BIB_STYLE. To use this feature you need bibtex and perl available in the
+# search path. See also \cite for info how to create references.
+
+CITE_BIB_FILES         =
+
+#---------------------------------------------------------------------------
+# Configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated to
+# standard output by doxygen. If QUIET is set to YES this implies that the
+# messages are off.
+# The default value is: NO.
+
+QUIET                  = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated to standard error (stderr) by doxygen. If WARNINGS is set to YES
+# this implies that the warnings are on.
+#
+# Tip: Turn warnings on while writing the documentation.
+# The default value is: YES.
+
+WARNINGS               = YES
+
+# If the WARN_IF_UNDOCUMENTED tag is set to YES then doxygen will generate
+# warnings for undocumented members. If EXTRACT_ALL is set to YES then this flag
+# will automatically be disabled.
+# The default value is: YES.
+
+WARN_IF_UNDOCUMENTED   = YES
+
+# If the WARN_IF_DOC_ERROR tag is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some parameters
+# in a documented function, or documenting parameters that don't exist or using
+# markup commands wrongly.
+# The default value is: YES.
+
+WARN_IF_DOC_ERROR      = YES
+
+# This WARN_NO_PARAMDOC option can be enabled to get warnings for functions that
+# are documented, but have no documentation for their parameters or return
+# value. If set to NO, doxygen will only warn about wrong or incomplete
+# parameter documentation, but not about the absence of documentation.
+# The default value is: NO.
+
+WARN_NO_PARAMDOC       = NO
+
+# If the WARN_AS_ERROR tag is set to YES then doxygen will immediately stop when
+# a warning is encountered.
+# The default value is: NO.
+
+WARN_AS_ERROR          = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that doxygen
+# can produce. The string should contain the $file, $line, and $text tags, which
+# will be replaced by the file and line number from which the warning originated
+# and the warning text. Optionally the format may contain $version, which will
+# be replaced by the version of the file (if it could be obtained via
+# FILE_VERSION_FILTER)
+# The default value is: $file:$line: $text.
+
+WARN_FORMAT            = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning and error
+# messages should be written. If left blank the output is written to standard
+# error (stderr).
+
+WARN_LOGFILE           =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag is used to specify the files and/or directories that contain
+# documented source files. You may enter file names like myfile.cpp or
+# directories like /usr/src/myproject. Separate the files or directories with
+# spaces. See also FILE_PATTERNS and EXTENSION_MAPPING
+# Note: If this tag is empty the current directory is searched.
+
+INPUT                  = "src"
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
+# libiconv (or the iconv built into libc) for the transcoding. See the libiconv
+# documentation (see: http://www.gnu.org/software/libiconv) for the list of
+# possible encodings.
+# The default value is: UTF-8.
+
+INPUT_ENCODING         = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard patterns (like *.cpp and
+# *.h) to filter out the source-files in the directories.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# read by doxygen.
+#
+# If left blank the following patterns are tested:*.c, *.cc, *.cxx, *.cpp,
+# *.c++, *.java, *.ii, *.ixx, *.ipp, *.i++, *.inl, *.idl, *.ddl, *.odl, *.h,
+# *.hh, *.hxx, *.hpp, *.h++, *.cs, *.d, *.php, *.php4, *.php5, *.phtml, *.inc,
+# *.m, *.markdown, *.md, *.mm, *.dox, *.py, *.pyw, *.f90, *.f95, *.f03, *.f08,
+# *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf and *.qsf.
+
+FILE_PATTERNS          = *.c \
+                         *.cc \
+                         *.cxx \
+                         *.cpp \
+                         *.c++ \
+                         *.java \
+                         *.ii \
+                         *.ixx \
+                         *.ipp \
+                         *.i++ \
+                         *.inl \
+                         *.idl \
+                         *.ddl \
+                         *.odl \
+                         *.h \
+                         *.hh \
+                         *.hxx \
+                         *.hpp \
+                         *.h++ \
+                         *.cs \
+                         *.d \
+                         *.php \
+                         *.php4 \
+                         *.php5 \
+                         *.phtml \
+                         *.inc \
+                         *.m \
+                         *.markdown \
+                         *.md \
+                         *.mm \
+                         *.dox \
+                         *.py \
+                         *.pyw \
+                         *.f90 \
+                         *.f95 \
+                         *.f03 \
+                         *.f08 \
+                         *.f \
+                         *.for \
+                         *.tcl \
+                         *.vhd \
+                         *.vhdl \
+                         *.ucf \
+                         *.qsf
+
+# The RECURSIVE tag can be used to specify whether or not subdirectories should
+# be searched for input files as well.
+# The default value is: NO.
+
+RECURSIVE              = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should be
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+#
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
+
+EXCLUDE                =
+
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
+# from the input.
+# The default value is: NO.
+
+EXCLUDE_SYMLINKS       = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories.
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories for example use the pattern */test/*
+
+EXCLUDE_PATTERNS       =
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+#
+# Note that the wildcards are matched against the file with absolute path, so to
+# exclude all test directories use the pattern */test/*
+
+EXCLUDE_SYMBOLS        =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or directories
+# that contain example code fragments that are included (see the \include
+# command).
+
+EXAMPLE_PATH           =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp and
+# *.h) to filter out the source-files in the directories. If left blank all
+# files are included.
+
+EXAMPLE_PATTERNS       = *
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude commands
+# irrespective of the value of the RECURSIVE tag.
+# The default value is: NO.
+
+EXAMPLE_RECURSIVE      = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or directories
+# that contain images that are to be included in the documentation (see the
+# \image command).
+
+IMAGE_PATH             =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command:
+#
+# <filter> <input-file>
+#
+# where <filter> is the value of the INPUT_FILTER tag, and <input-file> is the
+# name of an input file. Doxygen will then use the output that the filter
+# program writes to standard output. If FILTER_PATTERNS is specified, this tag
+# will be ignored.
+#
+# Note that the filter must not add or remove lines; it is applied before the
+# code is scanned, but not when the output code is generated. If lines are added
+# or removed, the anchors will not be placed correctly.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+INPUT_FILTER           =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis. Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match. The filters are a list of the form: pattern=filter
+# (like *.cpp=my_cpp_filter). See INPUT_FILTER for further information on how
+# filters are used. If the FILTER_PATTERNS tag is empty or if none of the
+# patterns match the file name, INPUT_FILTER is applied.
+#
+# Note that for custom extensions or not directly supported extensions you also
+# need to set EXTENSION_MAPPING for the extension otherwise the files are not
+# properly processed by doxygen.
+
+FILTER_PATTERNS        =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will also be used to filter the input files that are used for
+# producing the source files to browse (i.e. when SOURCE_BROWSER is set to YES).
+# The default value is: NO.
+
+FILTER_SOURCE_FILES    = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any) and
+# it is also possible to disable source filtering for a specific pattern using
+# *.ext= (so without naming a filter).
+# This tag requires that the tag FILTER_SOURCE_
+# FILES is set to YES.
+
+FILTER_SOURCE_PATTERNS =
+
+# If the USE_MDFILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page
+# (index.html). This can be useful if you have a project on for instance GitHub
+# and want to reuse the introduction page also for the doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
+#---------------------------------------------------------------------------
+# Configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will be
+# generated. Documented entities will be cross-referenced with these sources.
+#
+# Note: To get rid of all source code in the generated output, make sure that
+# also VERBATIM_HEADERS is set to NO.
+# The default value is: NO.
+
+SOURCE_BROWSER         = YES
+
+# Setting the INLINE_SOURCES tag to YES will include the body of functions,
+# classes and enums directly into the documentation.
+# The default value is: NO.
+
+INLINE_SOURCES         = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES will instruct doxygen to hide any
+# special comment blocks from generated source code fragments. Normal C, C++ and
+# Fortran comments will always remain visible.
+# The default value is: YES.
+
+STRIP_CODE_COMMENTS    = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES then for each documented
+# function all documented functions referencing it will be listed.
+# The default value is: NO.
+
+REFERENCED_BY_RELATION = NO
+
+# If the REFERENCES_RELATION tag is set to YES then for each documented function
+# all documented entities called/used by that function will be listed.
+# The default value is: NO.
+
+REFERENCES_RELATION    = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES and SOURCE_BROWSER tag is set
+# to YES then the hyperlinks from functions in REFERENCES_RELATION and
+# REFERENCED_BY_RELATION lists will link to the source code. Otherwise they will
+# link to the documentation.
+# The default value is: YES.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If SOURCE_TOOLTIPS is enabled (the default) then hovering a hyperlink in the
+# source code will show a tooltip with additional information such as prototype,
+# brief description and links to the definition and documentation. Since this
+# will make the HTML file larger and loading of large files a bit slower, you
+# can opt to disable this feature.
+# The default value is: YES.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+SOURCE_TOOLTIPS        = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code will
+# point to the HTML generated by the htags(1) tool instead of doxygen built-in
+# source browser. The htags tool is part of GNU's global source tagging system
+# (see http://www.gnu.org/software/global/global.html). You will need version
+# 4.8.6 or higher.
+#
+# To use it do the following:
+# - Install the latest version of global
+# - Enable SOURCE_BROWSER and USE_HTAGS in the config file
+# - Make sure the INPUT points to the root of the source tree
+# - Run doxygen as normal
+#
+# Doxygen will invoke htags (and that will in turn invoke gtags), so these
+# tools must be available from the command line (i.e. in the search path).
+#
+# The result: instead of the source browser generated by doxygen, the links to
+# source code will now point to the output of htags.
+# The default value is: NO.
+# This tag requires that the tag SOURCE_BROWSER is set to YES.
+
+USE_HTAGS              = NO
+
+# If the VERBATIM_HEADERS tag is set the YES then doxygen will generate a
+# verbatim copy of the header file for each class for which an include is
+# specified. Set to NO to disable this.
+# See also: Section \class.
+# The default value is: YES.
+
+VERBATIM_HEADERS       = YES
+
+# If the CLANG_ASSISTED_PARSING tag is set to YES then doxygen will use the
+# clang parser (see: http://clang.llvm.org/) for more accurate parsing at the
+# cost of reduced performance. This can be particularly helpful with template
+# rich C++ code for which doxygen's built-in parser lacks the necessary type
+# information.
+# Note: The availability of this option depends on whether or not doxygen was
+# generated with the -Duse-libclang=ON option for CMake.
+# The default value is: NO.
+
+CLANG_ASSISTED_PARSING = NO
+
+# If clang assisted parsing is enabled you can provide the compiler with command
+# line options that you would normally use when invoking the compiler. Note that
+# the include paths will already be set by doxygen for the files and directories
+# specified with INPUT and INCLUDE_PATH.
+# This tag requires that the tag CLANG_ASSISTED_PARSING is set to YES.
+
+CLANG_OPTIONS          =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index of all
+# compounds will be generated. Enable this if the project contains a lot of
+# classes, structs, unions or interfaces.
+# The default value is: YES.
+
+ALPHABETICAL_INDEX     = YES
+
+# The COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns in
+# which the alphabetical index list will be split.
+# Minimum value: 1, maximum value: 20, default value: 5.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+COLS_IN_ALPHA_INDEX    = 5
+
+# In case all classes in a project start with a common prefix, all classes will
+# be put under the same header in the alphabetical index. The IGNORE_PREFIX tag
+# can be used to specify a prefix (or a list of prefixes) that should be ignored
+# while generating the index headers.
+# This tag requires that the tag ALPHABETICAL_INDEX is set to YES.
+
+IGNORE_PREFIX          =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES, doxygen will generate HTML output
+# The default value is: YES.
+
+GENERATE_HTML          = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_OUTPUT            = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
+# generated HTML page (for example: .htm, .php, .asp).
+# The default value is: .html.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FILE_EXTENSION    = .html
+
+# The HTML_HEADER tag can be used to specify a user-defined HTML header file for
+# each generated HTML page. If the tag is left blank doxygen will generate a
+# standard header.
+#
+# To get valid HTML the header file that includes any scripts and style sheets
+# that doxygen needs, which is dependent on the configuration options used (e.g.
+# the setting GENERATE_TREEVIEW). It is highly recommended to start with a
+# default header using
+# doxygen -w html new_header.html new_footer.html new_stylesheet.css
+# YourConfigFile
+# and then modify the file new_header.html. See also section "Doxygen usage"
+# for information on how to generate the default header that doxygen normally
+# uses.
+# Note: The header is subject to change so you typically have to regenerate the
+# default header when upgrading to a newer version of doxygen. For a description
+# of the possible markers and block names see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_HEADER            =
+
+# The HTML_FOOTER tag can be used to specify a user-defined HTML footer for each
+# generated HTML page. If the tag is left blank doxygen will generate a standard
+# footer. See HTML_HEADER for more information on how to generate a default
+# footer and what special commands can be used inside the footer. See also
+# section "Doxygen usage" for information on how to generate the default footer
+# that doxygen normally uses.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_FOOTER            =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading style
+# sheet that is used by each HTML page. It can be used to fine-tune the look of
+# the HTML output. If left blank doxygen will generate a default style sheet.
+# See also section "Doxygen usage" for information on how to generate the style
+# sheet that doxygen normally uses.
+# Note: It is recommended to use HTML_EXTRA_STYLESHEET instead of this tag, as
+# it is more robust and this tag (HTML_STYLESHEET) will in the future become
+# obsolete.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_STYLESHEET        =
+
+# The HTML_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# cascading style sheets that are included after the standard style sheets
+# created by doxygen. Using this option one can overrule certain style aspects.
+# This is preferred over using HTML_STYLESHEET since it does not replace the
+# standard style sheet and is therefore more robust against future updates.
+# Doxygen will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list). For an example see the documentation.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_STYLESHEET  =
+
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath^ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that the
+# files will be copied as-is; there are no commands or markers available.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_EXTRA_FILES       =
+
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. Doxygen
+# will adjust the colors in the style sheet and background images according to
+# this color. Hue is specified as an angle on a colorwheel, see
+# http://en.wikipedia.org/wiki/Hue for more information. For instance the value
+# 0 represents red, 60 is yellow, 120 is green, 180 is cyan, 240 is blue, 300
+# purple, and 360 is red again.
+# Minimum value: 0, maximum value: 359, default value: 220.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_HUE    = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of the colors
+# in the HTML output. For a value of 0 the output will use grayscales only. A
+# value of 255 will produce the most vivid colors.
+# Minimum value: 0, maximum value: 255, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_SAT    = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to the
+# luminance component of the colors in the HTML output. Values below 100
+# gradually make the output lighter, whereas values above 100 make the output
+# darker. The value divided by 100 is the actual gamma applied, so 80 represents
+# a gamma of 0.8, The value 220 represents a gamma of 2.2, and 100 does not
+# change the gamma.
+# Minimum value: 40, maximum value: 240, default value: 80.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_COLORSTYLE_GAMMA  = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting this
+# to YES can help to show when doxygen was last run and thus if the
+# documentation is up to date.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_TIMESTAMP         = NO
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_DYNAMIC_SECTIONS  = NO
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of entries
+# shown in the various tree structured indices initially; the user can expand
+# and collapse entries dynamically later on. Doxygen will expand the tree to
+# such a level that at most the specified number of entries are visible (unless
+# a fully collapsed tree already exceeds this amount). So setting the number of
+# entries 1 will produce a full collapsed tree by default. 0 is a special value
+# representing an infinite number of entries and will result in a full expanded
+# tree by default.
+# Minimum value: 0, maximum value: 9999, default value: 100.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+HTML_INDEX_NUM_ENTRIES = 100
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files will be
+# generated that can be used as input for Apple's Xcode 3 integrated development
+# environment (see: http://developer.apple.com/tools/xcode/), introduced with
+# OSX 10.5 (Leopard). To create a documentation set, doxygen will generate a
+# Makefile in the HTML output directory. Running make will produce the docset in
+# that directory and running make install will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find it at
+# startup. See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_DOCSET        = NO
+
+# This tag determines the name of the docset feed. A documentation feed provides
+# an umbrella under which multiple documentation sets from a single provider
+# (such as a company or product suite) can be grouped.
+# The default value is: Doxygen generated docs.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_FEEDNAME        = "Doxygen generated docs"
+
+# This tag specifies a string that should uniquely identify the documentation
+# set bundle. This should be a reverse domain-name style string, e.g.
+# com.mycompany.MyDocSet. Doxygen will append .docset to the name.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_BUNDLE_ID       = org.doxygen.Project
+
+# The DOCSET_PUBLISHER_ID tag specifies a string that should uniquely identify
+# the documentation publisher. This should be a reverse domain-name style
+# string, e.g. com.mycompany.MyDocSet.documentation.
+# The default value is: org.doxygen.Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_ID    = org.doxygen.Publisher
+
+# The DOCSET_PUBLISHER_NAME tag identifies the documentation publisher.
+# The default value is: Publisher.
+# This tag requires that the tag GENERATE_DOCSET is set to YES.
+
+DOCSET_PUBLISHER_NAME  = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES then doxygen generates three
+# additional HTML index files: index.hhp, index.hhc, and index.hhk. The
+# index.hhp is a project file that can be read by Microsoft's HTML Help Workshop
+# (see: http://www.microsoft.com/en-us/download/details.aspx?id=21138) on
+# Windows.
+#
+# The HTML Help Workshop contains a compiler that can convert all HTML output
+# generated by doxygen into a single compiled HTML file (.chm). Compiled HTML
+# files are now used as the Windows 98 help format, and will replace the old
+# Windows help format (.hlp) on all Windows platforms in the future. Compressed
+# HTML files also contain an index, a table of contents, and you can search for
+# words in the documentation. The HTML workshop also contains a viewer for
+# compressed HTML files.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_HTMLHELP      = NO
+
+# The CHM_FILE tag can be used to specify the file name of the resulting .chm
+# file. You can add a path in front of the file if the result should not be
+# written to the html output directory.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_FILE               =
+
+# The HHC_LOCATION tag can be used to specify the location (absolute path
+# including file name) of the HTML help compiler (hhc.exe). If non-empty,
+# doxygen will try to run the HTML help compiler on the generated index.hhp.
+# The file has to be specified with full path.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+HHC_LOCATION           =
+
+# The GENERATE_CHI flag controls if a separate .chi index file is generated
+# (YES) or that it should be included in the master .chm file (NO).
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+GENERATE_CHI           = NO
+
+# The CHM_INDEX_ENCODING is used to encode HtmlHelp index (hhk), content (hhc)
+# and project file content.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+CHM_INDEX_ENCODING     =
+
+# The BINARY_TOC flag controls whether a binary table of contents is generated
+# (YES) or a normal table of contents (NO) in the .chm file. Furthermore it
+# enables the Previous and Next buttons.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+BINARY_TOC             = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members to
+# the table of contents of the HTML help documentation and to the tree view.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTMLHELP is set to YES.
+
+TOC_EXPAND             = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated that
+# can be used as input for Qt's qhelpgenerator to generate a Qt Compressed Help
+# (.qch) of the generated HTML documentation.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_QHP           = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can be used to specify
+# the file name of the resulting .qch file. The path specified is relative to
+# the HTML output folder.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QCH_FILE               =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating Qt Help
+# Project output. For more information please see Qt Help Project / Namespace
+# (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#namespace).
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_NAMESPACE          = org.doxygen.Project
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating Qt
+# Help Project output. For more information please see Qt Help Project / Virtual
+# Folders (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#virtual-
+# folders).
+# The default value is: doc.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_VIRTUAL_FOLDER     = doc
+
+# If the QHP_CUST_FILTER_NAME tag is set, it specifies the name of a custom
+# filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_NAME   =
+
+# The QHP_CUST_FILTER_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see Qt Help Project / Custom
+# Filters (see: http://qt-project.org/doc/qt-4.8/qthelpproject.html#custom-
+# filters).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_CUST_FILTER_ATTRS  =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's filter section matches. Qt Help Project / Filter Attributes (see:
+# http://qt-project.org/doc/qt-4.8/qthelpproject.html#filter-attributes).
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHP_SECT_FILTER_ATTRS  =
+
+# The QHG_LOCATION tag can be used to specify the location of Qt's
+# qhelpgenerator. If non-empty doxygen will try to run qhelpgenerator on the
+# generated .qhp file.
+# This tag requires that the tag GENERATE_QHP is set to YES.
+
+QHG_LOCATION           =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files will be
+# generated, together with the HTML files, they form an Eclipse help plugin. To
+# install this plugin and make it available under the help contents menu in
+# Eclipse, the contents of the directory containing the HTML and XML files needs
+# to be copied into the plugins directory of eclipse. The name of the directory
+# within the plugins directory should be the same as the ECLIPSE_DOC_ID value.
+# After copying Eclipse needs to be restarted before the help appears.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_ECLIPSEHELP   = NO
+
+# A unique identifier for the Eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have this
+# name. Each documentation set should have its own identifier.
+# The default value is: org.doxygen.Project.
+# This tag requires that the tag GENERATE_ECLIPSEHELP is set to YES.
+
+ECLIPSE_DOC_ID         = org.doxygen.Project
+
+# If you want full control over the layout of the generated HTML pages it might
+# be necessary to disable the index and replace it with your own. The
+# DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) at top
+# of each HTML page. A value of NO enables the index and the value YES disables
+# it. Since the tabs in the index contain the same information as the navigation
+# tree, you can set this option to YES if you also set GENERATE_TREEVIEW to YES.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+DISABLE_INDEX          = NO
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information. If the tag
+# value is set to YES, a side panel will be generated containing a tree-like
+# index structure (just like the one that is generated for HTML Help). For this
+# to work a browser that supports JavaScript, DHTML, CSS and frames is required
+# (i.e. any modern browser). Windows users are probably better off using the
+# HTML help feature. Via custom style sheets (see HTML_EXTRA_STYLESHEET) one can
+# further fine-tune the look of the index. As an example, the default style
+# sheet generated by doxygen has an example that shows how to put an image at
+# the root of the tree instead of the PROJECT_NAME. Since the tree basically has
+# the same information as the tab index, you could consider setting
+# DISABLE_INDEX to YES when enabling this option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+GENERATE_TREEVIEW      = NO
+
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values that
+# doxygen will group on one line in the generated HTML documentation.
+#
+# Note that a value of 0 will completely suppress the enum values from appearing
+# in the overview section.
+# Minimum value: 0, maximum value: 20, default value: 4.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+ENUM_VALUES_PER_LINE   = 4
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be used
+# to set the initial width (in pixels) of the frame in which the tree is shown.
+# Minimum value: 0, maximum value: 1500, default value: 250.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+TREEVIEW_WIDTH         = 250
+
+# If the EXT_LINKS_IN_WINDOW option is set to YES, doxygen will open links to
+# external symbols imported via tag files in a separate window.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+EXT_LINKS_IN_WINDOW    = NO
+
+# Use this tag to change the font size of LaTeX formulas included as images in
+# the HTML documentation. When you change the font size after a successful
+# doxygen run you need to manually remove any form_*.png images from the HTML
+# output directory to force them to be regenerated.
+# Minimum value: 8, maximum value: 50, default value: 10.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_FONTSIZE       = 10
+
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are not
+# supported properly for IE 6.0, but are supported on all modern browsers.
+#
+# Note that when changing this option you need to delete any form_*.png files in
+# the HTML output directory before the changes have effect.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+FORMULA_TRANSPARENT    = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax (see
+# http://www.mathjax.org) which uses client side Javascript for the rendering
+# instead of using pre-rendered bitmaps. Use this if you do not have LaTeX
+# installed or if you want to formulas look prettier in the HTML output. When
+# enabled you may also need to install MathJax separately and configure the path
+# to it using the MATHJAX_RELPATH option.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+USE_MATHJAX            = NO
+
+# When MathJax is enabled you can set the default output format to be used for
+# the MathJax output. See the MathJax site (see:
+# http://docs.mathjax.org/en/latest/output.html) for more details.
+# Possible values are: HTML-CSS (which is slower, but has the best
+# compatibility), NativeMML (i.e. MathML) and SVG.
+# The default value is: HTML-CSS.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_FORMAT         = HTML-CSS
+
+# When MathJax is enabled you need to specify the location relative to the HTML
+# output directory using the MATHJAX_RELPATH option. The destination directory
+# should contain the MathJax.js script. For instance, if the mathjax directory
+# is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to the MathJax
+# Content Delivery Network so you can quickly see the result without installing
+# MathJax. However, it is strongly recommended to install a local copy of
+# MathJax from http://www.mathjax.org before deployment.
+# The default value is: http://cdn.mathjax.org/mathjax/latest.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_RELPATH        = http://cdn.mathjax.org/mathjax/latest
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or more MathJax
+# extension names that should be enabled during MathJax rendering. For example
+# MATHJAX_EXTENSIONS = TeX/AMSmath TeX/AMSsymbols
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_EXTENSIONS     =
+
+# The MATHJAX_CODEFILE tag can be used to specify a file with javascript pieces
+# of code that will be used on startup of the MathJax code. See the MathJax site
+# (see: http://docs.mathjax.org/en/latest/output.html) for more details. For an
+# example see the documentation.
+# This tag requires that the tag USE_MATHJAX is set to YES.
+
+MATHJAX_CODEFILE       =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box for
+# the HTML output. The underlying search engine uses javascript and DHTML and
+# should work on any modern browser. Note that when using HTML help
+# (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets (GENERATE_DOCSET)
+# there is already a search function so this one should typically be disabled.
+# For large projects the javascript based search engine can be slow, then
+# enabling SERVER_BASED_SEARCH may provide a better solution. It is possible to
+# search using the keyboard; to jump to the search box use <access key> + S
+# (what the <access key> is depends on the OS and browser, but it is typically
+# <CTRL>, <ALT>/<option>, or both). Inside the search box use the <cursor down
+# key> to jump into the search results window, the results can be navigated
+# using the <cursor keys>. Press <Enter> to select an item or <escape> to cancel
+# the search. The filter options can be selected when the cursor is inside the
+# search box by pressing <Shift>+<cursor down>. Also here use the <cursor keys>
+# to select a filter and <Enter> or <escape> to activate or cancel the filter
+# option.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_HTML is set to YES.
+
+SEARCHENGINE           = YES
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a web server instead of a web client using Javascript. There
+# are two flavors of web server based searching depending on the EXTERNAL_SEARCH
+# setting. When disabled, doxygen will generate a PHP script for searching and
+# an index file used by the script. When EXTERNAL_SEARCH is enabled the indexing
+# and searching needs to be provided by external tools. See the section
+# "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SERVER_BASED_SEARCH    = NO
+
+# When EXTERNAL_SEARCH tag is enabled doxygen will no longer generate the PHP
+# script for searching. Instead the search results are written to an XML file
+# which needs to be processed by an external indexer. Doxygen will invoke an
+# external search engine pointed to by the SEARCHENGINE_URL option to obtain the
+# search results.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/).
+#
+# See the section "External Indexing and Searching" for details.
+# The default value is: NO.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH        = NO
+
+# The SEARCHENGINE_URL should point to a search engine hosted by a web server
+# which will return the search results when EXTERNAL_SEARCH is enabled.
+#
+# Doxygen ships with an example indexer (doxyindexer) and search engine
+# (doxysearch.cgi) which are based on the open source search engine library
+# Xapian (see: http://xapian.org/). See the section "External Indexing and
+# Searching" for details.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHENGINE_URL       =
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
+# search data is written to a file for indexing by an external tool. With the
+# SEARCHDATA_FILE tag the name of this file can be specified.
+# The default file is: searchdata.xml.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+SEARCHDATA_FILE        = searchdata.xml
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the
+# EXTERNAL_SEARCH_ID tag can be used as an identifier for the project. This is
+# useful in combination with EXTRA_SEARCH_MAPPINGS to search through multiple
+# projects and redirect the results back to the right project.
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTERNAL_SEARCH_ID     =
+
+# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through doxygen
+# projects other than the one defined by this configuration file, but that are
+# all added to the same external search index. Each project needs to have a
+# unique id set via EXTERNAL_SEARCH_ID. The search mapping then maps the id of
+# to a relative location where the documentation can be found. The format is:
+# EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
+# This tag requires that the tag SEARCHENGINE is set to YES.
+
+EXTRA_SEARCH_MAPPINGS  =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES, doxygen will generate LaTeX output.
+# The default value is: YES.
+
+GENERATE_LATEX         = YES
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_OUTPUT           = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked.
+#
+# Note that when enabling USE_PDFLATEX this option is only used for generating
+# bitmaps for formulas in the HTML output, but not in the Makefile that is
+# written to the output directory.
+# The default file is: latex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_CMD_NAME         = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to generate
+# index for LaTeX.
+# The default file is: makeindex.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+MAKEINDEX_CMD_NAME     = makeindex
+
+# If the COMPACT_LATEX tag is set to YES, doxygen generates more compact LaTeX
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+COMPACT_LATEX          = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used by the
+# printer.
+# Possible values are: a4 (210 x 297 mm), letter (8.5 x 11 inches), legal (8.5 x
+# 14 inches) and executive (7.25 x 10.5 inches).
+# The default value is: a4.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PAPER_TYPE             = a4
+
+# The EXTRA_PACKAGES tag can be used to specify one or more LaTeX package names
+# that should be included in the LaTeX output. The package can be specified just
+# by its name or with the correct syntax as to be used with the LaTeX
+# \usepackage command. To get the times font for instance you can specify :
+# EXTRA_PACKAGES=times or EXTRA_PACKAGES={times}
+# To use the option intlimits with the amsmath package you can specify:
+# EXTRA_PACKAGES=[intlimits]{amsmath}
+# If left blank no extra packages will be included.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+EXTRA_PACKAGES         =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for the
+# generated LaTeX document. The header should contain everything until the first
+# chapter. If it is left blank doxygen will generate a standard header. See
+# section "Doxygen usage" for information on how to let doxygen write the
+# default header to a separate file.
+#
+# Note: Only use a user-defined header if you know what you are doing! The
+# following commands have a special meaning inside the header: $title,
+# $datetime, $date, $doxygenversion, $projectname, $projectnumber,
+# $projectbrief, $projectlogo. Doxygen will replace $title with the empty
+# string, for the replacement values of the other commands the user is referred
+# to HTML_HEADER.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HEADER           =
+
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for the
+# generated LaTeX document. The footer should contain everything after the last
+# chapter. If it is left blank doxygen will generate a standard footer. See
+# LATEX_HEADER for more information on how to generate a default footer and what
+# special commands can be used inside the footer.
+#
+# Note: Only use a user-defined footer if you know what you are doing!
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_FOOTER           =
+
+# The LATEX_EXTRA_STYLESHEET tag can be used to specify additional user-defined
+# LaTeX style sheets that are included after the standard style sheets created
+# by doxygen. Using this option one can overrule certain style aspects. Doxygen
+# will copy the style sheet files to the output directory.
+# Note: The order of the extra style sheet files is of importance (e.g. the last
+# style sheet in the list overrules the setting of the previous ones in the
+# list).
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_STYLESHEET =
+
+# The LATEX_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the LATEX_OUTPUT output
+# directory. Note that the files will be copied as-is; there are no commands or
+# markers available.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_EXTRA_FILES      =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated is
+# prepared for conversion to PDF (using ps2pdf or pdflatex). The PDF file will
+# contain links (just like the HTML output) instead of page references. This
+# makes the output suitable for online browsing using a PDF viewer.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+PDF_HYPERLINKS         = YES
+
+# If the USE_PDFLATEX tag is set to YES, doxygen will use pdflatex to generate
+# the PDF file directly from the LaTeX files. Set this option to YES, to get a
+# higher quality PDF documentation.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+USE_PDFLATEX           = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \batchmode
+# command to the generated LaTeX files. This will instruct LaTeX to keep running
+# if errors occur, instead of asking the user for help. This option is also used
+# when generating formulas in HTML.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BATCHMODE        = NO
+
+# If the LATEX_HIDE_INDICES tag is set to YES then doxygen will not include the
+# index chapters (such as File Index, Compound Index, etc.) in the output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_HIDE_INDICES     = NO
+
+# If the LATEX_SOURCE_CODE tag is set to YES then doxygen will include source
+# code with syntax highlighting in the LaTeX output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_SOURCE_CODE      = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. See
+# http://en.wikipedia.org/wiki/BibTeX and \cite for more info.
+# The default value is: plain.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_BIB_STYLE        = plain
+
+# If the LATEX_TIMESTAMP tag is set to YES then the footer of each generated
+# page will contain the date and time when the page was generated. Setting this
+# to NO can help when comparing the output of multiple runs.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_LATEX is set to YES.
+
+LATEX_TIMESTAMP        = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES, doxygen will generate RTF output. The
+# RTF output is optimized for Word 97 and may not look too pretty with other RTF
+# readers/editors.
+# The default value is: NO.
+
+GENERATE_RTF           = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: rtf.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_OUTPUT             = rtf
+
+# If the COMPACT_RTF tag is set to YES, doxygen generates more compact RTF
+# documents. This may be useful for small projects and may help to save some
+# trees in general.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+COMPACT_RTF            = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated will
+# contain hyperlink fields. The RTF file will contain links (just like the HTML
+# output) instead of page references. This makes the output suitable for online
+# browsing using Word or some other Word compatible readers that support those
+# fields.
+#
+# Note: WordPad (write) and others do not support links.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_HYPERLINKS         = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's config
+# file, i.e. a series of assignments. You only have to provide replacements,
+# missing definitions are set to their default value.
+#
+# See also section "Doxygen usage" for information on how to generate the
+# default style sheet that doxygen normally uses.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_STYLESHEET_FILE    =
+
+# Set optional variables used in the generation of an RTF document. Syntax is
+# similar to doxygen's config file. A template extensions file can be generated
+# using doxygen -e rtf extensionFile.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_EXTENSIONS_FILE    =
+
+# If the RTF_SOURCE_CODE tag is set to YES then doxygen will include source code
+# with syntax highlighting in the RTF output.
+#
+# Note that which sources are shown also depends on other settings such as
+# SOURCE_BROWSER.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_RTF is set to YES.
+
+RTF_SOURCE_CODE        = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES, doxygen will generate man pages for
+# classes and files.
+# The default value is: NO.
+
+GENERATE_MAN           = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it. A directory man3 will be created inside the directory specified by
+# MAN_OUTPUT.
+# The default directory is: man.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_OUTPUT             = man
+
+# The MAN_EXTENSION tag determines the extension that is added to the generated
+# man pages. In case the manual section does not start with a number, the number
+# 3 is prepended. The dot (.) at the beginning of the MAN_EXTENSION tag is
+# optional.
+# The default value is: .3.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_EXTENSION          = .3
+
+# The MAN_SUBDIR tag determines the name of the directory created within
+# MAN_OUTPUT in which the man pages are placed. If defaults to man followed by
+# MAN_EXTENSION with the initial . removed.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_SUBDIR             =
+
+# If the MAN_LINKS tag is set to YES and doxygen generates man output, then it
+# will generate one additional man file for each entity documented in the real
+# man page(s). These additional files only source the real man page, but without
+# them the man command would be unable to find the correct page.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_MAN is set to YES.
+
+MAN_LINKS              = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES, doxygen will generate an XML file that
+# captures the structure of the code including all documentation.
+# The default value is: NO.
+
+GENERATE_XML           = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put. If a
+# relative path is entered the value of OUTPUT_DIRECTORY will be put in front of
+# it.
+# The default directory is: xml.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_OUTPUT             = xml
+
+# If the XML_PROGRAMLISTING tag is set to YES, doxygen will dump the program
+# listings (including syntax highlighting and cross-referencing information) to
+# the XML output. Note that enabling this will significantly increase the size
+# of the XML output.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_XML is set to YES.
+
+XML_PROGRAMLISTING     = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to the DOCBOOK output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_DOCBOOK tag is set to YES, doxygen will generate Docbook files
+# that can be used to generate PDF.
+# The default value is: NO.
+
+GENERATE_DOCBOOK       = NO
+
+# The DOCBOOK_OUTPUT tag is used to specify where the Docbook pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be put in
+# front of it.
+# The default directory is: docbook.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_OUTPUT         = docbook
+
+# If the DOCBOOK_PROGRAMLISTING tag is set to YES, doxygen will include the
+# program listings (including syntax highlighting and cross-referencing
+# information) to the DOCBOOK output. Note that enabling this will significantly
+# increase the size of the DOCBOOK output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_DOCBOOK is set to YES.
+
+DOCBOOK_PROGRAMLISTING = NO
+
+#---------------------------------------------------------------------------
+# Configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES, doxygen will generate an
+# AutoGen Definitions (see http://autogen.sf.net) file that captures the
+# structure of the code including all documentation. Note that this feature is
+# still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_AUTOGEN_DEF   = NO
+
+#---------------------------------------------------------------------------
+# Configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES, doxygen will generate a Perl module
+# file that captures the structure of the code including all documentation.
+#
+# Note that this feature is still experimental and incomplete at the moment.
+# The default value is: NO.
+
+GENERATE_PERLMOD       = NO
+
+# If the PERLMOD_LATEX tag is set to YES, doxygen will generate the necessary
+# Makefile rules, Perl scripts and LaTeX code to be able to generate PDF and DVI
+# output from the Perl module output.
+# The default value is: NO.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_LATEX          = NO
+
+# If the PERLMOD_PRETTY tag is set to YES, the Perl module output will be nicely
+# formatted so it can be parsed by a human reader. This is useful if you want to
+# understand what is going on. On the other hand, if this tag is set to NO, the
+# size of the Perl module output will be much smaller and Perl will parse it
+# just the same.
+# The default value is: YES.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_PRETTY         = YES
+
+# The names of the make variables in the generated doxyrules.make file are
+# prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. This is useful
+# so different doxyrules.make files included by the same Makefile don't
+# overwrite each other's variables.
+# This tag requires that the tag GENERATE_PERLMOD is set to YES.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES, doxygen will evaluate all
+# C-preprocessor directives found in the sources and include files.
+# The default value is: YES.
+
+ENABLE_PREPROCESSING   = YES
+
+# If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
+# in the source code. If set to NO, only conditional compilation will be
+# performed. Macro expansion can be done in a controlled way by setting
+# EXPAND_ONLY_PREDEF to YES.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+MACRO_EXPANSION        = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES then
+# the macro expansion is limited to the macros specified with the PREDEFINED and
+# EXPAND_AS_DEFINED tags.
+# The default value is: NO.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_ONLY_PREDEF     = NO
+
+# If the SEARCH_INCLUDES tag is set to YES, the include files in the
+# INCLUDE_PATH will be searched if a #include is found.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SEARCH_INCLUDES        = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by the
+# preprocessor.
+# This tag requires that the tag SEARCH_INCLUDES is set to YES.
+
+INCLUDE_PATH           =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will be
+# used.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+INCLUDE_FILE_PATTERNS  =
+
+# The PREDEFINED tag can be used to specify one or more macro names that are
+# defined before the preprocessor is started (similar to the -D option of e.g.
+# gcc). The argument of the tag is a list of macros of the form: name or
+# name=definition (no spaces). If the definition and the "=" are omitted, "=1"
+# is assumed. To prevent a macro definition from being undefined via #undef or
+# recursively expanded use the := operator instead of the = operator.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+PREDEFINED             =
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then this
+# tag can be used to specify a list of macro names that should be expanded. The
+# macro definition that is found in the sources will be used. Use the PREDEFINED
+# tag if you want to use a different macro definition that overrules the
+# definition found in the source code.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+EXPAND_AS_DEFINED      =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES then doxygen's preprocessor will
+# remove all references to function-like macros that are alone on a line, have
+# an all uppercase name, and do not end with a semicolon. Such function macros
+# are typically used for boiler-plate code, and will confuse the parser if not
+# removed.
+# The default value is: YES.
+# This tag requires that the tag ENABLE_PREPROCESSING is set to YES.
+
+SKIP_FUNCTION_MACROS   = YES
+
+#---------------------------------------------------------------------------
+# Configuration options related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES tag can be used to specify one or more tag files. For each tag
+# file the location of the external documentation should be added. The format of
+# a tag file without this location is as follows:
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where loc1 and loc2 can be relative or absolute paths or URLs. See the
+# section "Linking to external documentation" for more information about the use
+# of tag files.
+# Note: Each tag file must have a unique name (where the name does NOT include
+# the path). If a tag file is not located in the directory in which doxygen is
+# run, you must also specify the path to the tagfile here.
+
+TAGFILES               =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create a
+# tag file that is based on the input files it reads. See section "Linking to
+# external documentation" for more information about the usage of tag files.
+
+GENERATE_TAGFILE       =
+
+# If the ALLEXTERNALS tag is set to YES, all external class will be listed in
+# the class index. If set to NO, only the inherited external classes will be
+# listed.
+# The default value is: NO.
+
+ALLEXTERNALS           = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES, all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will be
+# listed.
+# The default value is: YES.
+
+EXTERNAL_GROUPS        = YES
+
+# If the EXTERNAL_PAGES tag is set to YES, all external pages will be listed in
+# the related pages index. If set to NO, only the current project's pages will
+# be listed.
+# The default value is: YES.
+
+EXTERNAL_PAGES         = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of 'which perl').
+# The default file (with absolute path) is: /usr/bin/perl.
+
+PERL_PATH              = /usr/bin/perl
+
+#---------------------------------------------------------------------------
+# Configuration options related to the dot tool
+#---------------------------------------------------------------------------
+
+# If the CLASS_DIAGRAMS tag is set to YES, doxygen will generate a class diagram
+# (in HTML and LaTeX) for classes with base or super classes. Setting the tag to
+# NO turns the diagrams off. Note that this option also works with HAVE_DOT
+# disabled, but it is recommended to install and use dot, since it yields more
+# powerful graphs.
+# The default value is: YES.
+
+CLASS_DIAGRAMS         = YES
+
+# You can define message sequence charts within doxygen comments using the \msc
+# command. Doxygen will then run the mscgen tool (see:
+# http://www.mcternan.me.uk/mscgen/)) to produce the chart and insert it in the
+# documentation. The MSCGEN_PATH tag allows you to specify the directory where
+# the mscgen tool resides. If left empty the tool is assumed to be found in the
+# default search path.
+
+MSCGEN_PATH            =
+
+# You can include diagrams made with dia in doxygen documentation. Doxygen will
+# then run dia to produce the diagram and insert it in the documentation. The
+# DIA_PATH tag allows you to specify the directory where the dia binary resides.
+# If left empty dia is assumed to be found in the default search path.
+
+DIA_PATH               =
+
+# If set to YES the inheritance and collaboration graphs will hide inheritance
+# and usage relations if the target is undocumented or is not a class.
+# The default value is: YES.
+
+HIDE_UNDOC_RELATIONS   = YES
+
+# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is
+# available from the path. This tool is part of Graphviz (see:
+# http://www.graphviz.org/), a graph visualization toolkit from AT&T and Lucent
+# Bell Labs. The other options in this section have no effect if this option is
+# set to NO
+# The default value is: YES.
+
+HAVE_DOT               = YES
+
+# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is allowed
+# to run in parallel. When set to 0 doxygen will base this on the number of
+# processors available in the system. You can set it explicitly to a value
+# larger than 0 to get control over the balance between CPU load and processing
+# speed.
+# Minimum value: 0, maximum value: 32, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_NUM_THREADS        = 0
+
+# When you want a differently looking font in the dot files that doxygen
+# generates you can specify the font name using DOT_FONTNAME. You need to make
+# sure dot is able to find the font, which can be done by putting it in a
+# standard location or by setting the DOTFONTPATH environment variable or by
+# setting DOT_FONTPATH to the directory containing the font.
+# The default value is: Helvetica.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTNAME           = Helvetica
+
+# The DOT_FONTSIZE tag can be used to set the size (in points) of the font of
+# dot graphs.
+# Minimum value: 4, maximum value: 24, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTSIZE           = 10
+
+# By default doxygen will tell dot to use the default font as specified with
+# DOT_FONTNAME. If you specify a different font using DOT_FONTNAME you can set
+# the path where dot can find it using this tag.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_FONTPATH           =
+
+# If the CLASS_GRAPH tag is set to YES then doxygen will generate a graph for
+# each documented class showing the direct and indirect inheritance relations.
+# Setting this tag to YES will force the CLASS_DIAGRAMS tag to NO.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CLASS_GRAPH            = YES
+
+# If the COLLABORATION_GRAPH tag is set to YES then doxygen will generate a
+# graph for each documented class showing the direct and indirect implementation
+# dependencies (inheritance, containment, and class references variables) of the
+# class with other documented classes.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+COLLABORATION_GRAPH    = YES
+
+# If the GROUP_GRAPHS tag is set to YES then doxygen will generate a graph for
+# groups, showing the direct groups dependencies.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GROUP_GRAPHS           = YES
+
+# If the UML_LOOK tag is set to YES, doxygen will generate inheritance and
+# collaboration diagrams in a style similar to the OMG's Unified Modeling
+# Language.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LOOK               = NO
+
+# If the UML_LOOK tag is enabled, the fields and methods are shown inside the
+# class node. If there are many fields or methods and many nodes the graph may
+# become too big to be useful. The UML_LIMIT_NUM_FIELDS threshold limits the
+# number of items for each type to make the size more manageable. Set this to 0
+# for no limit. Note that the threshold may be exceeded by 50% before the limit
+# is enforced. So when you set the threshold to 10, up to 15 fields may appear,
+# but if the number exceeds 15, the total amount of fields shown is limited to
+# 10.
+# Minimum value: 0, maximum value: 100, default value: 10.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+UML_LIMIT_NUM_FIELDS   = 10
+
+# If the TEMPLATE_RELATIONS tag is set to YES then the inheritance and
+# collaboration graphs will show the relations between templates and their
+# instances.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+TEMPLATE_RELATIONS     = NO
+
+# If the INCLUDE_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are set to
+# YES then doxygen will generate a graph for each documented file showing the
+# direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDE_GRAPH          = YES
+
+# If the INCLUDED_BY_GRAPH, ENABLE_PREPROCESSING and SEARCH_INCLUDES tags are
+# set to YES then doxygen will generate a graph for each documented file showing
+# the direct and indirect include dependencies of the file with other documented
+# files.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INCLUDED_BY_GRAPH      = YES
+
+# If the CALL_GRAPH tag is set to YES then doxygen will generate a call
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable call graphs for selected
+# functions only using the \callgraph command. Disabling a call graph can be
+# accomplished by means of the command \hidecallgraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALL_GRAPH             = YES
+
+# If the CALLER_GRAPH tag is set to YES then doxygen will generate a caller
+# dependency graph for every global function or class method.
+#
+# Note that enabling this option will significantly increase the time of a run.
+# So in most cases it will be better to enable caller graphs for selected
+# functions only using the \callergraph command. Disabling a caller graph can be
+# accomplished by means of the command \hidecallergraph.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+CALLER_GRAPH           = YES
+
+# If the GRAPHICAL_HIERARCHY tag is set to YES then doxygen will graphical
+# hierarchy of all classes instead of a textual one.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GRAPHICAL_HIERARCHY    = YES
+
+# If the DIRECTORY_GRAPH tag is set to YES then doxygen will show the
+# dependencies a directory has on other directories in a graphical way. The
+# dependency relations are determined by the #include relations between the
+# files in the directories.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DIRECTORY_GRAPH        = YES
+
+# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images
+# generated by dot. For an explanation of the image formats see the section
+# output formats in the documentation of the dot tool (Graphviz (see:
+# http://www.graphviz.org/)).
+# Note: If you choose svg you need to set HTML_FILE_EXTENSION to xhtml in order
+# to make the SVG files visible in IE 9+ (other browsers do not have this
+# requirement).
+# Possible values are: png, png:cairo, png:cairo:cairo, png:cairo:gd, png:gd,
+# png:gd:gd, jpg, jpg:cairo, jpg:cairo:gd, jpg:gd, jpg:gd:gd, gif, gif:cairo,
+# gif:cairo:gd, gif:gd, gif:gd:gd, svg, png:gd, png:gd:gd, png:cairo,
+# png:cairo:gd, png:cairo:cairo, png:cairo:gdiplus, png:gdiplus and
+# png:gdiplus:gdiplus.
+# The default value is: png.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_IMAGE_FORMAT       = png
+
+# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
+# enable generation of interactive SVG images that allow zooming and panning.
+#
+# Note that this requires a modern browser other than Internet Explorer. Tested
+# and working are Firefox, Chrome, Safari, and Opera.
+# Note: For IE 9+ you need to set HTML_FILE_EXTENSION to xhtml in order to make
+# the SVG files visible. Older versions of IE do not have SVG support.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+INTERACTIVE_SVG        = NO
+
+# The DOT_PATH tag can be used to specify the path where the dot tool can be
+# found. If left blank, it is assumed the dot tool can be found in the path.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_PATH               =
+
+# The DOTFILE_DIRS tag can be used to specify one or more directories that
+# contain dot files that are included in the documentation (see the \dotfile
+# command).
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOTFILE_DIRS           =
+
+# The MSCFILE_DIRS tag can be used to specify one or more directories that
+# contain msc files that are included in the documentation (see the \mscfile
+# command).
+
+MSCFILE_DIRS           =
+
+# The DIAFILE_DIRS tag can be used to specify one or more directories that
+# contain dia files that are included in the documentation (see the \diafile
+# command).
+
+DIAFILE_DIRS           =
+
+# When using plantuml, the PLANTUML_JAR_PATH tag should be used to specify the
+# path where java can find the plantuml.jar file. If left blank, it is assumed
+# PlantUML is not used or called during a preprocessing step. Doxygen will
+# generate a warning when it encounters a \startuml command in this case and
+# will not generate output for the diagram.
+
+PLANTUML_JAR_PATH      =
+
+# When using plantuml, the PLANTUML_CFG_FILE tag can be used to specify a
+# configuration file for plantuml.
+
+PLANTUML_CFG_FILE      =
+
+# When using plantuml, the specified paths are searched for files specified by
+# the !include statement in a plantuml block.
+
+PLANTUML_INCLUDE_PATH  =
+
+# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of nodes
+# that will be shown in the graph. If the number of nodes in a graph becomes
+# larger than this value, doxygen will truncate the graph, which is visualized
+# by representing a node as a red box. Note that doxygen if the number of direct
+# children of the root node in a graph is already larger than
+# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note that
+# the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH.
+# Minimum value: 0, maximum value: 10000, default value: 50.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_GRAPH_MAX_NODES    = 50
+
+# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the graphs
+# generated by dot. A depth value of 3 means that only nodes reachable from the
+# root by following a path via at most 3 edges will be shown. Nodes that lay
+# further from the root node will be omitted. Note that setting this option to 1
+# or 2 may greatly reduce the computation time needed for large code bases. Also
+# note that the size of a graph can be further restricted by
+# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction.
+# Minimum value: 0, maximum value: 1000, default value: 0.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+MAX_DOT_GRAPH_DEPTH    = 0
+
+# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent
+# background. This is disabled by default, because dot on Windows does not seem
+# to support this out of the box.
+#
+# Warning: Depending on the platform used, enabling this option may lead to
+# badly anti-aliased labels on the edges of a graph (i.e. they become hard to
+# read).
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_TRANSPARENT        = NO
+
+# Set the DOT_MULTI_TARGETS tag to YES to allow dot to generate multiple output
+# files in one run (i.e. multiple -o and -T options on the command line). This
+# makes dot run faster, but since only newer versions of dot (>1.8.10) support
+# this, this feature is disabled by default.
+# The default value is: NO.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_MULTI_TARGETS      = NO
+
+# If the GENERATE_LEGEND tag is set to YES doxygen will generate a legend page
+# explaining the meaning of the various boxes and arrows in the dot generated
+# graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+GENERATE_LEGEND        = YES
+
+# If the DOT_CLEANUP tag is set to YES, doxygen will remove the intermediate dot
+# files that are used to generate the various graphs.
+# The default value is: YES.
+# This tag requires that the tag HAVE_DOT is set to YES.
+
+DOT_CLEANUP            = YES
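
Review bot: every tag in this tail of the Doxyfile is left at its documented default (DOT_IMAGE_FORMAT = png, INTERACTIVE_SVG = NO, DOT_GRAPH_MAX_NODES = 50, MAX_DOT_GRAPH_DEPTH = 0, DOT_TRANSPARENT = NO, DOT_MULTI_TARGETS = NO, GENERATE_LEGEND = YES, DOT_CLEANUP = YES), so most of the committed file is template text; committing only the tags that differ from the `doxygen -g` output would keep future diffs reviewable and make obvious which settings the project actually relies on.
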
diff --git a/src/libnftables.c b/src/libnftables.c
index 1abe077..dbbc340 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -7,6 +7,38 @@
  *
  */
 
+/**
+ *  \defgroup libnftables libnftables
+ *
+ *  libnftables is a high level nftables library that is meant to
+ *  be useful for frontend to nftables.
+ *
+ *  The synopsis of the library for a basic usage is the following
+ *
+ *  ```C
+ *	// init once the library cache
+ *	nft_global_init();
+ *	// create the nftables context
+ *	nft = nft_context_new();
+ *	// now you can run nftables commands
+ *	rc = nft_run_command_from_buffer(nft, CMD, sizeof(CMD));
+ *	if (rc != NFT_EXIT_SUCCESS) {
+ *		// use the following function to get errors
+ *		nft_get_error(nft, err_buf, sizeof(err_buf));
+ *		printf("%s\n", err_buf);
+ *		return -1;
+ *	}
+ *	// once you're done with the context, free allocated ressources
+ *	nft_context_free(nft);
+ *	// call deinit when you will not need anymore the library
+ *	nft_global_deinit();
+ *  ```
+ *  The library can be used to \ref run_commands "run commands" and has support
+ *  for \ref batch "batched commands".
+ *
+ *  @{
+ */
+
 #include <string.h>
 #include <errno.h>
 #include <nftables.h>
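
Review bot: the synopsis in the \defgroup block has three problems a first-time user will copy. `nft_run_command_from_buffer(nft, CMD, sizeof(CMD))` counts the terminating NUL in buflen, while the batch example further down passes `strlen(ADD1)`; pick one convention and state it in the \param buflen text. `nft = nft_context_new()` is never checked for NULL although nft_context_new() is documented to return NULL on error. The error path does `return -1` without `nft_context_free(nft)` / `nft_global_deinit()`, so the example leaks on the very path it is meant to illustrate. Also "ressources" -> "resources".
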
@@ -32,6 +64,12 @@ unsigned int debug_level;
 
 const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };
 
+/**
+ * Init cache structure.
+ *
+ * This needs to be called once by process to do the initialization
+ * phase of some structures.
+ */
 void nft_global_init(void)
 {
 	mark_table_init();
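
Review bot: the summary line "Init cache structure" does not match what nft_global_init() does (the visible body starts with mark_table_init(), i.e. the global lookup tables), and "once by process" should read "once per process". It would help to state that it must precede the first nft_context_new() and whether calling it a second time is allowed.
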
@@ -45,6 +83,11 @@ void nft_global_init(void)
 #endif
 }
 
+/**
+ * Deinit global structures
+ *
+ * To be called once before exiting the nftables tasks
+ */
 void nft_global_deinit(void)
 {
 	iface_cache_release();
@@ -55,6 +98,15 @@ void nft_global_deinit(void)
 	mark_table_exit();
 }
 
+/**
+ * Set number of consecutive errors to handle
+ *
+ * This can be useful if you send complex command to nftables
+ * and want to debug it but it causes memory leak.
+ *
+ * \param errors number of errors message to queue
+ * \return NFT_EXIT_SUCCESS if success NFT_EXIT_FAILURE if not
+ */
 int nft_global_set_max_errors(unsigned int errors)
 {
 	max_errors = errors;
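
Review bot: the comment for nft_global_set_max_errors() documents a known memory leak ("want to debug it but it causes memory leak") as part of the public contract; a public setter should not advertise a leak, so either fix the leak (erec_free_list() from patch 02 looks like the tool for it) or reject values other than 1 until it is fixed. The \return text promises NFT_EXIT_FAILURE in some case, but the visible body is an unconditional `max_errors = errors;`; say when failure can actually occur (errors == 0?) or drop the failure case.
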
@@ -72,6 +124,11 @@ static int nft_print(void *ctx, const char *fmt, ...)
 	return 0;
 } 
 
+/**
+ * Allocate a nftables context
+ *
+ * \return a struct nft_ctx or NULL in case of error
+ */
 struct nft_ctx *nft_context_new(void)
 {
 	struct nft_ctx *ctx = NULL;
@@ -90,6 +147,16 @@ struct nft_ctx *nft_context_new(void)
 	return ctx;
 }
 
+/**
+ * Set print function for your application
+ *
+ * Command such as `list ruleset` can trigger an output. This function
+ * allows you to define which function should be used.
+ *
+ * \param nft a initialized struct nft_ctx
+ * \param print a print function
+ * \param ctx a pointer that will be passed as first argument of print function call
+ */
 void nft_context_set_print_func(struct nft_ctx *nft,
 				int (*print)(void *ctx, const char *fmt, ...),
 				void *ctx)
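
Review bot: the print callback's contract is only half documented: say what the callback is expected to return and whether the library checks it (the library's own nft_print() above returns 0 unconditionally), and what happens when `print` is NULL. "a initialized" -> "an initialized".
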
@@ -100,6 +167,11 @@ void nft_context_set_print_func(struct nft_ctx *nft,
 	}
 }
 
+/**
+ * Free a nftables context
+ *
+ * \param nft a struct nft_ctx to be freed
+ */
 void nft_context_free(struct nft_ctx *nft)
 {
 	if (nft == NULL)
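
Review bot: document that nft_context_free() accepts NULL (the body starts with `if (nft == NULL)`), because callers following the synopsis will reach it with a NULL pointer when nft_context_new() failed; "a nftables" -> "an nftables".
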
@@ -118,7 +190,7 @@ static const struct input_descriptor indesc_cmdline = {
 /**
  * Get current errors and write them in provided buffer
  *
- * \return NFT_EXIT_SUCCESS if error, NFT_EXIT_FAILURE if error
+ * \return NFT_EXIT_SUCCESS if there is error, NFT_EXIT_FAILURE if no error available
  */
 int nft_get_error(struct nft_ctx *nft, char *err_buf, size_t err_buf_len)
 {
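
Review bot: the rewritten \return line is still confusing: "NFT_EXIT_SUCCESS if there is error, NFT_EXIT_FAILURE if no error available" makes success mean that an error was retrieved. Spell it out, e.g. "returns NFT_EXIT_SUCCESS and fills err_buf when an error message was pending; returns NFT_EXIT_FAILURE and leaves err_buf untouched when none is", and add what happens when err_buf_len is smaller than the message (truncation, NUL termination).
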
@@ -131,6 +203,37 @@ int nft_get_error(struct nft_ctx *nft, char *err_buf, size_t err_buf_len)
 	return NFT_EXIT_SUCCESS;
 }
 
+
+/**
+ * \defgroup run_commands Run nftables commands
+ *
+ * Once a nftables context has been initialized with nft_context_new()
+ * it is possible to run nftables commands via the following
+ * functions:
+ * * nft_run_command_from_buffer(): run command from a buffer
+ * * nft_run_command_from_filename(): run commands contained in a filename
+ *
+ * It is also possible to run multiple commands via \ref batch
+ *
+ * @{
+ */
+
+/**
+ * Run nftables command contained in provided buffer
+ *
+ * This function accept nft command with the same syntax
+ * as `nft` in interactive mode. For instance, this is a valid
+ * command if your ruleset has a `filter output` chain:
+ *
+ * ```C
+ * char ADD[] = "add rule filter output counter drop";
+ * ```
+ *
+ * \param nft a pointer to a initialized struct nft_ctx
+ * \param buf buffer containing the command to execute
+ * \param buflen the length of the buffer
+ * \return NFT_EXIT_SUCCESS if success NFT_EXIT_FAILURE if not
+ */
 int nft_run_command_from_buffer(struct nft_ctx *nft,
 				char *buf, size_t buflen)
 {
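
Review bot: nft_run_command_from_buffer() takes `char *buf` while nft_batch_add() below takes `const char *buf`; unless the scanner really writes into the buffer, make both const so callers can pass string literals. The \param buflen text should say whether the terminating NUL is counted (the synopsis passes sizeof(CMD), the batch example strlen(ADD1)). Grammar: "This function accept nft command" -> "This function accepts an nft command"; there is also a stray extra blank line added before the \defgroup block.
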
@@ -150,6 +253,26 @@ int nft_run_command_from_buffer(struct nft_ctx *nft,
 	return rc;
 }
 
+/**
+ * Run all nftables commands contained in a file
+ *
+ * This function provides away to programmatically get an equivalent
+ * of the `-f` option of `nft`. For instance
+ * For instance, this is a valid content for a file
+ * if your ruleset has a `filter output` chain:
+ *
+ * ```
+ *	table filter {
+ *		chain output {
+ *			counter drop
+ *		}
+ *	}
+ * ```
+ *
+ * \param nft a pointer to a initialized struct nft_ctx
+ * \param filename path to the file containing  nft rules
+ * \return NFT_EXIT_SUCCESS if success NFT_EXIT_FAILURE if not
+ */
 int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename)
 {
 	int rc = NFT_EXIT_SUCCESS;
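
Review bot: wording in the nft_run_command_from_filename() comment: "provides away" -> "provides a way", the sentence starting "For instance" is begun twice, "a initialized" -> "an initialized", and "containing  nft rules" has a double space. It would also help to say how `include` statements inside the file are resolved (against the global include_paths[] declared above, presumably).
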
@@ -172,6 +295,63 @@ int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename)
 	return rc;
 }
 
+/**
+ * @}
+ */
+
+/**
+ * \defgroup batch Batch support
+ *
+ * Nftables supports batch or transsaction. It is possible to prepare
+ * multiple commands and then run it at once. If one of the commands fails
+ * then the complete set of commands is not added to the firewall ruleset.
+ *
+ * libnftables support transaction and the synopsis of the usage it the
+ * following:
+ * * create a transaction with nft_batch_start()
+ * * add command to the batch with nft_batch_add()
+ * * commit the batch to kernel with nft_batch_commit()
+ *
+ * The following example code shows how to use it:
+ *
+ * ```C
+ *      char ADD1[] = "add rule nat postrouting ip saddr 1.2.3.4 masquerade";
+ *      char ADD2[] = "add rule filter forward ip saddr 1.2.3.4 accept";
+ *	// start a batch using an existing nftables context
+ *	batch = nft_batch_start(nft);
+ *	// add first command to the batch
+ *	if (nft_batch_add(nft, batch, ADD1, strlen(ADD1)) != NFT_EXIT_SUCCESS) {
+ *		// standard error handling
+ *		nft_get_error(nft, err_buf, sizeof(err_buf));
+ *		printf("%s\n", err_buf);
+ *		// free the batch
+ *		nft_batch_free(batch);
+ *		return -1;
+ *	}
+ *	// add second command
+ *	if (nft_batch_add(nft, batch, ADD2, strlen(ADD2)) != NFT_EXIT_SUCCESS) {
+ *		// error handling
+ *		nft_batch_free(batch);
+ *		return -1;
+ *	}
+ *	// send this batch of two commands to kernel and get result
+ *	ret = nft_batch_commit(nft, batch);
+ *	if (ret != 0) {
+ *		// error handling
+ *		nft_batch_free(batch);
+ *		return -1;
+ *	}
+ * ```
+ *
+ *  @{
+ */
+
+/**
+ * Start a batch
+ *
+ * \param nft a pointer to an initalized struct nft_ctx
+ * \return a pointer to an allocated and initialized struct nft_batch or NULL if error
+ */
 struct nft_batch *nft_batch_start(struct nft_ctx *nft)
 {
 	uint32_t seqnum;
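
Review bot: the batch example never frees the batch on the success path, and nothing in the nft_batch_commit()/nft_batch_free() comments says whether commit consumes the batch; state the ownership rule explicitly (the example should end with nft_batch_free(batch) if commit does not free it). The example also tests `ret != 0` while the API is documented to return NFT_EXIT_SUCCESS/NFT_EXIT_FAILURE, and the second nft_batch_add() failure branch skips nft_get_error(), so the reader cannot tell which command was rejected. Typos: "transsaction", "libnftables support transaction and the synopsis of the usage it the following", "initalized".
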
@@ -198,6 +378,15 @@ struct nft_batch *nft_batch_start(struct nft_ctx *nft)
 	return batch;
 }
 
+/**
+ * Add a command to an already created batch
+ *
+ * \param nft nftables context initialized with nft_context_new()
+ * \param batch nftables batch initialized with nft_batch_start()
+ * \param buf buffer with command to execute
+ * \param buflen length of buffer string
+ * \return NFT_EXIT_SUCCESS in case of success or NFT_EXIT_FAILURE
+ */
 int nft_batch_add(struct nft_ctx *nft, struct nft_batch *batch,
 		  const char * buf, size_t buflen)
 {
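
Review bot: say what state the batch is in after nft_batch_add() fails: the group example frees it immediately, but if a rejected command leaves the earlier commands intact a caller may prefer to retry, and if it does not, the comment should say the batch must be discarded. "length of buffer string" should also state whether the NUL is included, matching nft_run_command_from_buffer().
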
@@ -236,6 +425,13 @@ err1:
 	return rc;
 }
 
+/**
+ * Commit a batch to the kernel
+ *
+ * \param nft nftables context initialized with nft_context_new()
+ * \param batch nftables batch with commands added via nft_batch_add()
+ * \return NFT_EXIT_SUCCESS in case of success or NFT_EXIT_FAILURE
+ */
 int nft_batch_commit(struct nft_ctx *nft, struct nft_batch *batch)
 {
 	int ret = 0;
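
Review bot: nft_batch_commit() is documented to return NFT_EXIT_SUCCESS or NFT_EXIT_FAILURE, but the body initialises `int ret = 0;` and the group example compares the result to 0; pick one convention. Also document whether a kernel-side rejection of one command rolls back the whole batch (as the group description claims) and how the per-command error reaches nft_get_error().
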
@@ -264,6 +460,11 @@ out:
 	return ret;
 }
 
+/**
+ * Free ressources allocated to a batch
+ *
+ * \param batch nftables batch initialized with nft_batch_start()
+ */
 void nft_batch_free(struct nft_batch *batch)
 {
 	if (batch == NULL)
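
Review bot: "ressources" -> "resources"; also document that NULL is accepted (the body starts with `if (batch == NULL)`), which matters because the group example frees the batch from every error path.
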
@@ -271,3 +472,11 @@ void nft_batch_free(struct nft_batch *batch)
 	mnl_batch_reset(batch->batch);
 	xfree(batch);
 }
+
+/**
+ * @}
+ */
+
+/**
+ * @}
+ */
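
Review bot: the two unlabeled `@}` blocks at the end close the batch group and then the libnftables group; an `@} // end of batch` / `@} // end of libnftables` comment makes the nesting obvious, since the run_commands group was already closed just before the batch group opened and a misplaced closing brace silently moves functions between groups in the generated documentation.
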
-- 
2.14.1


* Re: [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk
  2017-08-19 15:24 ` [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk Eric Leblond
@ 2017-08-21  8:10   ` Pablo Neira Ayuso
  2017-08-21 19:01     ` Eric Leblond
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:10 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

Hi Eric,

On Sat, Aug 19, 2017 at 05:24:03PM +0200, Eric Leblond wrote:
> If one of the commands is failing we should return an error.

Is this fixing up a real issue or is it something you need in a follow-up
patch?

Thanks!

> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  src/mnl.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/src/mnl.c b/src/mnl.c
> index b0f5191..661ecbc 100644
> --- a/src/mnl.c
> +++ b/src/mnl.c
> @@ -245,6 +245,7 @@ static ssize_t mnl_nft_socket_sendmsg(const struct mnl_socket *nl,
>  
>  int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
>  {
> +	int rc = 0;
>  	struct mnl_socket *nl = ctx->nf_sock;
>  	int ret, fd = mnl_socket_get_fd(nl), portid = mnl_socket_get_portid(nl);
>  	char rcv_buf[MNL_SOCKET_BUFFER_SIZE];
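
Review bot: `rc` next to the existing `ret` is easy to confuse in a function that already juggles send/receive/select results; a more specific name (e.g. `batch_err`) or a one-line comment saying it accumulates the batch-wide status would help readers.
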
> @@ -275,8 +276,10 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
>  
>  		ret = mnl_cb_run(rcv_buf, ret, 0, portid, &netlink_echo_callback, ctx);
>  		/* Continue on error, make sure we get all acknowledgments */
> -		if (ret == -1)
> +		if (ret == -1) {
>  			mnl_err_list_node_add(err_list, errno, nlh->nlmsg_seq);
> +			rc = -1;
> +		}
>  
>  		ret = select(fd+1, &readfds, NULL, NULL, &tv);
>  		if (ret == -1)
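
Review bot: setting `rc = -1` here makes the function report any rejected message, which is what the commit message asks for, but the comment "Continue on error, make sure we get all acknowledgments" should now also say that the error is recorded in err_list and reflected in the return value, since callers that previously inspected only err_list will now also get -1 back.
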
> @@ -285,7 +288,7 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
>  		FD_ZERO(&readfds);
>  		FD_SET(fd, &readfds);
>  	}
> -	return ret;
> +	return rc;
>  }
>  
>  int mnl_nft_rule_batch_add(struct nftnl_rule *nlr, struct nftnl_batch *batch,
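
Review bot: `return rc;` fixes a real problem rather than adding a convenience: `ret` at this point holds the last select() result (a ready-descriptor count, or 0 on timeout), so a batch with a rejected command could return success before this patch; the commit message should say that, which also answers the "real issue or needed by a follow-up" question. The `if (ret == -1)` branch after select() is cut off at the end of the previous hunk; make sure it still returns an error explicitly rather than falling through to `return rc`.
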
> -- 
> 2.14.1
> 

* Re: [PATH nft v2 02/18] erec: add function to free list
  2017-08-19 15:24 ` [PATH nft v2 02/18] erec: add function to free list Eric Leblond
@ 2017-08-21  8:12   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:12 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:04PM +0200, Eric Leblond wrote:
> Signed-off-by: Eric Leblond <eric@regit.org>

Please, add description, even if it's just a one-liner.

[...]
> diff --git a/src/erec.c b/src/erec.c
> index 439add9..f454d34 100644
> --- a/src/erec.c
> +++ b/src/erec.c
> @@ -213,6 +213,16 @@ void erec_print_list(FILE *f, struct list_head *list)
>  	}
>  }
>  
> +void erec_free_list(struct list_head *list)
> +{
> +	struct error_record *erec, *next;
> +
> +	list_for_each_entry_safe(erec, next, list, list) {
> +		list_del(&erec->list);
> +		erec_destroy(erec);
> +	}
> +}
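
Review bot: list_for_each_entry_safe() with list_del() before erec_destroy() is the right shape. A one-line description is missing, and the obvious first user is worth naming in it: the nft_global_set_max_errors() comment later in the series says that keeping more than one error record leaks memory, which is exactly what a function freeing the queued error records would fix, so wire erec_free_list() into that path (or into nft_get_error()) in the same series.
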

There is no first user of this function in the codebase yet?

* Re: [PATH nft v2 04/18] libnftables: add context new and free
  2017-08-19 15:24 ` [PATH nft v2 04/18] libnftables: add context new and free Eric Leblond
@ 2017-08-21  8:17   ` Pablo Neira Ayuso
  2017-08-24 15:30   ` Pablo Neira Ayuso
  1 sibling, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:17 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:06PM +0200, Eric Leblond wrote:
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  include/nftables.h          |  1 +
>  include/nftables/nftables.h |  3 +++
>  src/libnftables.c           | 20 ++++++++++++++++++++
>  src/main.c                  | 29 ++++++++++++++---------------
>  4 files changed, 38 insertions(+), 15 deletions(-)
> 
> diff --git a/include/nftables.h b/include/nftables.h
> index a457aba..717af37 100644
> --- a/include/nftables.h
> +++ b/include/nftables.h
> @@ -35,6 +35,7 @@ struct output_ctx {
>  struct nft_ctx {
>  	struct output_ctx	output;
>  	bool			check;
> +	struct mnl_socket	*nf_sock;
>  };
>  
>  struct nft_cache {
> diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> index 4ba16f0..cfa60fe 100644
> --- a/include/nftables/nftables.h
> +++ b/include/nftables/nftables.h
> @@ -17,4 +17,7 @@
>  void nft_global_init(void);
>  void nft_global_deinit(void);
>  
> +struct nft_ctx *nft_context_new(void);
> +void nft_context_free(struct nft_ctx *nft);
> +
>  #endif
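
Review bot: this public header now returns and accepts `struct nft_ctx *`, but the struct itself is defined in the private include/nftables.h (previous hunk); unless an earlier patch already added one, the public header needs a `struct nft_ctx;` forward declaration so that consumers compiling only against include/nftables/nftables.h get an opaque type rather than a "declared inside parameter list" warning.
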
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 215179a..6756c0f 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -51,3 +51,23 @@ void nft_global_deinit(void)
>  	realm_table_meta_exit();
>  	mark_table_exit();
>  }
> +
> +struct nft_ctx *nft_context_new(void)
> +{
> +	struct nft_ctx *ctx = NULL;
> +	ctx = calloc(1, sizeof(struct nft_ctx));
> +	if (ctx == NULL)
> +		return NULL;
> +	ctx->nf_sock = netlink_open_sock();
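
Review bot: `struct nft_ctx *ctx = NULL;` is immediately overwritten by calloc(), so the initialiser is dead; more importantly the hunk is cut off right after `ctx->nf_sock = netlink_open_sock();` with no visible check of its result, so if netlink_open_sock() can return NULL the function must free ctx and return NULL rather than hand out a context with a dead socket.
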

I would prefer we keep the 'struct mnl_socket' away from the context
structure.

If we want to support monitor mode, that is something I would like to
support too, then we have to expose this netlink descriptor since
event handling is usually trickier.

Please, don't tell me that we can expose the socket file descriptor
through some nft_ctx_get_fd()... Then, we may have to expose a toggle for
O_CLOEXEC in socket() and whatever new details that get added to
netlink.

In the past, looking at libnfnetlink and other libnetfilter_*, hiding
the netlink file descriptor - and netlink details in general - was a
design decision.

* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-19 15:24 ` [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer Eric Leblond
@ 2017-08-21  8:23   ` Pablo Neira Ayuso
  2017-08-21  8:45     ` Pablo Neira Ayuso
  2017-08-24 15:49   ` Pablo Neira Ayuso
  1 sibling, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:23 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:07PM +0200, Eric Leblond wrote:
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  include/nftables/nftables.h |  3 +++
>  src/libnftables.c           | 26 +++++++++++++++++++++++++-
>  src/main.c                  | 19 ++++++++-----------
>  3 files changed, 36 insertions(+), 12 deletions(-)
> 
> diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> index cfa60fe..63150ba 100644
> --- a/include/nftables/nftables.h
> +++ b/include/nftables/nftables.h
> @@ -20,4 +20,7 @@ void nft_global_deinit(void);
>  struct nft_ctx *nft_context_new(void);
>  void nft_context_free(struct nft_ctx *nft);
>  
> +int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
> +				char *buf, size_t buflen);
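
Review bot: the new prototype exposes `struct nft_cache *` to library users and takes `char *buf` (non-const). Both leak internals into the public ABI: the cache is an implementation detail (patch 10 of this series folds it into nft_ctx), and a non-const buffer prevents passing string literals. Prefer `int nft_run_command_from_buffer(struct nft_ctx *nft, const char *buf, size_t buflen);` from the start so the signature does not change again within the same series.
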

Can we probably have something like:

nft_import_from_buffer(ctx, ...)
nft_import_from_file(ctx, ...)

That initializes the context structure. Then, a generic:

nft_run(ctx)

I suggest you make a patch to add these to nftables in first place.
I mean, just send a patch that adds these functions as static to
src/main.c to start with it. Just as a cleanup to prepare things, we
can integrate this asap meanwhile we keep discussing library details,
so we reduce the size/burden of your patchset as we iterate over it.
To integrate things more quickly.

Thanks.

* Re: [PATH nft v2 08/18] libnftables: add missing variables to library
  2017-08-19 15:24 ` [PATH nft v2 08/18] libnftables: add missing variables to library Eric Leblond
@ 2017-08-21  8:27   ` Pablo Neira Ayuso
  2017-08-21 19:04     ` Eric Leblond
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:27 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:10PM +0200, Eric Leblond wrote:
> This patch also avoids double definition of global vars.
> 
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  src/libnftables.c | 2 ++
>  src/main.c        | 6 ------
>  2 files changed, 2 insertions(+), 6 deletions(-)
> 
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 446ec1e..28f9272 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -33,6 +33,8 @@ unsigned int handle_output;
>  unsigned int debug_level;
>  #endif
>  
> +const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };

Would you send an initial patch to place this in nft_ctx?

Otherwise, we can probably tell Varsha - Outreachy to do this for you.

>  void nft_global_init(void)
>  {
>  	mark_table_init();
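
Review bot: moving `include_paths[]` into the library makes a mutable array shared by every nft_ctx in the process, with no locking and no setter; if that is the intended first step, a short comment saying it is process-global (and so not safe to modify from several threads) would save library users a surprise, and the plan to move it into nft_ctx fits that.
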
> diff --git a/src/main.c b/src/main.c
> index 9b4e450..7ab01b7 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -29,12 +29,6 @@
>  #include <iface.h>
>  #include <cli.h>
>  
> -unsigned int max_errors = 10;
> -#ifdef DEBUG
> -unsigned int debug_level;
> -#endif

These are being removed here, so I guess this is a leftover from
previous patch.

Anyway, I think these are candidates for the ctx object too, let me
have a look if I can send you a quick patch to sort this out.

> -const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };
>  static unsigned int num_include_paths = 1;
>  
>  enum opt_vals {
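
Review bot: `num_include_paths` stays `static` in src/main.c while the array it counts now lives in libnftables.c, so the array and its length sit in different compilation units: the library cannot iterate or bounds-check include_paths consistently with what the CLI appends. Move the counter together with the array (or, better, both into nft_ctx).
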
> -- 
> 2.14.1
> 

* Re: [PATH nft v2 10/18] libnftables: add a nft_cache to nft_ctx
  2017-08-19 15:24 ` [PATH nft v2 10/18] libnftables: add a nft_cache to nft_ctx Eric Leblond
@ 2017-08-21  8:32   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:32 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:12PM +0200, Eric Leblond wrote:
> Hide this structure from the user, this allows simplifying the simple
> functions by just providing easy and meaningful arguments.

I'm fine with placing the cache into nft_ctx. You can send an upfront
initial patch to do this that I would ack asap.

More comments below.

> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  include/cli.h               |  2 +-
>  include/nftables.h          | 13 +++++++------
>  include/nftables/nftables.h |  5 ++---
>  src/cli.c                   | 10 ++++++++--
>  src/libnftables.c           | 19 +++++++++++--------
>  src/main.c                  | 11 +++--------
>  6 files changed, 32 insertions(+), 28 deletions(-)
> 
> diff --git a/include/cli.h b/include/cli.h
> index e577400..899c8a6 100644
> --- a/include/cli.h
> +++ b/include/cli.h
> @@ -6,7 +6,7 @@
>  struct parser_state;
>  #ifdef HAVE_LIBREADLINE
>  extern int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
> -		    struct nft_cache *cache, struct parser_state *state);
> +		    struct parser_state *state);
>  #else
>  static inline int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
>  			   struct nft_cache *cache, struct parser_state *state)
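
Review bot: besides the stale `#else` inline stub (still taking `struct nft_cache *cache`) that breaks builds without HAVE_LIBREADLINE, the readline prototype keeps a separate `struct mnl_socket *nf_sock` parameter even though nft_ctx now carries `nf_sock` (see the include/nftables.h hunk below); dropping it alongside `cache` would leave a single way to reach the socket.
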

cli_init footprint is not updated, this will break compilation with no
HAVE_LIBREADLINE.

> diff --git a/include/nftables.h b/include/nftables.h
> index aad204e..348fbb0 100644
> --- a/include/nftables.h
> +++ b/include/nftables.h
> @@ -32,18 +32,19 @@ struct output_ctx {
>  	unsigned int echo;
>  };
>  
> -struct nft_ctx {
> -	struct output_ctx	output;
> -	bool			check;
> -	struct mnl_socket	*nf_sock;
> -};
> -
>  struct nft_cache {
>  	bool			initialized;
>  	struct list_head	list;
>  	uint32_t		seqnum;
>  };
>  
> +struct nft_ctx {
> +	struct output_ctx	output;
> +	bool			check;
> +	struct mnl_socket	*nf_sock;
> +	struct nft_cache	cache;
> +};
> +
>  extern unsigned int max_errors;
>  extern unsigned int debug_level;
>  extern const char *include_paths[INCLUDE_PATHS_MAX];
> diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> index 20a062c..b902cbd 100644
> --- a/include/nftables/nftables.h
> +++ b/include/nftables/nftables.h
> @@ -27,9 +27,8 @@ void nft_global_deinit(void);
>  struct nft_ctx *nft_context_new(void);
>  void nft_context_free(struct nft_ctx *nft);
>  
> -int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
> +int nft_run_command_from_buffer(struct nft_ctx *nft,
>  				char *buf, size_t buflen);
> -int nft_run_command_from_filename(struct nft_ctx *nft, struct nft_cache *cache,
> -				  const char *filename);
> +int nft_run_command_from_filename(struct nft_ctx *nft, const char *filename);
>  
>  #endif
> diff --git a/src/cli.c b/src/cli.c
> index 7501b29..fd5c7b7 100644
> --- a/src/cli.c
> +++ b/src/cli.c
> @@ -177,13 +177,17 @@ void __fmtstring(1, 0) cli_display(const char *fmt, va_list ap)
>  }
>  
>  int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
> -	     struct nft_cache *cache, struct parser_state *_state)
> +	     struct parser_state *_state)
>  {
>  	const char *home;
> +	struct nft_cache cache;
> +
> +	memset(&cache, 0, sizeof(cache));
> +	init_list_head(&cache.list);
>  
>  	cli_nf_sock = nf_sock;
>  	cli_nft = *nft;
> -	cli_cache = cache;
> +	cli_cache = &cache;
>  	rl_readline_name = "nft";
>  	rl_instream  = stdin;
>  	rl_outstream = stdout;
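
Review bot: `cli_cache = &cache;` stores the address of a stack variable in the file-scope `cli_cache`; it is valid while cli_init() spins in the readline loop, but it dangles the moment cli_init() returns, and the memset()/init_list_head() pair duplicates what nft_context_new() now does for `ctx->cache`. Since `nft` is passed in and now embeds a cache, point cli_cache at `&nft->cache` instead of creating a second cache on the stack.
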
> @@ -204,6 +208,8 @@ int cli_init(struct nft_ctx *nft, struct mnl_socket *nf_sock,
>  
>  	while (!eof)
>  		rl_callback_read_char();
> +
> +	cache_release(&cache);
>  	return 0;
>  }
>  
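
Review bot: `cache_release(&cache)` runs only when the loop ends through `eof`; if cli_init() can be left any other way, `cli_cache` is left pointing at released stack memory, so reset it to NULL here (or, better, drop the stack cache as suggested for the previous hunk).
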
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 28f9272..19d539c 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -63,7 +63,10 @@ struct nft_ctx *nft_context_new(void)
>  	ctx = calloc(1, sizeof(struct nft_ctx));
>  	if (ctx == NULL)
>  		return NULL;
> +
> +	memset(ctx, 0, sizeof(*ctx));

memset() a calloc() memory area? Not needed.

>  	ctx->nf_sock = netlink_open_sock();
> +	init_list_head(&ctx->cache.list);

Cleanup: It would be good to add a cache_init() function probably.

>  	return ctx;
>  }
> @@ -74,6 +77,7 @@ void nft_context_free(struct nft_ctx *nft)
>  	if (nft == NULL)
>  		return;
>  	netlink_close_sock(nft->nf_sock);
> +	cache_release(&nft->cache);
>  	xfree(nft);
>  }
>  
> @@ -82,7 +86,7 @@ static const struct input_descriptor indesc_cmdline = {
>  	.name	= "<cmdline>",
>  };
>  
> -int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
> +int nft_run_command_from_buffer(struct nft_ctx *nft,
>  				char *buf, size_t buflen)
>  {
>  	int rc = NFT_EXIT_SUCCESS;
> @@ -90,11 +94,11 @@ int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
>  	LIST_HEAD(msgs);
>  	void *scanner;
>  
> -	parser_init(nft->nf_sock, cache, &state, &msgs);
> +	parser_init(nft->nf_sock, &nft->cache, &state, &msgs);
>  	scanner = scanner_init(&state);
>  	scanner_push_buffer(scanner, &indesc_cmdline, buf);
>  		
        ^^^^^^^^

Cosmetic: There is an empty line here above with an indent.

* Re: [PATH nft v2 11/18] libnftables: move iface_cache_release to deinit
  2017-08-19 15:24 ` [PATH nft v2 11/18] libnftables: move iface_cache_release to deinit Eric Leblond
@ 2017-08-21  8:33   ` Pablo Neira Ayuso
  2017-08-24 15:55   ` Pablo Neira Ayuso
  1 sibling, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:33 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:13PM +0200, Eric Leblond wrote:
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  src/libnftables.c | 1 +
>  src/main.c        | 1 -
>  2 files changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 19d539c..2228156 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -50,6 +50,7 @@ void nft_global_init(void)
>  
>  void nft_global_deinit(void)
>  {
> +	iface_cache_release();

Is this a leftover?

With git interactive rebase you can move this patch where it belongs
and squash it to original.

>  	ct_label_table_exit();
>  	realm_table_rt_exit();
>  	devgroup_table_exit();
> diff --git a/src/main.c b/src/main.c
> index 2cb7e6f..08d77d0 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -307,7 +307,6 @@ int main(int argc, char * const *argv)
>  
>  out:
>  	xfree(buf);
> -	iface_cache_release();
>  	nft_context_free(nft);
>  	nft_global_deinit();
>  
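
Review bot: with iface_cache_release() moved into nft_global_deinit(), the interface cache now outlives individual contexts and is torn down only at global deinit; main.c gets the order right (nft_context_free() before nft_global_deinit()), but the nft_global_deinit() comment should state that all contexts must be freed first, and the commit message (currently empty) should explain why the release belongs to the global phase.
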
> -- 
> 2.14.1
> 

* Re: [PATH nft v2 15/18] libnftables: set max_errors to 1 in library
  2017-08-19 15:24 ` [PATH nft v2 15/18] libnftables: set max_errors to 1 in library Eric Leblond
@ 2017-08-21  8:37   ` Pablo Neira Ayuso
  2017-08-21 19:12     ` Eric Leblond
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:37 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:17PM +0200, Eric Leblond wrote:
> As memory handling is deficient if we don't do so, we can't really
> use a non 1 value for the parameter in the library due to memory
> leak.
> 
> Also this is not a real issue as programmatically a user of the
> library should only encounter one error at a time.
> 
> This patch also introduces a function that can be used to modify
> the max_errors parameter. It is used in main to keep the existing
> behavior.
> 
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  include/nftables/nftables.h | 1 +
>  src/libnftables.c           | 8 +++++++-
>  src/main.c                  | 1 +
>  3 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> index 2ddb38a..f419884 100644
> --- a/include/nftables/nftables.h
> +++ b/include/nftables/nftables.h
> @@ -22,6 +22,7 @@ enum nftables_exit_codes {
>  };
>  
>  void nft_global_init(void);
> +int nft_global_set_max_errors(unsigned int errors);
>  void nft_global_deinit(void);
>  
>  struct nft_ctx *nft_context_new(void);
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 61ed4e5..15345ae 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -25,7 +25,7 @@
>  #include <fcntl.h>
>  
>  
> -unsigned int max_errors = 10;
> +unsigned int max_errors = 1;
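
Review bot: lowering the process-wide default to 1 changes behaviour for every user of the library, not only those hitting the parser leak, and because `max_errors` is a plain global, nft_global_set_max_errors() called for one context affects all others. The underlying leak is the thing to fix (the series already adds erec_free_list()); until then a comment on the variable saying why 1 is the default would at least stop someone bumping it back.
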

This is defeating all the work I've done - both in netlink and in
userspace - in the past to allow printing several errors in one go. So
you likely understand I'm reticent to take this as is :-)

I remember you mentioned there's a problem with memory in the parser.
I would help to fix this; I'd appreciate it if you can describe
problem so we can address it here.

Thanks!

* Re: [PATH nft v2 17/18] libnftables: suppress unused global variables
  2017-08-19 15:24 ` [PATH nft v2 17/18] libnftables: suppress unused global variables Eric Leblond
@ 2017-08-21  8:40   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:40 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:19PM +0200, Eric Leblond wrote:
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  src/libnftables.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/src/libnftables.c b/src/libnftables.c
> index b1df916..1abe077 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -26,9 +26,6 @@
>  
>  
>  unsigned int max_errors = 1;
> -unsigned int numeric_output;
> -unsigned int ip2name_output;
> -unsigned int handle_output;

I guess these slipped through in the constant rebases I'm triggering
with my preparation patches, sorry about that.

I guess it should be possible to get rid of this in the next
submission by amending the patch that adds the library.

* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-21  8:23   ` Pablo Neira Ayuso
@ 2017-08-21  8:45     ` Pablo Neira Ayuso
  2017-08-21  9:06       ` Eric Leblond
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:45 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Mon, Aug 21, 2017 at 10:23:44AM +0200, Pablo Neira Ayuso wrote:
> On Sat, Aug 19, 2017 at 05:24:07PM +0200, Eric Leblond wrote:
> > Signed-off-by: Eric Leblond <eric@regit.org>
> > ---
> >  include/nftables/nftables.h |  3 +++
> >  src/libnftables.c           | 26 +++++++++++++++++++++++++-
> >  src/main.c                  | 19 ++++++++-----------
> >  3 files changed, 36 insertions(+), 12 deletions(-)
> > 
> > diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> > index cfa60fe..63150ba 100644
> > --- a/include/nftables/nftables.h
> > +++ b/include/nftables/nftables.h
> > @@ -20,4 +20,7 @@ void nft_global_deinit(void);
> >  struct nft_ctx *nft_context_new(void);
> >  void nft_context_free(struct nft_ctx *nft);
> >  
> > +int nft_run_command_from_buffer(struct nft_ctx *nft, struct nft_cache *cache,
> > +				char *buf, size_t buflen);
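Review bot: `buf` is declared `char *` although a "run command from buffer" entry point should only read the command text; declare it `const char *buf` so callers can pass literals and the read-only contract is part of the public header. Passing `struct nft_cache *cache` separately from `nft_ctx` also exposes internal state through the library API; the cache belongs inside the context so a caller cannot hand in a stale or foreign one.
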
> 
> Can we probably have something like:
> 
> nft_import_from_buffer(ctx, ...)
> nft_import_from_file(ctx, ...)
> 
> That initializes the context structure. Then, a generic:
> 
> nft_run(ctx)
> 
> I suggest you make a patch to add these to nftables in first place.
> I mean, just send a patch that adds these functions as static to
> src/main.c to start with it. Just as a cleanup to prepare thing, we
> can integrate this asap meanwhile we keep discussing library details,
> so we reduce the size/burden of your patchset as we iterate over it.
> To integrate things more quickly.

Actually, every nft_import_xyz() would just provide the batch support
we need, ie. it should be possible to call nft_import_xyz() several
times before we call nft_run().

The nft_import_xyz() calls would do the scanner, parsing and
evaluation phases.

The nft_run(nlsock, ...) would just push this into the kernel - so
this function would be wrapping the netlink layer handling...

I would say this nft_run() becomes nft_compile() instead and we take
the underneath netlink codebase to do the handling away from this...

Otherwise, we will have to add branches to deal with non-blocking IO.

Then, at some point, it starts looking like libnl... and that is not
good ;-)

I can help with preparation patches, let's just agree on what needs to
be done so we don't overlap each other.

Thanks!


* Re: [PATCH nft v2 00/18] introducing libnftables
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (17 preceding siblings ...)
  2017-08-19 15:24 ` [PATH nft v2 18/18] libnftables: doxygen documentation Eric Leblond
@ 2017-08-21  8:55 ` Pablo Neira Ayuso
  2017-08-21 21:42   ` Eric Leblond
  2017-08-30 10:31 ` Phil Sutter
  19 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  8:55 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

Hi Eric,

First off, I appreciate the time you took to work on this.

On Sat, Aug 19, 2017 at 05:24:02PM +0200, Eric Leblond wrote:
> 
> Hello,
> 
> This patchset is the second version of libnftables introduction patchset.
> It addresses some remarks by Phil Sutter. Other remarks as said on the ML
> are in fact TODO points that can be addressed later.
> 
> This patchset also fixes issues with error handling and adds documentation
> in doxygen format. An output is available here if you wanna have a look:
>  http://home.regit.org/~regit/libnftables/html/group__libnftables.html

This is now a smaller patchset than the one that you posted in
previous NFWS for nftables-0.5, so I think we're taking the right
steps towards the library.

> The first two patches are a bugfix and a helper function that is needed
> for the library:
>  * [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk
>  * [PATH nft v2 02/18] erec: add function to free list
> 
> As mentioned by Arturo, this is not meant to be added into nftables v0.8 but
> it is a good candidate for early introduction in the branch as soon as the
> v0.8 release is done. 
> 
> I did not manage to incorporate some suggestions done privately by Pablo. For
> instance there is an nf_sock in the struct nft_ctx. I did not change any
> existing internal so it is still possible to do it as incremental patches.

I'd rather do it the other way around... Let's agree on what preparation
patches need to get in, then submit a final patch to expose the
library API and documentation.

Please, we shouldn't assume no one is going to consider this API
unstable once we push it upstream...

And I really don't know / I can't forecast what resources we will have
here to work / fix things before this goes public... so the worst case is
that we take X years to fix remaining issues...

Please, no need to rush.


* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-21  8:45     ` Pablo Neira Ayuso
@ 2017-08-21  9:06       ` Eric Leblond
  2017-08-21  9:44         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-21  9:06 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Mon, 2017-08-21 at 10:45 +0200, Pablo Neira Ayuso wrote:
> On Mon, Aug 21, 2017 at 10:23:44AM +0200, Pablo Neira Ayuso wrote:
> > On Sat, Aug 19, 2017 at 05:24:07PM +0200, Eric Leblond wrote:
> > > Signed-off-by: Eric Leblond <eric@regit.org>
> > > ---
> > >  include/nftables/nftables.h |  3 +++
> > >  src/libnftables.c           | 26 +++++++++++++++++++++++++-
> > >  src/main.c                  | 19 ++++++++-----------
> > >  3 files changed, 36 insertions(+), 12 deletions(-)
> > > 
> > > diff --git a/include/nftables/nftables.h
> > > b/include/nftables/nftables.h
> > > index cfa60fe..63150ba 100644
> > > --- a/include/nftables/nftables.h
> > > +++ b/include/nftables/nftables.h
> > > @@ -20,4 +20,7 @@ void nft_global_deinit(void);
> > >  struct nft_ctx *nft_context_new(void);
> > >  void nft_context_free(struct nft_ctx *nft);
> > >  
> > > +int nft_run_command_from_buffer(struct nft_ctx *nft, struct
> > > nft_cache *cache,
> > > +				char *buf, size_t buflen);
> > 
> > Can we probably have something like:
> > 
> > nft_import_from_buffer(ctx, ...)
> > nft_import_from_file(ctx, ...)
> > 
> > That initializes the context structure. Then, a generic:
> > 
> > nft_run(ctx)
> > 
> > I suggest you make a patch to add these to nftables in first place.
> > I mean, just send a patch that adds these functions as static to
> > src/main.c to start with it. Just as a cleanup to prepare thing, we
> > can integrate this asap meanwhile we keep discussing library
> > details,
> > so we reduce the size/burden of your patchset as we iterate over
> > it.
> > To integrate things more quickly.
> 
> Actually, every nft_import_xyz() would just provide the batch support
> we need, ie. it should be possible to call nft_import_xyz() several
> times before we call nft_run().
> 
> The nft_import_xyz() calls would do the scanner, parsing and
> evaluation phases.
> 
> The nft_run(nlsock, ...) would just push this into the kernel - so
> this function would be wrapping the netlink layer handling...

I like the idea of hiding the batch inside the nft_import function. But I
still don't like the idea of having the user handle 2 things (nft_ctx
and netlink socket) to be able to send a simple command to the kernel.

I understand your problem with netlink handling. What I would suggest
is to add a flag to the nft_context_new function so the user can specify
"I'm handling the nf socket".

Then we can have something like

nft_commit(context, ...)

OR for advanced users:

nft_run(nf_sock, context, ...) 

I don't like the naming but I think you get the idea.

> I would say this nft_run() becomes nft_compile() instead and we take
> the underneath netlink codebase to do the handling away from this...
> 
> Otherwise, we will have to add branches to deal with non-blocking IO.
> 
> Then, at some point, it starts looking like libnl... and that is not
> good ;-)
> 
> I can help with preparation patches, let's just agree on what needs
> to
> be done so we don't overlap each other.

OK sure, I'm busy at work and I'm gonna answer your other mails
tonight, and then come back to you to see how we can share the load.

++
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/


* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-21  9:06       ` Eric Leblond
@ 2017-08-21  9:44         ` Pablo Neira Ayuso
  2017-08-21 19:21           ` Eric Leblond
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-21  9:44 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Mon, Aug 21, 2017 at 11:06:19AM +0200, Eric Leblond wrote:
> Hi,
> 
> On Mon, 2017-08-21 at 10:45 +0200, Pablo Neira Ayuso wrote:
> > On Mon, Aug 21, 2017 at 10:23:44AM +0200, Pablo Neira Ayuso wrote:
> > > On Sat, Aug 19, 2017 at 05:24:07PM +0200, Eric Leblond wrote:
> > > > Signed-off-by: Eric Leblond <eric@regit.org>
> > > > ---
> > > >  include/nftables/nftables.h |  3 +++
> > > >  src/libnftables.c           | 26 +++++++++++++++++++++++++-
> > > >  src/main.c                  | 19 ++++++++-----------
> > > >  3 files changed, 36 insertions(+), 12 deletions(-)
> > > > 
> > > > diff --git a/include/nftables/nftables.h
> > > > b/include/nftables/nftables.h
> > > > index cfa60fe..63150ba 100644
> > > > --- a/include/nftables/nftables.h
> > > > +++ b/include/nftables/nftables.h
> > > > @@ -20,4 +20,7 @@ void nft_global_deinit(void);
> > > >  struct nft_ctx *nft_context_new(void);
> > > >  void nft_context_free(struct nft_ctx *nft);
> > > >  
> > > > +int nft_run_command_from_buffer(struct nft_ctx *nft, struct
> > > > nft_cache *cache,
> > > > +				char *buf, size_t buflen);
> > > 
> > > Can we probably have something like:
> > > 
> > > nft_import_from_buffer(ctx, ...)
> > > nft_import_from_file(ctx, ...)
> > > 
> > > That initializes the context structure. Then, a generic:
> > > 
> > > nft_run(ctx)
> > > 
> > > I suggest you make a patch to add these to nftables in first place.
> > > I mean, just send a patch that adds these functions as static to
> > > src/main.c to start with it. Just as a cleanup to prepare thing, we
> > > can integrate this asap meanwhile we keep discussing library
> > > details,
> > > so we reduce the size/burden of your patchset as we iterate over
> > > it.
> > > To integrate things more quickly.
> > 
> > Actually, every nft_import_xyz() would just provide the batch support
> > we need, ie. it should be possible to call nft_import_xyz() several
> > times before we call nft_run().
> > 
> > The nft_import_xyz() calls would do the scanner, parsing and
> > evaluation phases.
> > 
> > The nft_run(nlsock, ...) would just push this into the kernel - so
> > this function would be wrapping the netlink layer handling...
> 
> I like the idea of hiding the batch inside the nft_import function. But I
> still don't like the idea of having the user handle 2 things (nft_ctx
> and netlink socket) to be able to send a simple command to the kernel.
> 
> I understand your problem with netlink handling. What I would suggest
> is to add a flag to the nft_context_new function so the user can specify
> "I'm handling the nf socket".
>
> Then we can have something like
> 
> nft_commit(context, ...)
> 
> OR for advanced users:
> 
> nft_run(nf_sock, context, ...) 
> 
> I don't like the naming but I think you get the idea.

I'm fine if you want to provide a 'shortcut' function that does it all
in one go, but it should be a composite of the _advanced functions_.

In a nutshell: we provide a simple API for people that don't want to
deal with IO at all, that's good. Then, an API that allows people to
deal with IO themselves - advanced stuff. Simple API functions would
be made of composites of the advanced ones.

Every time I see IO hiding underneath layers of abstractions, it just
means problems. In terms of maintenance, you end up with a complex
codebase with lots of switches/toggles that users can turn on and off,
then the library code needs to handle all of those combinations...

If the IO logic is placed on the client side for advanced stuff, we
simply don't have to maintain all that complexity. At least, until it
is proven that some specific IO handling is good enough to be
generalized to be placed in the library.

So we expose a simple API that does it all in one shot for people that
don't care about netlink, but you have to promise me it will always
stay simple forever. No room to extend the _simple API_ with
flags/knobs that users can turn on/off to slightly change the
behaviour in some aspect, OK? :-)


* Re: [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk
  2017-08-21  8:10   ` Pablo Neira Ayuso
@ 2017-08-21 19:01     ` Eric Leblond
  2017-08-24 15:13       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-21 19:01 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Mon, 2017-08-21 at 10:10 +0200, Pablo Neira Ayuso wrote:
> Hi Eric,
> 
> On Sat, Aug 19, 2017 at 05:24:03PM +0200, Eric Leblond wrote:
> > If one of the commands is failing we should return an error.
> 
> Is this fixing up a real issue or it is something you need in a
> follow
> up patch?

Not really for current users of the function. But I think it is an
issue, as the result of the function is success even when it fails.

BR,
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/


* Re: [PATH nft v2 08/18] libnftables: add missing variables to library
  2017-08-21  8:27   ` Pablo Neira Ayuso
@ 2017-08-21 19:04     ` Eric Leblond
  0 siblings, 0 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-21 19:04 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hello,

On Mon, 2017-08-21 at 10:27 +0200, Pablo Neira Ayuso wrote:
> On Sat, Aug 19, 2017 at 05:24:10PM +0200, Eric Leblond wrote:
> > This patch also avoids double definition of global vars.
> > 
> > Signed-off-by: Eric Leblond <eric@regit.org>
> > ---
> >  src/libnftables.c | 2 ++
> >  src/main.c        | 6 ------
> >  2 files changed, 2 insertions(+), 6 deletions(-)
> > 
> > diff --git a/src/libnftables.c b/src/libnftables.c
> > index 446ec1e..28f9272 100644
> > --- a/src/libnftables.c
> > +++ b/src/libnftables.c
> > @@ -33,6 +33,8 @@ unsigned int handle_output;
> >  unsigned int debug_level;
> >  #endif
> >  
> > +const char *include_paths[INCLUDE_PATHS_MAX] = {
> > DEFAULT_INCLUDE_PATH };
> 
> Would you send an initial patch to place this in nft_ctx?
> 
> Otherwise, we can probably tell Varsha - Outreachy to do this for
> you.

I'm really fine with Varsha taking it!

> 
> >  void nft_global_init(void)
> >  {
> >  	mark_table_init();
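Review bot: `include_paths` becomes a mutable, fixed-size (INCLUDE_PATHS_MAX) process-wide array owned by the library, so two contexts in one process cannot use different include paths and concurrent use is not safe. As suggested above, it belongs in struct nft_ctx, which would also give the library one natural place to validate the paths a caller supplies.
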
> > diff --git a/src/main.c b/src/main.c
> > index 9b4e450..7ab01b7 100644
> > --- a/src/main.c
> > +++ b/src/main.c
> > @@ -29,12 +29,6 @@
> >  #include <iface.h>
> >  #include <cli.h>
> >  
> > -unsigned int max_errors = 10;
> > -#ifdef DEBUG
> > -unsigned int debug_level;
> > -#endif
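Review bot: the diffstat shows only 2 insertions in src/libnftables.c, yet this hunk removes `max_errors` and `debug_level` from src/main.c, so they must already be defined in the library by an earlier patch of the series; fold this deletion into that patch rather than leaving an intermediate commit with two definitions of each symbol.
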
> 
> These are being removed here, so I guess this is a leftover from
> previous patch.
> 
> Anyway, I think these are candidates for the ctx object too, let me
> have a look if I can send you a quick patch to sort out this.

OK perfect.

BR,
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/


* Re: [PATH nft v2 15/18] libnftables: set max_errors to 1 in library
  2017-08-21  8:37   ` Pablo Neira Ayuso
@ 2017-08-21 19:12     ` Eric Leblond
  2017-08-22 15:04       ` Phil Sutter
  2017-08-24 16:02       ` Pablo Neira Ayuso
  0 siblings, 2 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-21 19:12 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Mon, 2017-08-21 at 10:37 +0200, Pablo Neira Ayuso wrote:
> On Sat, Aug 19, 2017 at 05:24:17PM +0200, Eric Leblond wrote:
> > As memory handling is deficient if we don't do so, we can't really
> > use a non 1 value for the parameter in the library due to memory
> > leak.
> > 
> > Also this is not a real issue as programmatically a user of the
> > library should only encounter one error at a time.
> > 
> > This patch also introduces a function that can be used to modify
> > the max_errors parameter. It is used in main to keep the existing
> > behavior.
> > 
> > Signed-off-by: Eric Leblond <eric@regit.org>
> > ---
> >  include/nftables/nftables.h | 1 +
> >  src/libnftables.c           | 8 +++++++-
> >  src/main.c                  | 1 +
> >  3 files changed, 9 insertions(+), 1 deletion(-)
> > 
> > diff --git a/include/nftables/nftables.h
> > b/include/nftables/nftables.h
> > index 2ddb38a..f419884 100644
> > --- a/include/nftables/nftables.h
> > +++ b/include/nftables/nftables.h
> > @@ -22,6 +22,7 @@ enum nftables_exit_codes {
> >  };
> >  
> >  void nft_global_init(void);
> > +int nft_global_set_max_errors(unsigned int errors);
> >  void nft_global_deinit(void);
> >  
> >  struct nft_ctx *nft_context_new(void);
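Review bot: `nft_global_set_max_errors` returns int but neither the header nor the commit message says what it can fail with; document the return value, or make it void if a bad count is simply clamped. Being process-global rather than a field of nft_ctx, it also lets one library user in a process silently change another's error reporting; the ctx object discussed elsewhere in this thread is the right home for it.
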
> > diff --git a/src/libnftables.c b/src/libnftables.c
> > index 61ed4e5..15345ae 100644
> > --- a/src/libnftables.c
> > +++ b/src/libnftables.c
> > @@ -25,7 +25,7 @@
> >  #include <fcntl.h>
> >  
> >  
> > -unsigned int max_errors = 10;
> > +unsigned int max_errors = 1;
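Review bot: the commit message justifies this hunk with a memory leak in the parser's continue-after-error path, but setting the default to 1 only avoids entering that path; any caller that raises the limit again through nft_global_set_max_errors (main.c does, per the message) hits the same leak. Treat the leak as the bug and leave the default alone, or at least state in the message that the leak is still open.
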
> 
> This is defeating all the work I've done - both in netlink and in
> userspace - in the past to allow printing several errors in one go.
> So
> you likely understand I'm reticent to take this as is :-)

For sure, I was just trying to get you excited so you decide to cook a
patch fixing this :P

> I remember you mentioned there's a problem with memory in the parser.
> I would like to help fix this; I'd appreciate it if you can describe the
> problem so we can address it here.

Here is my understanding: the max_errors system is causing the parser
to continue instead of failing or finishing. As a result the internal
memory releasing functions of bison are not called due to the
intermediate state. At the end, in the case of a task with n errors, all
states 0 ... n-1 are left unfreed when the parsing is finished.

BR,
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/


* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-21  9:44         ` Pablo Neira Ayuso
@ 2017-08-21 19:21           ` Eric Leblond
  2017-08-22 12:37             ` Pablo Neira Ayuso
  0 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-21 19:21 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Mon, 2017-08-21 at 11:44 +0200, Pablo Neira Ayuso wrote:
> On Mon, Aug 21, 2017 at 11:06:19AM +0200, Eric Leblond wrote:
> > Hi,
> > 
> > On Mon, 2017-08-21 at 10:45 +0200, Pablo Neira Ayuso wrote:
> > > On Mon, Aug 21, 2017 at 10:23:44AM +0200, Pablo Neira Ayuso
> > > wrote:
> > > > On Sat, Aug 19, 2017 at 05:24:07PM +0200, Eric Leblond wrote:
> > > > > Signed-off-by: Eric Leblond <eric@regit.org>
> > > > > ---
> > > > >  include/nftables/nftables.h |  3 +++
> > > > >  src/libnftables.c           | 26 +++++++++++++++++++++++++-
> > > > >  src/main.c                  | 19 ++++++++-----------
> > > > >  3 files changed, 36 insertions(+), 12 deletions(-)
> > > > > 
> > > > > diff --git a/include/nftables/nftables.h
> > > > > b/include/nftables/nftables.h
> > > > > index cfa60fe..63150ba 100644
> > > > > --- a/include/nftables/nftables.h
> > > > > +++ b/include/nftables/nftables.h
> > > > > @@ -20,4 +20,7 @@ void nft_global_deinit(void);
> > > > >  struct nft_ctx *nft_context_new(void);
> > > > >  void nft_context_free(struct nft_ctx *nft);
> > > > >  
> > > > > +int nft_run_command_from_buffer(struct nft_ctx *nft, struct
> > > > > nft_cache *cache,
> > > > > +				char *buf, size_t buflen);
> > > > 
> > > > Can we probably have something like:
> > > > 
> > > > nft_import_from_buffer(ctx, ...)
> > > > nft_import_from_file(ctx, ...)
> > > > 
> > > > That initializes the context structure. Then, a generic:
> > > > 
> > > > nft_run(ctx)
> > > > 
> > > > I suggest you make a patch to add these to nftables in first
> > > > place.
> > > > I mean, just send a patch that adds these functions as static
> > > > to
> > > > src/main.c to start with it. Just as a cleanup to prepare
> > > > thing, we
> > > > can integrate this asap meanwhile we keep discussing library
> > > > details,
> > > > so we reduce the size/burden of your patchset as we iterate
> > > > over
> > > > it.
> > > > To integrate things more quickly.
> > > 
> > > Actually, every nft_import_xyz() would just provide the batch
> > > support
> > > we need, ie. it should be possible to call nft_import_xyz()
> > > several
> > > times before we call nft_run().
> > > 
> > > The nft_import_xyz() calls would do the scanner, parsing and
> > > evaluation phases.
> > > 
> > > The nft_run(nlsock, ...) would just push this into the kernel -
> > > so
> > > this function would be wrapping the netlink layer handling...
> > 
> > I like the idea of hiding the batch inside the nft_import function. But I
> > still don't like the idea of having the user handle 2 things
> > (nft_ctx
> > and netlink socket) to be able to send a simple command to the
> > kernel.
> > 
> > I understand your problem with netlink handling. What I would
> > suggest
> > is to add a flag to the nft_context_new function so the user can specify
> > "I'm
> > handling the nf socket".
> > 
> > Then we can have something like
> > 
> > nft_commit(context, ...)
> > 
> > OR for advanced users:
> > 
> > nft_run(nf_sock, context, ...) 
> > 
> > I don't like the naming but I think you get the idea.
> 
> I'm fine if you want to provide a 'shortcut' function that does it
> all
> in one go, but it should be a composite of the _advanced functions_.
> 
> In a nutshell: we provide a simple API for people that don't want to
> deal with IO at all, that's good. Then, an API that allows people to
> deal with IO themselves - advanced stuff. Simple API functions would
> be made of composites of the advanced ones.

OK, I'm good with this approach and it will please the "I'm afraid of
netlink" club ;)

> Every time I see IO hiding underneath layers of abstractions, it just
> means problems. In terms of maintenance, you end up with a complex
> codebase with lots of switches/toggles that users can turn on and
> off,
> then the library code needs to handle all of those combinations...
> 
> If the IO logic is placed on the side of client for advanced stuff,
> we
> simply don't have to maintain all that complexity. At least, until it
> is proven that some specific IO handling is good enough to be
> generalized to be placed in the library.
> 
> So we expose a simple API that does it all in one shot for people
> that
> don't care about netlink, but you have to promise me it will always
> stay simple forever. No room to extend the _simple API_ with
> flags/knobs that users can turn on/off to slightly change the
> behaviour in some aspect, OK? :-)

I think we can all have as a guideline for libnftables that all
advanced things are going to the advanced functions. The simple
functions must provide something appealing in terms of features but have
to remain really simple.

This makes me think I still don't know how to deal with sets. I'm not
planning to work on it but I think it is a feature that should be
available in the simple functions. But we are dealing with possibly
complex objects so this can be really messy.

BR,
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/


* Re: [PATCH nft v2 00/18] introducing libnftables
  2017-08-21  8:55 ` [PATCH nft v2 00/18] introducing libnftables Pablo Neira Ayuso
@ 2017-08-21 21:42   ` Eric Leblond
  2017-08-22 17:30     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-21 21:42 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, Florian Westphal

Hi,

On Mon, 2017-08-21 at 10:55 +0200, Pablo Neira Ayuso wrote:
> Hi Eric,
> 
> First off, I appreciate the time you took to work on this.

Thanks :)
> 
> On Sat, Aug 19, 2017 at 05:24:02PM +0200, Eric Leblond wrote:
> > 
> > Hello,
> > 
> > This patchset is the second version of libnftables introduction
> > patchset.
> > It addresses some remarks by Phil Sutter. Other remarks as said on
> > the ML
> > are in fact TODO points that can be addressed later.
> > 
> > This patchset also fixes issues with error handling and adds
> > documentation
> > in doxygen format. An output is available here if you wanna have a
> > look:
> >  http://home.regit.org/~regit/libnftables/html/group__libnftables.h
> > tml
> 
> This is now a smaller patchset than the one that you posted in
> previous NFWS for nftables-0.5, so I think we're taking the right
> steps towards the library.

Yes, the preparation work that has been done combined with the fact I
had to rewrite everything did help to get something cleaner and
smaller.

> 
> > The first two patches are a bugfix and a helper function that is
> > needed
> > for the library:
> >  * [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk
> >  * [PATH nft v2 02/18] erec: add function to free list
> > 
> > As mentioned by Arturo, this is not meant to be added into nftables
> > v0.8 but
> > it is a good candidate for early introduction in the branch as soon
> > as the
> > v0.8 release is done. 
> > 
> > I did not manage to incorporate some suggestions done privately by
> > Pablo. For
> > instance there is an nf_sock in the struct nft_ctx. I did not
> > change any
> > existing internal so it is still possible to do it as incremental
> > patches.
> 
> I'd rather do it the other way around... Let's agree on what preparation
> patches need to get in, then submit a final patch to expose the
> library API and documentation.

I see possible issues. Let's take for instance the latest work by Florian
on tcpmss. It adds a new call to printf so this would be something to
rework. And my experience in redoing the work I already did for this
patchset is that it can be really painful. On the other side, the change
introduces some complexity and this would be painful to handle for
nothing if the library is not available.


> Please, we shouldn't assume no one is going to consider this API
> unstable once we push it upstream...

Well, being provocative I would say that if we add a define with the
version of the API that would be enough. And if we tag something
experimental, I won't feel guilty to change it later. If we claim it
stable that is another story and we have a responsibility.

> And I really don't know / I can't forecast what resources we will
> have
> here to work / fix things before this goes public... so the worst case is
> that we take X years to fix remaining issues...

Code needs to be fixed but libnftables is already useful even if
lacking the set handling. It would be sad not to use it relatively
fast.

++
-- 
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/


* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-21 19:21           ` Eric Leblond
@ 2017-08-22 12:37             ` Pablo Neira Ayuso
  2017-08-25 11:16               ` Eric Leblond
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-22 12:37 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Mon, Aug 21, 2017 at 09:21:06PM +0200, Eric Leblond wrote:
> On Mon, 2017-08-21 at 11:44 +0200, Pablo Neira Ayuso wrote:
> > On Mon, Aug 21, 2017 at 11:06:19AM +0200, Eric Leblond wrote:
[...]
> > In a nutshell: we provide a simple API for people that don't want to
> > deal with IO at all, that's good. Then, an API that allows people to
> > deal with IO themselves - advanced stuff. Simple API functions would
> > be made of composites of the advance ones.
> 
> OK, I'm good with this approach and it will please the "I'm afraid of
> netlink" club ;)

OK, so we agree on the API policy then.

[...]
> I think we can all have as a guideline for libnftables that all
> advanced things are going to the advanced functions. The simple
> functions must provide something appealing in terms of features but have
> to remain really simple.

Fine with it.

> This makes me think I still don't know how to deal with sets. I'm not
> planning to work on it but I think it is a feature that should be
> available in the simple functions. But we are dealing with possibly
> complex objects so this can be really messy.

What's your concern with sets?


* Re: [PATH nft v2 15/18] libnftables: set max_errors to 1 in library
  2017-08-21 19:12     ` Eric Leblond
@ 2017-08-22 15:04       ` Phil Sutter
  2017-08-24 16:02       ` Pablo Neira Ayuso
  1 sibling, 0 replies; 56+ messages in thread
From: Phil Sutter @ 2017-08-22 15:04 UTC (permalink / raw)
  To: Eric Leblond; +Cc: Pablo Neira Ayuso, netfilter-devel

Hi,

On Mon, Aug 21, 2017 at 09:12:49PM +0200, Eric Leblond wrote:
> On Mon, 2017-08-21 at 10:37 +0200, Pablo Neira Ayuso wrote:
> > On Sat, Aug 19, 2017 at 05:24:17PM +0200, Eric Leblond wrote:
[...]
> > I remember you mentioned there's a problem with memory in the parser.
> > I would like to help fix this; I'd appreciate it if you can describe the
> > problem so we can address it here.
> 
> Here it my understanding: the max_errors system is causing the parser
> to continue instead of failing or finishing. As a result the internal
> memory releasing functions of bison are not called due to the
> intermediate state. At the end, in case of task with n errors, all 0
> ... n-1 state are left unfreed when the parsing is finished.

I'm currently trying to reproduce the issue by calling 'nft -f' with a
rule set file containing a number of errors, but somehow valgrind
doesn't show differences between max_errors of 1 and 10. Do you have a
test case or some instructions on how to trigger the problem?

Thanks, Phil


* Re: [PATCH nft v2 00/18] introducing libnftables
  2017-08-21 21:42   ` Eric Leblond
@ 2017-08-22 17:30     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-22 17:30 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel, Florian Westphal

On Mon, Aug 21, 2017 at 11:42:45PM +0200, Eric Leblond wrote:
[...]
> I see possible issues. Let's take for instance latest work by Florian
> on tcpmss. It adds a new call to printf so this would be something to
> rework. And my experience in redoing the work I already did for this
> patchset is that it can be really painful.

That's why I'm asking you to please send incremental preparation patches
that we can quickly upstream, so everyone keeps flying fast... we
reduce chances of clashes/time wasted in rebases...

Or at least, if you're getting very upset with me :), then just help us
identify what needs to be fixed, as you did with the max_errors thing -
a major problem in my opinion, because it cripples multi-error
reporting...

Regarding API, my conclusion is:

* Let's get rid of the nft_init()/nft_deinit() functions and place
  this code in the nft context structure.

* Split scanner + parser + evaluation from netlink IO. Of course, you
  can provide a composite function that does it all as we agreed, for
  people that just want to save the fork()+exec().

You also mentioned a problem/open issue with sets that I still don't
understand.

There's also monitor mode that we need to integrate, or at least,
agree on how this is exposed.

There's a few more globals we can remove:

nftables$ git grep "^static.*;"
src/cli.c:static struct parser_state *state;
src/cli.c:static struct nft_ctx *cli_nft;
src/cli.c:static struct mnl_socket *cli_nf_sock;
src/cli.c:static void *scanner;
src/cli.c:static char histfile[PATH_MAX];
src/cli.c:static char *multiline;
src/cli.c:static bool eof;
src/ct.c:static struct symbol_table *ct_label_tbl;
src/datatype.c:static struct symbol_table *mark_tbl;
src/evaluate.c:static struct output_ctx octx_debug_dummy;
src/evaluate.c:static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr);
src/iface.c:static LIST_HEAD(iface_list);
src/iface.c:static bool iface_cache_init;
src/main.c:static struct nft_ctx nft;
src/mergesort.c:static int expr_msort_cmp(const struct expr *e1, const struct expr *e2);
src/meta.c:static struct symbol_table *realm_tbl;
src/meta.c:static struct symbol_table *devgroup_tbl;
src/mini-gmp.c:static void * (*gmp_allocate_func) (size_t) = gmp_default_alloc;
src/mini-gmp.c:static void * (*gmp_reallocate_func) (void *, size_t, size_t) = gmp_default_realloc;
src/mini-gmp.c:static void (*gmp_free_func) (void *, size_t) = gmp_default_free;
src/mnl.c:static uint16_t nft_genid;
src/mnl.c:static int nlbuffsiz;
src/netlink_delinearize.c:static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp);
src/rt.c:static struct symbol_table *realm_tbl;
src/rule.c:static uint32_t set_id;
src/scanner.l:static void scanner_pop_buffer(yyscan_t scanner);
src/segtree.c:static struct output_ctx debug_octx = {};

The library would also exit in case of OOM; probably we can change that so
the client deals with these errors. But this could be done later on, OK.

Anything else? :-)


* Re: [PATH nft v2 01/18] mnl: fix error handling in mnl_batch_talk
  2017-08-21 19:01     ` Eric Leblond
@ 2017-08-24 15:13       ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-24 15:13 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel


On Mon, Aug 21, 2017 at 09:01:55PM +0200, Eric Leblond wrote:
> Hi,
> 
> On Mon, 2017-08-21 at 10:10 +0200, Pablo Neira Ayuso wrote:
> > Hi Eric,
> > 
> > On Sat, Aug 19, 2017 at 05:24:03PM +0200, Eric Leblond wrote:
> > > If one of the command is failing we should return an error.
> > 
> > Is this fixing up a real issue or it is something you need in a
> > follow
> > up patch?
> 
> Not really for current users of the function. But I think it is an
> issue as the result of the function is success even when it fails.

Yes, this function should consistently return an error.

I'm attaching an amended patch; I think we can remove the explicit:

        ret = -1;

from nft_netlink().

I'll be applying what I'm attaching unless there is any concern.

[-- Attachment #2: 0001-mnl-fix-error-handling-in-mnl_batch_talk.patch --]
[-- Type: text/x-diff, Size: 2075 bytes --]

From 206fdb25b7b53c164700a8cd7d7e659e058ad881 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Thu, 24 Aug 2017 17:07:37 +0200
Subject: [PATCH] mnl: fix error handling in mnl_batch_talk

If one of the commands is failing we should return an error.

Pablo says: "This is not a real issue since nft_netlink() returns an
error in case the list of errors is not empty. But we can indeed
simplify things by removing that explicit assignment in nft_netlink() so
mnl_batch_talk() consistently reports if an error has happened."

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/main.c | 1 -
 src/mnl.c  | 7 +++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/main.c b/src/main.c
index 3519377b6e2c..c09d9f341b69 100644
--- a/src/main.c
+++ b/src/main.c
@@ -220,7 +220,6 @@ static int nft_netlink(struct nft_ctx *nft,
 				netlink_io_error(&ctx, &cmd->location,
 						 "Could not process rule: %s",
 						 strerror(err->err));
-				ret = -1;
 				errno = err->err;
 				if (err->seqnum == cmd->seqnum) {
 					mnl_err_list_free(err);
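Review bot: with the explicit `ret = -1;` gone, this error loop no longer influences nft_netlink()'s return value, so the function now depends entirely on `ret` having been assigned from mnl_batch_talk() before the loop (not visible in this hunk). Worth double-checking that nothing between that call and this loop reassigns `ret`, otherwise an error that only shows up in err_list would be reported as success.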
diff --git a/src/mnl.c b/src/mnl.c
index a770dc567d9f..69e24071b8f1 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -249,6 +249,7 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
 		.tv_sec		= 0,
 		.tv_usec	= 0
 	};
+	int err = 0;
 
 	ret = mnl_nft_socket_sendmsg(ctx);
 	if (ret == -1)
@@ -271,8 +272,10 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
 
 		ret = mnl_cb_run(rcv_buf, ret, 0, portid, &netlink_echo_callback, ctx);
 		/* Continue on error, make sure we get all acknowledgments */
-		if (ret == -1)
+		if (ret == -1) {
 			mnl_err_list_node_add(err_list, errno, nlh->nlmsg_seq);
+			err = -1;
+		}
 
 		ret = select(fd+1, &readfds, NULL, NULL, &tv);
 		if (ret == -1)
@@ -281,7 +284,7 @@ int mnl_batch_talk(struct netlink_ctx *ctx, struct list_head *err_list)
 		FD_ZERO(&readfds);
 		FD_SET(fd, &readfds);
 	}
-	return ret;
+	return err;
 }
 
 int mnl_nft_rule_batch_add(struct nftnl_rule *nlr, struct nftnl_batch *batch,
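Review bot: `return err;` at the end of mnl_batch_talk() only reflects failures recorded by mnl_cb_run(); the other two early-exit paths (`ret = mnl_nft_socket_sendmsg(ctx); if (ret == -1)` and the `if (ret == -1)` after select()) have their bodies outside the hunks. If either of them breaks out of the loop instead of returning -1 directly, the function now returns 0 for that failure, so those branches should be confirmed to `return -1;` (or set `err = -1` as well).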
-- 
2.1.4



* Re: [PATH nft v2 04/18] libnftables: add context new and free
  2017-08-19 15:24 ` [PATH nft v2 04/18] libnftables: add context new and free Eric Leblond
  2017-08-21  8:17   ` Pablo Neira Ayuso
@ 2017-08-24 15:30   ` Pablo Neira Ayuso
  2017-08-25 11:22     ` Eric Leblond
  1 sibling, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-24 15:30 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel


I took over this patch and revamped it, so we can apply this asap.

Let me know if you have any concern,
Thanks.


On Sat, Aug 19, 2017 at 05:24:06PM +0200, Eric Leblond wrote:
> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  include/nftables.h          |  1 +
>  include/nftables/nftables.h |  3 +++
>  src/libnftables.c           | 20 ++++++++++++++++++++
>  src/main.c                  | 29 ++++++++++++++---------------
>  4 files changed, 38 insertions(+), 15 deletions(-)
> 
> diff --git a/include/nftables.h b/include/nftables.h
> index a457aba..717af37 100644
> --- a/include/nftables.h
> +++ b/include/nftables.h
> @@ -35,6 +35,7 @@ struct output_ctx {
>  struct nft_ctx {
>  	struct output_ctx	output;
>  	bool			check;
> +	struct mnl_socket	*nf_sock;
>  };
>  
>  struct nft_cache {
> diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> index 4ba16f0..cfa60fe 100644
> --- a/include/nftables/nftables.h
> +++ b/include/nftables/nftables.h
> @@ -17,4 +17,7 @@
>  void nft_global_init(void);
>  void nft_global_deinit(void);
>  
> +struct nft_ctx *nft_context_new(void);
> +void nft_context_free(struct nft_ctx *nft);
> +
>  #endif
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 215179a..6756c0f 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -51,3 +51,23 @@ void nft_global_deinit(void)
>  	realm_table_meta_exit();
>  	mark_table_exit();
>  }
> +
> +struct nft_ctx *nft_context_new(void)
> +{
> +	struct nft_ctx *ctx = NULL;
> +	ctx = calloc(1, sizeof(struct nft_ctx));
> +	if (ctx == NULL)
> +		return NULL;
> +	ctx->nf_sock = netlink_open_sock();
> +
> +	return ctx;
> +}
> +
> +
> +void nft_context_free(struct nft_ctx *nft)
> +{
> +	if (nft == NULL)
> +		return;
> +	netlink_close_sock(nft->nf_sock);
> +	xfree(nft);
> +}
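Review bot: nft_context_new() guards the calloc() result but stores the result of netlink_open_sock() without checking it, so if that call can fail (or exits the process on failure) a NULL nf_sock ends up in the context or the library aborts its host program; a library constructor should propagate that failure (free ctx, return NULL). The `= NULL` initialiser on `ctx` is also dead, since the next line overwrites it.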
> diff --git a/src/main.c b/src/main.c
> index dde3104..ee5566c 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -29,7 +29,6 @@
>  #include <iface.h>
>  #include <cli.h>
>  
> -static struct nft_ctx nft;
>  unsigned int max_errors = 10;
>  #ifdef DEBUG
>  unsigned int debug_level;
> @@ -283,13 +282,13 @@ int main(int argc, char * const *argv)
>  	unsigned int len;
>  	bool interactive = false;
>  	int i, val, rc = NFT_EXIT_SUCCESS;
> -	struct mnl_socket *nf_sock;
> +	struct nft_ctx *nft;
>  
>  	memset(&cache, 0, sizeof(cache));
>  	init_list_head(&cache.list);
>  
>  	nft_global_init();
> -	nf_sock = netlink_open_sock();
> +	nft = nft_context_new();
>  	while (1) {
>  		val = getopt_long(argc, argv, OPTSTRING, options, NULL);
>  		if (val == -1)
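Review bot: `nft = nft_context_new();` is not checked for NULL even though nft_context_new() returns NULL when calloc() fails, and the option handling that follows (`nft->check = true;`) dereferences it unconditionally. Add a NULL check right after the call that prints an error and exits with NFT_EXIT_FAILURE.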
> @@ -304,7 +303,7 @@ int main(int argc, char * const *argv)
>  			       PACKAGE_NAME, PACKAGE_VERSION, RELEASE_NAME);
>  			exit(NFT_EXIT_SUCCESS);
>  		case OPT_CHECK:
> -			nft.check = true;
> +			nft->check = true;
>  			break;
>  		case OPT_FILE:
>  			filename = optarg;
> @@ -322,7 +321,7 @@ int main(int argc, char * const *argv)
>  			include_paths[num_include_paths++] = optarg;
>  			break;
>  		case OPT_NUMERIC:
> -			if (++nft.output.numeric > NUMERIC_ALL) {
> +			if (++nft->output.numeric > NUMERIC_ALL) {
>  				fprintf(stderr, "Too many numeric options "
>  						"used, max. %u\n",
>  					NUMERIC_ALL);
> @@ -330,10 +329,10 @@ int main(int argc, char * const *argv)
>  			}
>  			break;
>  		case OPT_STATELESS:
> -			nft.output.stateless++;
> +			nft->output.stateless++;
>  			break;
>  		case OPT_IP2NAME:
> -			nft.output.ip2name++;
> +			nft->output.ip2name++;
>  			break;
>  #ifdef DEBUG
>  		case OPT_DEBUG:
> @@ -365,10 +364,10 @@ int main(int argc, char * const *argv)
>  			break;
>  #endif
>  		case OPT_HANDLE_OUTPUT:
> -			nft.output.handle++;
> +			nft->output.handle++;
>  			break;
>  		case OPT_ECHO:
> -			nft.output.echo++;
> +			nft->output.echo++;
>  			break;
>  		case OPT_INVALID:
>  			exit(NFT_EXIT_FAILURE);
> @@ -386,20 +385,20 @@ int main(int argc, char * const *argv)
>  				strcat(buf, " ");
>  		}
>  		strcat(buf, "\n");
> -		parser_init(nf_sock, &cache, &state, &msgs);
> +		parser_init(nft->nf_sock, &cache, &state, &msgs);
>  		scanner = scanner_init(&state);
>  		scanner_push_buffer(scanner, &indesc_cmdline, buf);
>  	} else if (filename != NULL) {
> -		rc = cache_update(nf_sock, &cache, CMD_INVALID, &msgs);
> +		rc = cache_update(nft->nf_sock, &cache, CMD_INVALID, &msgs);
>  		if (rc < 0)
>  			return rc;
>  
> -		parser_init(nf_sock, &cache, &state, &msgs);
> +		parser_init(nft->nf_sock, &cache, &state, &msgs);
>  		scanner = scanner_init(&state);
>  		if (scanner_read_file(scanner, filename, &internal_location) < 0)
>  			goto out;
>  	} else if (interactive) {
> -		if (cli_init(&nft, nf_sock, &cache, &state) < 0) {
> +		if (cli_init(nft, nft->nf_sock, &cache, &state) < 0) {
>  			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
>  				argv[0]);
>  			exit(NFT_EXIT_FAILURE);
> @@ -410,7 +409,7 @@ int main(int argc, char * const *argv)
>  		exit(NFT_EXIT_FAILURE);
>  	}
>  
> -	if (nft_run(&nft, nf_sock, &cache, scanner, &state, &msgs) != 0)
> +	if (nft_run(nft, nft->nf_sock, &cache, scanner, &state, &msgs) != 0)
>  		rc = NFT_EXIT_FAILURE;
>  out:
>  	scanner_destroy(scanner);
> @@ -418,7 +417,7 @@ out:
>  	xfree(buf);
>  	cache_release(&cache);
>  	iface_cache_release();
> -	netlink_close_sock(nf_sock);
> +	nft_context_free(nft);
>  	nft_global_deinit();
>  
>  	return rc;
> -- 
> 2.14.1
> 

[-- Attachment #2: 0001-src-add-nft_ctx_new-and-nft_ctx_free.patch --]
[-- Type: text/x-diff, Size: 5239 bytes --]

From 3dba6c6e2859efe5d0364b0299c510fb16d5faad Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Thu, 24 Aug 2017 17:23:03 +0200
Subject: [PATCH] src: add nft_ctx_new() and nft_ctx_free()

These new functions allow us to allocate and release the context
structure. This is going to be useful for libnftables.

Joint work with Pablo Neira.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/main.c | 64 ++++++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 39 insertions(+), 25 deletions(-)

diff --git a/src/main.c b/src/main.c
index c09d9f341b69..1b986ae4ed12 100644
--- a/src/main.c
+++ b/src/main.c
@@ -28,7 +28,7 @@
 #include <iface.h>
 #include <cli.h>
 
-static struct nft_ctx nft;
+static struct nft_ctx *nft;
 
 enum opt_vals {
 	OPT_HELP		= 'h',
@@ -281,11 +281,23 @@ void nft_exit(void)
 	mark_table_exit();
 }
 
-static void nft_ctx_init(struct nft_ctx *nft)
+static struct nft_ctx *nft_ctx_new(void)
 {
-	nft->include_paths[0]	= DEFAULT_INCLUDE_PATH;
-	nft->num_include_paths	= 1;
-	nft->parser_max_errors = 10;
+	struct nft_ctx *ctx;
+
+	ctx = xzalloc(sizeof(struct nft_ctx));
+
+	ctx->include_paths[0]	= DEFAULT_INCLUDE_PATH;
+	ctx->num_include_paths	= 1;
+	ctx->parser_max_errors	= 10;
+	init_list_head(&ctx->cache.list);
+
+	return ctx;
+}
+
+static void nft_ctx_free(const struct nft_ctx *ctx)
+{
+	xfree(ctx);
 }
 
 int main(int argc, char * const *argv)
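Review bot: nft_ctx_new() switches from the calloc()-and-return-NULL pattern of the original patch to xzalloc(), which aborts the process on allocation failure; for a function about to become a libnftables entry point that takes the OOM decision away from the client, so consider keeping the NULL return here. nft_ctx_free() taking `const struct nft_ctx *` works for xfree(), but the const will have to go as soon as it must release members of the context (the cache, for instance).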
@@ -299,10 +311,9 @@ int main(int argc, char * const *argv)
 	int i, val, rc = NFT_EXIT_SUCCESS;
 	struct mnl_socket *nf_sock;
 
-	init_list_head(&nft.cache.list);
-
 	nft_init();
-	nft_ctx_init(&nft);
+
+	nft = nft_ctx_new();
 
 	nf_sock = netlink_open_sock();
 	while (1) {
@@ -319,7 +330,7 @@ int main(int argc, char * const *argv)
 			       PACKAGE_NAME, PACKAGE_VERSION, RELEASE_NAME);
 			exit(NFT_EXIT_SUCCESS);
 		case OPT_CHECK:
-			nft.check = true;
+			nft->check = true;
 			break;
 		case OPT_FILE:
 			filename = optarg;
@@ -328,16 +339,16 @@ int main(int argc, char * const *argv)
 			interactive = true;
 			break;
 		case OPT_INCLUDEPATH:
-			if (nft.num_include_paths >= INCLUDE_PATHS_MAX) {
+			if (nft->num_include_paths >= INCLUDE_PATHS_MAX) {
 				fprintf(stderr, "Too many include paths "
 						"specified, max. %u\n",
 					INCLUDE_PATHS_MAX - 1);
 				exit(NFT_EXIT_FAILURE);
 			}
-			nft.include_paths[nft.num_include_paths++] = optarg;
+			nft->include_paths[nft->num_include_paths++] = optarg;
 			break;
 		case OPT_NUMERIC:
-			if (++nft.output.numeric > NUMERIC_ALL) {
+			if (++nft->output.numeric > NUMERIC_ALL) {
 				fprintf(stderr, "Too many numeric options "
 						"used, max. %u\n",
 					NUMERIC_ALL);
@@ -345,10 +356,10 @@ int main(int argc, char * const *argv)
 			}
 			break;
 		case OPT_STATELESS:
-			nft.output.stateless++;
+			nft->output.stateless++;
 			break;
 		case OPT_IP2NAME:
-			nft.output.ip2name++;
+			nft->output.ip2name++;
 			break;
 		case OPT_DEBUG:
 			for (;;) {
@@ -362,7 +373,7 @@ int main(int argc, char * const *argv)
 				for (i = 0; i < array_size(debug_param); i++) {
 					if (strcmp(debug_param[i].name, optarg))
 						continue;
-					nft.debug_mask |= debug_param[i].level;
+					nft->debug_mask |= debug_param[i].level;
 					break;
 				}
 
@@ -378,10 +389,10 @@ int main(int argc, char * const *argv)
 			}
 			break;
 		case OPT_HANDLE_OUTPUT:
-			nft.output.handle++;
+			nft->output.handle++;
 			break;
 		case OPT_ECHO:
-			nft.output.echo++;
+			nft->output.echo++;
 			break;
 		case OPT_INVALID:
 			exit(NFT_EXIT_FAILURE);
@@ -399,21 +410,23 @@ int main(int argc, char * const *argv)
 				strcat(buf, " ");
 		}
 		strcat(buf, "\n");
-		parser_init(nf_sock, &nft.cache, &state, &msgs, nft.debug_mask);
+		parser_init(nf_sock, &nft->cache, &state, &msgs,
+			    nft->debug_mask);
 		scanner = scanner_init(&state);
 		scanner_push_buffer(scanner, &indesc_cmdline, buf);
 	} else if (filename != NULL) {
-		rc = cache_update(nf_sock, &nft.cache, CMD_INVALID, &msgs,
-				  nft.debug_mask);
+		rc = cache_update(nf_sock, &nft->cache, CMD_INVALID, &msgs,
+				  nft->debug_mask);
 		if (rc < 0)
 			return rc;
 
-		parser_init(nf_sock, &nft.cache, &state, &msgs, nft.debug_mask);
+		parser_init(nf_sock, &nft->cache, &state, &msgs,
+			    nft->debug_mask);
 		scanner = scanner_init(&state);
 		if (scanner_read_file(scanner, filename, &internal_location) < 0)
 			goto out;
 	} else if (interactive) {
-		if (cli_init(&nft, nf_sock, &state) < 0) {
+		if (cli_init(nft, nf_sock, &state) < 0) {
 			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
 				argv[0]);
 			exit(NFT_EXIT_FAILURE);
@@ -424,15 +437,16 @@ int main(int argc, char * const *argv)
 		exit(NFT_EXIT_FAILURE);
 	}
 
-	if (nft_run(&nft, nf_sock, scanner, &state, &msgs) != 0)
+	if (nft_run(nft, nf_sock, scanner, &state, &msgs) != 0)
 		rc = NFT_EXIT_FAILURE;
 out:
 	scanner_destroy(scanner);
-	erec_print_list(stderr, &msgs, nft.debug_mask);
+	erec_print_list(stderr, &msgs, nft->debug_mask);
 	xfree(buf);
-	cache_release(&nft.cache);
+	cache_release(&nft->cache);
 	iface_cache_release();
 	netlink_close_sock(nf_sock);
+	nft_ctx_free(nft);
 	nft_exit();
 
 	return rc;
-- 
2.1.4



* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-19 15:24 ` [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer Eric Leblond
  2017-08-21  8:23   ` Pablo Neira Ayuso
@ 2017-08-24 15:49   ` Pablo Neira Ayuso
  2017-08-25 11:26     ` Eric Leblond
  1 sibling, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-24 15:49 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel


Attaching a revamped version; it collapses your patches 5 and 6.

We still have to agree on what to do with the netlink socket. I know
you don't want to open it from the client side.

The only way I find to do this is to - yick - add a flag to
nft_ctx_new().

[-- Attachment #2: 0001-src-add-nft_run_cmd_-functions.patch --]
[-- Type: text/x-diff, Size: 3469 bytes --]

From d9583a782e96d4c2310c00b4cb6a511b2bd99471 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Thu, 24 Aug 2017 17:46:01 +0200
Subject: [PATCH] src: add nft_run_cmd_*() functions

Add new functions to read nftables commands from a file and from a buffer,
which we can expose as a library.

Joint work with Pablo Neira.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/main.c | 74 +++++++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 54 insertions(+), 20 deletions(-)

diff --git a/src/main.c b/src/main.c
index 1b986ae4ed12..0cad4d2412e8 100644
--- a/src/main.c
+++ b/src/main.c
@@ -300,6 +300,58 @@ static void nft_ctx_free(const struct nft_ctx *ctx)
 	xfree(ctx);
 }
 
+static int nft_run_cmd_from_buffer(struct nft_ctx *nft,
+				   struct mnl_socket *nf_sock,
+				   char *buf, size_t buflen)
+{
+	int rc = NFT_EXIT_SUCCESS;
+	struct parser_state state;
+	LIST_HEAD(msgs);
+	void *scanner;
+
+	parser_init(nf_sock, &nft->cache, &state, &msgs, nft->debug_mask);
+	scanner = scanner_init(&state);
+	scanner_push_buffer(scanner, &indesc_cmdline, buf);
+
+	if (nft_run(nft, nf_sock, scanner, &state, &msgs) != 0)
+		rc = NFT_EXIT_FAILURE;
+
+	scanner_destroy(scanner);
+	erec_print_list(stderr, &msgs, nft->debug_mask);
+	cache_release(&nft->cache);
+
+	return rc;
+}
+
+static int nft_run_cmd_from_filename(struct nft_ctx *nft,
+				     struct mnl_socket *nf_sock,
+				     const char *filename)
+{
+	struct parser_state state;
+	LIST_HEAD(msgs);
+	void *scanner;
+	int rc;
+
+	rc = cache_update(nf_sock, &nft->cache, CMD_INVALID, &msgs,
+			  nft->debug_mask);
+	if (rc < 0)
+		return NFT_EXIT_FAILURE;
+
+	parser_init(nf_sock, &nft->cache, &state, &msgs, nft->debug_mask);
+	scanner = scanner_init(&state);
+	if (scanner_read_file(scanner, filename, &internal_location) < 0)
+		goto err;
+
+	if (nft_run(nft, nf_sock, scanner, &state, &msgs) != 0)
+		rc = NFT_EXIT_FAILURE;
+err:
+	scanner_destroy(scanner);
+	erec_print_list(stderr, &msgs, nft->debug_mask);
+	cache_release(&nft->cache);
+
+	return rc;
+}
+
 int main(int argc, char * const *argv)
 {
 	struct parser_state state;
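Review bot: in nft_run_cmd_from_filename(), the `goto err;` after a failed scanner_read_file() leaves `rc` holding cache_update()'s non-negative return value, so an unreadable file is reported as NFT_EXIT_SUCCESS to the caller (the error messages are printed, but the return code is wrong); set `rc = NFT_EXIT_FAILURE;` before the jump. In nft_run_cmd_from_buffer() the `buflen` parameter is never used, since scanner_push_buffer() only takes `buf`; either drop it or pass it through.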
@@ -410,21 +462,9 @@ int main(int argc, char * const *argv)
 				strcat(buf, " ");
 		}
 		strcat(buf, "\n");
-		parser_init(nf_sock, &nft->cache, &state, &msgs,
-			    nft->debug_mask);
-		scanner = scanner_init(&state);
-		scanner_push_buffer(scanner, &indesc_cmdline, buf);
+		rc = nft_run_cmd_from_buffer(nft, nf_sock, buf, len + 2);
 	} else if (filename != NULL) {
-		rc = cache_update(nf_sock, &nft->cache, CMD_INVALID, &msgs,
-				  nft->debug_mask);
-		if (rc < 0)
-			return rc;
-
-		parser_init(nf_sock, &nft->cache, &state, &msgs,
-			    nft->debug_mask);
-		scanner = scanner_init(&state);
-		if (scanner_read_file(scanner, filename, &internal_location) < 0)
-			goto out;
+		rc = nft_run_cmd_from_filename(nft, nf_sock, filename);
 	} else if (interactive) {
 		if (cli_init(nft, nf_sock, &state) < 0) {
 			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
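Review bot: `rc = nft_run_cmd_from_buffer(nft, nf_sock, buf, len + 2);` passes a length that nothing in the callee consumes, and `len + 2` encodes the buffer's allocation size computed elsewhere in main(); if the parameter stays, a short comment on where the +2 comes from would help, otherwise drop the argument.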
@@ -437,13 +477,7 @@ int main(int argc, char * const *argv)
 		exit(NFT_EXIT_FAILURE);
 	}
 
-	if (nft_run(nft, nf_sock, scanner, &state, &msgs) != 0)
-		rc = NFT_EXIT_FAILURE;
-out:
-	scanner_destroy(scanner);
-	erec_print_list(stderr, &msgs, nft->debug_mask);
 	xfree(buf);
-	cache_release(&nft->cache);
 	iface_cache_release();
 	netlink_close_sock(nf_sock);
 	nft_ctx_free(nft);
-- 
2.1.4



* Re: [PATH nft v2 11/18] libnftables: move iface_cache_release to deinit
  2017-08-19 15:24 ` [PATH nft v2 11/18] libnftables: move iface_cache_release to deinit Eric Leblond
  2017-08-21  8:33   ` Pablo Neira Ayuso
@ 2017-08-24 15:55   ` Pablo Neira Ayuso
  1 sibling, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-24 15:55 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel


Attaching a revamped version of this too.

[-- Attachment #2: 0001-src-release-caches-from-nft_ctx_free-path.patch --]
[-- Type: text/x-diff, Size: 1438 bytes --]

From 46aa88ed029b28ec15f26adddb3707148906a535 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Thu, 24 Aug 2017 17:52:26 +0200
Subject: [PATCH] src: release caches from nft_ctx_free() path

Release existing caches from nft_ctx_free(). Still, it would be good to
place the iface cache in the nft_ctx structure.

Joint work with Pablo Neira.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/main.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/main.c b/src/main.c
index 0cad4d2412e8..08296a6b57dc 100644
--- a/src/main.c
+++ b/src/main.c
@@ -297,6 +297,8 @@ static struct nft_ctx *nft_ctx_new(void)
 
 static void nft_ctx_free(const struct nft_ctx *ctx)
 {
+	iface_cache_release();
+	cache_release(&nft->cache);
 	xfree(ctx);
 }
 
@@ -318,7 +320,6 @@ static int nft_run_cmd_from_buffer(struct nft_ctx *nft,
 
 	scanner_destroy(scanner);
 	erec_print_list(stderr, &msgs, nft->debug_mask);
-	cache_release(&nft->cache);
 
 	return rc;
 }
@@ -347,7 +348,6 @@ static int nft_run_cmd_from_filename(struct nft_ctx *nft,
 err:
 	scanner_destroy(scanner);
 	erec_print_list(stderr, &msgs, nft->debug_mask);
-	cache_release(&nft->cache);
 
 	return rc;
 }
@@ -478,7 +478,6 @@ int main(int argc, char * const *argv)
 	}
 
 	xfree(buf);
-	iface_cache_release();
 	netlink_close_sock(nf_sock);
 	nft_ctx_free(nft);
 	nft_exit();
-- 
2.1.4



* Re: [PATH nft v2 15/18] libnftables: set max_errors to 1 in library
  2017-08-21 19:12     ` Eric Leblond
  2017-08-22 15:04       ` Phil Sutter
@ 2017-08-24 16:02       ` Pablo Neira Ayuso
  2017-08-25 11:37         ` Eric Leblond
  1 sibling, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-24 16:02 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel


On Mon, Aug 21, 2017 at 09:12:49PM +0200, Eric Leblond wrote:
[...]
> On Mon, 2017-08-21 at 10:37 +0200, Pablo Neira Ayuso wrote:
[...]
> > > diff --git a/src/libnftables.c b/src/libnftables.c
> > > index 61ed4e5..15345ae 100644
> > > --- a/src/libnftables.c
> > > +++ b/src/libnftables.c
> > > @@ -25,7 +25,7 @@
> > >  #include <fcntl.h>
> > >  
> > >  
> > > -unsigned int max_errors = 10;
> > > +unsigned int max_errors = 1;
> > 
> > This is defeating all the work I've done - both in netlink and in
> > userspace - in the past to allow printing several errors in one go.
> > So
> > you likely understand I'm reticent to take this as is :-)
> 
> For sure, I was just trying to get you excited so you decide to cook a
> patch fixing this :P

Not sure it's excitement exactly what I'm feeling here... but I'm
trying to help, believe it or not... ;-)

I'm placing the nft_global_init() and nft_global_deinit() into
nft_ctx_new() and nft_ctx_free() as we've been discussing.

I'm going to stop here for a while. There are still a few pending
issues, and I would like us not to release anything until we discuss
all concerns.

You mentioned some set issues, please let us know. I also want to
think about what you would need for the simple API in the exportation and
monitor cases.

Thanks.

[-- Attachment #2: 0001-src-call-nft_init-and-nft_exit-from-context-routines.patch --]
[-- Type: text/x-diff, Size: 1632 bytes --]

From fc55891c99890a1ac65436d78b7b12cd5f63d57d Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 24 Aug 2017 17:56:38 +0200
Subject: [PATCH] src: call nft_init() and nft_exit() from context routines

So we don't forget all these caches should be placed into struct
nft_ctx.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/main.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/main.c b/src/main.c
index 08296a6b57dc..fd16f0145f6c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -259,7 +259,7 @@ err1:
 	return ret;
 }
 
-void nft_init(void)
+static void nft_init(void)
 {
 	mark_table_init();
 	realm_table_rt_init();
@@ -272,7 +272,7 @@ void nft_init(void)
 #endif
 }
 
-void nft_exit(void)
+static void nft_exit(void)
 {
 	ct_label_table_exit();
 	realm_table_rt_exit();
@@ -285,6 +285,7 @@ static struct nft_ctx *nft_ctx_new(void)
 {
 	struct nft_ctx *ctx;
 
+	nft_init();
 	ctx = xzalloc(sizeof(struct nft_ctx));
 
 	ctx->include_paths[0]	= DEFAULT_INCLUDE_PATH;
@@ -300,6 +301,7 @@ static void nft_ctx_free(const struct nft_ctx *ctx)
 	iface_cache_release();
 	cache_release(&nft->cache);
 	xfree(ctx);
+	nft_exit();
 }
 
 static int nft_run_cmd_from_buffer(struct nft_ctx *nft,
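Review bot: nft_init()/nft_exit() still manage process-wide symbol tables, so calling them from nft_ctx_new()/nft_ctx_free() means the second context created in a process re-initialises them and the first nft_ctx_free() tears them down under any remaining context; the commit message acknowledges these belong in struct nft_ctx, but until then a reference count around nft_init()/nft_exit() would keep multiple contexts safe. Note also that nft_exit() runs after `xfree(ctx);`, harmless today but a use-after-free the moment nft_exit() needs the context.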
@@ -363,8 +365,6 @@ int main(int argc, char * const *argv)
 	int i, val, rc = NFT_EXIT_SUCCESS;
 	struct mnl_socket *nf_sock;
 
-	nft_init();
-
 	nft = nft_ctx_new();
 
 	nf_sock = netlink_open_sock();
@@ -480,7 +480,6 @@ int main(int argc, char * const *argv)
 	xfree(buf);
 	netlink_close_sock(nf_sock);
 	nft_ctx_free(nft);
-	nft_exit();
 
 	return rc;
 }
-- 
2.1.4



* Re: [PATH nft v2 13/18] libnftables: add nft_context_set_print
  2017-08-19 15:24 ` [PATH nft v2 13/18] libnftables: add nft_context_set_print Eric Leblond
@ 2017-08-25  9:59   ` Pablo Neira Ayuso
  2017-08-25 11:49     ` Eric Leblond
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-25  9:59 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Sat, Aug 19, 2017 at 05:24:15PM +0200, Eric Leblond wrote:
> This function allows the user to set his own printing function. It is
> still dependent on the format used by nft but at least it can be
> redirected easily.

I'm looking at this patch...

> Signed-off-by: Eric Leblond <eric@regit.org>
> ---
>  include/nftables/nftables.h | 3 +++
>  src/libnftables.c           | 9 +++++++++
>  2 files changed, 12 insertions(+)
> 
> diff --git a/include/nftables/nftables.h b/include/nftables/nftables.h
> index b902cbd..935d0db 100644
> --- a/include/nftables/nftables.h
> +++ b/include/nftables/nftables.h
> @@ -26,6 +26,9 @@ void nft_global_deinit(void);
>  
>  struct nft_ctx *nft_context_new(void);
>  void nft_context_free(struct nft_ctx *nft);
> +void nft_context_set_print_func(struct nft_ctx *nft,
> +				int (*print)(void *ctx, const char *fmt, ...),
> +				void *ctx);
>  
>  int nft_run_command_from_buffer(struct nft_ctx *nft,
>  				char *buf, size_t buflen);
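Review bot: a printf-style variadic callback `int (*print)(void *ctx, const char *fmt, ...)` cannot be forwarded to another variadic function (the library would have to re-pack the arguments), and the compiler cannot check format strings against it unless the declaration carries `__attribute__((format(printf, 2, 3)))`. A vprintf-style signature taking a `va_list` composes better here: the library does va_start/va_end once and the client can hand the list straight to vfprintf() or vsnprintf().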
> diff --git a/src/libnftables.c b/src/libnftables.c
> index 7209885..f0decae 100644
> --- a/src/libnftables.c
> +++ b/src/libnftables.c
> @@ -86,6 +86,15 @@ struct nft_ctx *nft_context_new(void)
>  	return ctx;
>  }
>  
> +void nft_context_set_print_func(struct nft_ctx *nft,
> +				int (*print)(void *ctx, const char *fmt, ...),
> +				void *ctx)

Can we have a strict type here instead of void *ctx? I mean, if ctx is
always going to be a file descriptor, I would prefer this is a
specific type.

Or are you envisioning any real use of this generic type? If we cannot
forecast anything reasonable, then a strict type is the way to go IMO.


* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-22 12:37             ` Pablo Neira Ayuso
@ 2017-08-25 11:16               ` Eric Leblond
  0 siblings, 0 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-25 11:16 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Tue, 2017-08-22 at 14:37 +0200, Pablo Neira Ayuso wrote:
> On Mon, Aug 21, 2017 at 09:21:06PM +0200, Eric Leblond wrote:
> > On Mon, 2017-08-21 at 11:44 +0200, Pablo Neira Ayuso wrote:
> > > On Mon, Aug 21, 2017 at 11:06:19AM +0200, Eric Leblond wrote:
> 
> [...]
> > > In a nutshell: we provide a simple API for people that don't want
> > > to
> > > deal with IO at all, that's good. Then, an API that allows people
> > > to
> > > deal with IO themselves - advanced stuff. Simple API functions
> > > would
> > > be made of composites of the advance ones.
> > 
> > OK, I'm good with this approach and it will please the "I'm afraid
> > of
> > netlink" club ;)
> 
> OK, so we agree on the API policy then.
> 
> [...]
> > I think we can all have as a guideline for libnftables that all
> > advanced things are going to the advanced functions. The simple
> > functions must provide something appealing in term of features but
> > have
> > to remain really simple.
> 
> Fine with it.
> 
> > This make me think I still don't know how to deal with sets. I'm
> > not
> > planning to work on it but I think it is a feature that should be
> > available in the simple functions. But we are dealing with possibly
> > complex object so this can be really messy.
> 
> What's your concern with sets?

None fundamental really. It is just that I don't see how we can build an
easy API with sets that can look like "ipv4_addr . ipv4addr .
inet_service". The user needs to be able to build the set object (could
be a string) AND to parse it. This last part is the most complex, I
think. Maybe the JSON formatting could help here.

++
-- 
Eric Leblond <eric@regit.org>


* Re: [PATH nft v2 04/18] libnftables: add context new and free
  2017-08-24 15:30   ` Pablo Neira Ayuso
@ 2017-08-25 11:22     ` Eric Leblond
  0 siblings, 0 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-25 11:22 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hello,

On Thu, 2017-08-24 at 17:30 +0200, Pablo Neira Ayuso wrote:
> I took over this patch and revamp it, so we can apply this asap.
> 
> Let me know if you have any concern,

I would just add a uint32_t flag to the nft_ctx_new function parameters
so we can later pass information such as "don't handle netlink" or
"handle netlink". But setting the info could also be done in another
function so I let you decide.

++


> Thanks.
> 
> 
> On Sat, Aug 19, 2017 at 05:24:06PM +0200, Eric Leblond wrote:
> > Signed-off-by: Eric Leblond <eric@regit.org>
> > ---
> >  include/nftables.h          |  1 +
> >  include/nftables/nftables.h |  3 +++
> >  src/libnftables.c           | 20 ++++++++++++++++++++
> >  src/main.c                  | 29 ++++++++++++++---------------
> >  4 files changed, 38 insertions(+), 15 deletions(-)
> > 
> > diff --git a/include/nftables.h b/include/nftables.h
> > index a457aba..717af37 100644
> > --- a/include/nftables.h
> > +++ b/include/nftables.h
> > @@ -35,6 +35,7 @@ struct output_ctx {
> >  struct nft_ctx {
> >  	struct output_ctx	output;
> >  	bool			check;
> > +	struct mnl_socket	*nf_sock;
> >  };
> >  
> >  struct nft_cache {
> > diff --git a/include/nftables/nftables.h
> > b/include/nftables/nftables.h
> > index 4ba16f0..cfa60fe 100644
> > --- a/include/nftables/nftables.h
> > +++ b/include/nftables/nftables.h
> > @@ -17,4 +17,7 @@
> >  void nft_global_init(void);
> >  void nft_global_deinit(void);
> >  
> > +struct nft_ctx *nft_context_new(void);
> > +void nft_context_free(struct nft_ctx *nft);
> > +
> >  #endif
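Review bot: the exported prototypes for nft_context_new() and nft_context_free() carry no documentation. As this is the library's public header, document that nft_context_new() returns NULL on allocation failure and that nft_context_free() accepts a NULL pointer, so library users know which result they have to check.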
> > diff --git a/src/libnftables.c b/src/libnftables.c
> > index 215179a..6756c0f 100644
> > --- a/src/libnftables.c
> > +++ b/src/libnftables.c
> > @@ -51,3 +51,23 @@ void nft_global_deinit(void)
> >  	realm_table_meta_exit();
> >  	mark_table_exit();
> >  }
> > +
> > +struct nft_ctx *nft_context_new(void)
> > +{
> > +	struct nft_ctx *ctx = NULL;
> > +	ctx = calloc(1, sizeof(struct nft_ctx));
> > +	if (ctx == NULL)
> > +		return NULL;
> > +	ctx->nf_sock = netlink_open_sock();
> > +
> > +	return ctx;
> > +}
> > +
> > +
> > +void nft_context_free(struct nft_ctx *nft)
> > +{
> > +	if (nft == NULL)
> > +		return;
> > +	netlink_close_sock(nft->nf_sock);
> > +	xfree(nft);
> > +}
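Review bot: nft_context_new() stores `ctx->nf_sock = netlink_open_sock();` without checking the result, and nft_context_free() then hands that value to netlink_close_sock() unconditionally. If netlink_open_sock() can fail and return NULL, the caller receives a half-initialised context; if it instead terminates the process on failure, a library constructor should not do that either. Check the result here, free ctx and return NULL on failure, and guard the close with `if (nft->nf_sock)`. Style: there is a double blank line between the two functions, and `struct nft_ctx *ctx = NULL;` followed by an immediate assignment can simply be `struct nft_ctx *ctx = calloc(1, sizeof(*ctx));`.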
> > diff --git a/src/main.c b/src/main.c
> > index dde3104..ee5566c 100644
> > --- a/src/main.c
> > +++ b/src/main.c
> > @@ -29,7 +29,6 @@
> >  #include <iface.h>
> >  #include <cli.h>
> >  
> > -static struct nft_ctx nft;
> >  unsigned int max_errors = 10;
> >  #ifdef DEBUG
> >  unsigned int debug_level;
> > @@ -283,13 +282,13 @@ int main(int argc, char * const *argv)
> >  	unsigned int len;
> >  	bool interactive = false;
> >  	int i, val, rc = NFT_EXIT_SUCCESS;
> > -	struct mnl_socket *nf_sock;
> > +	struct nft_ctx *nft;
> >  
> >  	memset(&cache, 0, sizeof(cache));
> >  	init_list_head(&cache.list);
> >  
> >  	nft_global_init();
> > -	nf_sock = netlink_open_sock();
> > +	nft = nft_context_new();
> >  	while (1) {
> >  		val = getopt_long(argc, argv, OPTSTRING, options,
> > NULL);
> >  		if (val == -1)
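Review bot: `nft = nft_context_new();` is not checked for NULL, yet nft_context_new() returns NULL when calloc() fails (see the src/libnftables.c hunk above) and the option parsing that follows dereferences nft (`nft->check = true`, `nft->output.numeric`). Add a check right after the call, e.g. `if (nft == NULL) exit(NFT_EXIT_FAILURE);` with a message on stderr, so a failed allocation does not turn into a crash.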
> > @@ -304,7 +303,7 @@ int main(int argc, char * const *argv)
> >  			       PACKAGE_NAME, PACKAGE_VERSION,
> > RELEASE_NAME);
> >  			exit(NFT_EXIT_SUCCESS);
> >  		case OPT_CHECK:
> > -			nft.check = true;
> > +			nft->check = true;
> >  			break;
> >  		case OPT_FILE:
> >  			filename = optarg;
> > @@ -322,7 +321,7 @@ int main(int argc, char * const *argv)
> >  			include_paths[num_include_paths++] =
> > optarg;
> >  			break;
> >  		case OPT_NUMERIC:
> > -			if (++nft.output.numeric > NUMERIC_ALL) {
> > +			if (++nft->output.numeric > NUMERIC_ALL) {
> >  				fprintf(stderr, "Too many numeric
> > options "
> >  						"used, max. %u\n",
> >  					NUMERIC_ALL);
> > @@ -330,10 +329,10 @@ int main(int argc, char * const *argv)
> >  			}
> >  			break;
> >  		case OPT_STATELESS:
> > -			nft.output.stateless++;
> > +			nft->output.stateless++;
> >  			break;
> >  		case OPT_IP2NAME:
> > -			nft.output.ip2name++;
> > +			nft->output.ip2name++;
> >  			break;
> >  #ifdef DEBUG
> >  		case OPT_DEBUG:
> > @@ -365,10 +364,10 @@ int main(int argc, char * const *argv)
> >  			break;
> >  #endif
> >  		case OPT_HANDLE_OUTPUT:
> > -			nft.output.handle++;
> > +			nft->output.handle++;
> >  			break;
> >  		case OPT_ECHO:
> > -			nft.output.echo++;
> > +			nft->output.echo++;
> >  			break;
> >  		case OPT_INVALID:
> >  			exit(NFT_EXIT_FAILURE);
> > @@ -386,20 +385,20 @@ int main(int argc, char * const *argv)
> >  				strcat(buf, " ");
> >  		}
> >  		strcat(buf, "\n");
> > -		parser_init(nf_sock, &cache, &state, &msgs);
> > +		parser_init(nft->nf_sock, &cache, &state, &msgs);
> >  		scanner = scanner_init(&state);
> >  		scanner_push_buffer(scanner, &indesc_cmdline,
> > buf);
> >  	} else if (filename != NULL) {
> > -		rc = cache_update(nf_sock, &cache, CMD_INVALID,
> > &msgs);
> > +		rc = cache_update(nft->nf_sock, &cache,
> > CMD_INVALID, &msgs);
> >  		if (rc < 0)
> >  			return rc;
> >  
> > -		parser_init(nf_sock, &cache, &state, &msgs);
> > +		parser_init(nft->nf_sock, &cache, &state, &msgs);
> >  		scanner = scanner_init(&state);
> >  		if (scanner_read_file(scanner, filename,
> > &internal_location) < 0)
> >  			goto out;
> >  	} else if (interactive) {
> > -		if (cli_init(&nft, nf_sock, &cache, &state) < 0) {
> > +		if (cli_init(nft, nft->nf_sock, &cache, &state) <
> > 0) {
> >  			fprintf(stderr, "%s: interactive CLI not
> > supported in this build\n",
> >  				argv[0]);
> >  			exit(NFT_EXIT_FAILURE);
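Review bot: in the filename branch, `if (rc < 0) return rc;` after cache_update() leaves main() without reaching the `out:` label, so the context allocated by nft_context_new() is never released by nft_context_free() and its netlink socket stays open. Before this patch that path only leaked the socket; now it also leaks the heap allocation. Call nft_context_free(nft) before returning, or route the failure through the existing `out:` cleanup if scanner_destroy() there copes with a scanner that was never initialised.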
> > @@ -410,7 +409,7 @@ int main(int argc, char * const *argv)
> >  		exit(NFT_EXIT_FAILURE);
> >  	}
> >  
> > -	if (nft_run(&nft, nf_sock, &cache, scanner, &state, &msgs)
> > != 0)
> > +	if (nft_run(nft, nft->nf_sock, &cache, scanner, &state,
> > &msgs) != 0)
> >  		rc = NFT_EXIT_FAILURE;
> >  out:
> >  	scanner_destroy(scanner);
> > @@ -418,7 +417,7 @@ out:
> >  	xfree(buf);
> >  	cache_release(&cache);
> >  	iface_cache_release();
> > -	netlink_close_sock(nf_sock);
> > +	nft_context_free(nft);
> >  	nft_global_deinit();
> >  
> >  	return rc;
> > -- 
> > 2.14.1
> > 
-- 
Eric Leblond <eric@regit.org>


* Re: [PATH nft v2 05/18] libnftables: add nft_run_command_from_buffer
  2017-08-24 15:49   ` Pablo Neira Ayuso
@ 2017-08-25 11:26     ` Eric Leblond
  0 siblings, 0 replies; 56+ messages in thread
From: Eric Leblond @ 2017-08-25 11:26 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Thu, 2017-08-24 at 17:49 +0200, Pablo Neira Ayuso wrote:
> Attaching a revamped version, it is collapsing your patch 5 and 6.
> 
> We still have to agree on what to do with the netlink socket. I know
> you don't want to open it from the client side.
> 
> The only way I find to do this is to - yick - add a flag to
> nft_ctx_new().

Agree with the flag idea. This will add a minimum of flexibility to the
structure creation.

Regarding the patch, I'm good with it.

Acked-by: Eric Leblond <eric@regit.org>

++
-- 
Eric Leblond <eric@regit.org>


* Re: [PATH nft v2 15/18] libnftables: set max_errors to 1 in library
  2017-08-24 16:02       ` Pablo Neira Ayuso
@ 2017-08-25 11:37         ` Eric Leblond
  2017-08-28 15:18           ` Pablo Neira Ayuso
  0 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-25 11:37 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Thu, 2017-08-24 at 18:02 +0200, Pablo Neira Ayuso wrote:
> On Mon, Aug 21, 2017 at 09:12:49PM +0200, Eric Leblond wrote:
> [...]
> > On Mon, 2017-08-21 at 10:37 +0200, Pablo Neira Ayuso wrote:
> 
> [...]
> > > > diff --git a/src/libnftables.c b/src/libnftables.c
> > > > index 61ed4e5..15345ae 100644
> > > > --- a/src/libnftables.c
> > > > +++ b/src/libnftables.c
> > > > @@ -25,7 +25,7 @@
> > > >  #include <fcntl.h>
> > > >  
> > > >  
> > > > -unsigned int max_errors = 10;
> > > > +unsigned int max_errors = 1;
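Review bot: lowering the global `max_errors` from 10 to 1 changes behaviour for every consumer of libnftables at once, including the nft command-line tool once it links against the library, and it discards the multi-error reporting the rest of the code is built to support. If library callers need to stop at the first error, make the limit a per-context setting (a field of struct nft_ctx with a setter) that defaults to the existing 10, rather than a process-wide constant.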
> > > 
> > > This is defeating all the work I've done - both in netlink and in
> > > userspace - in the past to allow printing several errors in one
> > > go. So you likely understand I'm reticent to take this as is :-)
> > 
> > For sure, I was just trying to get you excited so you decide to
> > cook a patch fixing this :P
> 
> Not sure it's excitement exactly what I'm feeling here... but I'm
> trying to help, believe it or not... ;-)

I believe you :)

> I'm placing the nft_global_init() and nft_global_deinit() into
> nft_ctx_new() and nft_ctx_free() as we've been discussing.

OK.

> I'm going to stop here for a while. There are still a few pending
> issues, and I would like we don't release anything until we discuss
> all concerns.
> 
> You mentioned about some set issues, please let us know. I also want to
> think what you would need for the simple API in the exportation and
> monitor cases.

Could you push the current patchset somewhere so I can have a look this
weekend?

PS: sorry for the delay in the answers

++
-- 
Eric Leblond <eric@regit.org>


* Re: [PATH nft v2 13/18] libnftables: add nft_context_set_print
  2017-08-25  9:59   ` Pablo Neira Ayuso
@ 2017-08-25 11:49     ` Eric Leblond
  2017-08-30 10:46       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 56+ messages in thread
From: Eric Leblond @ 2017-08-25 11:49 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi,

On Fri, 2017-08-25 at 11:59 +0200, Pablo Neira Ayuso wrote:
> On Sat, Aug 19, 2017 at 05:24:15PM +0200, Eric Leblond wrote:
> > This function allows the user to set his own printing function. It is
> > still dependent on the format used by nft but at least it can be
> > redirected easily.
> 
> I'm looking at this patch...
> 
> > Signed-off-by: Eric Leblond <eric@regit.org>
> > ---
> >  include/nftables/nftables.h | 3 +++
> >  src/libnftables.c           | 9 +++++++++
> >  2 files changed, 12 insertions(+)
> > 
> > diff --git a/include/nftables/nftables.h
> > b/include/nftables/nftables.h
> > index b902cbd..935d0db 100644
> > --- a/include/nftables/nftables.h
> > +++ b/include/nftables/nftables.h
> > @@ -26,6 +26,9 @@ void nft_global_deinit(void);
> >  
> >  struct nft_ctx *nft_context_new(void);
> >  void nft_context_free(struct nft_ctx *nft);
> > +void nft_context_set_print_func(struct nft_ctx *nft,
> > +				int (*print)(void *ctx, const char
> > *fmt, ...),
> > +				void *ctx);
> >  
> >  int nft_run_command_from_buffer(struct nft_ctx *nft,
> >  				char *buf, size_t buflen);
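Review bot: the print callback is declared with a printf-style variadic signature, `int (*print)(void *ctx, const char *fmt, ...)`, but nothing tells callers or the compiler that fmt follows printf conventions. Document that in a comment next to the prototype and, since the library will call it with its own format strings, consider a typedef carrying `__attribute__((format(printf, 2, 3)))` so that mismatched arguments are caught at compile time rather than at run time.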
> > diff --git a/src/libnftables.c b/src/libnftables.c
> > index 7209885..f0decae 100644
> > --- a/src/libnftables.c
> > +++ b/src/libnftables.c
> > @@ -86,6 +86,15 @@ struct nft_ctx *nft_context_new(void)
> >  	return ctx;
> >  }
> >  
> > +void nft_context_set_print_func(struct nft_ctx *nft,
> > +				int (*print)(void *ctx, const char
> > *fmt, ...),
> > +				void *ctx)
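Review bot: only the signature of nft_context_set_print_func() is quoted here, so the body that stores the callback is not visible. When reviewing the full patch, check that nft_context_new() installs a default printer (or that the print path tolerates an unset one), so that callers who never use this setter do not hit a NULL function pointer on the first print.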
> 
> Can we have a strict type here instead of void *ctx? I mean, if ctx
> is always going to be a file descriptor, I would prefer this is a
> specific type.
> 
> Or are you envisioning any real use of this generic type? If we
> cannot forecast anything reasonable, then a strict type is the way
> to go IMO.

Yes, it can be any internal structure from the user application. For
instance, it can be a structure storing logging information that
accumulates the buffer and does line-by-line output in a GUI.

Writing that, I realize that it would be better, at least for high-level
functions, to provide a complete buffer containing the error to the user
instead of that. Maybe it could be the default function and we provide
that function for some corner cases?

++
-- 
Eric Leblond <eric@regit.org>


* Re: [PATH nft v2 15/18] libnftables: set max_errors to 1 in library
  2017-08-25 11:37         ` Eric Leblond
@ 2017-08-28 15:18           ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-28 15:18 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Fri, Aug 25, 2017 at 01:37:18PM +0200, Eric Leblond wrote:
[...]
> > I'm going to stop here for a while. There are still a few pending
> > issues, and I would like we don't release anything until we discuss
> > all concerns.
> > 
> > You mentioned about some set issues, please let us know. I also want to
> > think what you would need for the simple API in the exportation and
> > monitor cases.
> 
> Could you push the current patchset somewhere so I can have a look this
> weekend?

I pushed it out to master, so we can follow up from there.


* Re: [PATCH nft v2 00/18] introducing libnftables
  2017-08-19 15:24 [PATCH nft v2 00/18] introducing libnftables Eric Leblond
                   ` (18 preceding siblings ...)
  2017-08-21  8:55 ` [PATCH nft v2 00/18] introducing libnftables Pablo Neira Ayuso
@ 2017-08-30 10:31 ` Phil Sutter
  2017-08-31 10:19   ` Pablo Neira Ayuso
  19 siblings, 1 reply; 56+ messages in thread
From: Phil Sutter @ 2017-08-30 10:31 UTC (permalink / raw)
  To: Eric Leblond; +Cc: pablo, netfilter-devel

Hi,

On Sat, Aug 19, 2017 at 05:24:02PM +0200, Eric Leblond wrote:
> This patchset is the second version of the libnftables introduction patchset.
> It addresses some remarks by Phil Sutter. Other remarks as said on the ML
> are in fact TODO points that can be addressed later.

So, what is the current status, please? Could we perhaps collect open
points and clarify who's working on what?

From the top of my head, open points are:

* Where to keep nf_sock:
  - Either completely separate (needs init/deinit routines for
    convenience).
  - Or as part of nft_ctx (needs getter/setter for advanced usage).

* Do we want global init/deinit functions, or can we put everything into
  context init/deinit functions?

* How to handle object printing:
  - Having a library print to stdout is probably not desired.
  - Is formatting into a string for further processing by the
    application sufficient?

Anything else? Are there tasks which can be done now that nobody wants,
so I could take them over?

Cheers, Phil


* Re: [PATH nft v2 13/18] libnftables: add nft_context_set_print
  2017-08-25 11:49     ` Eric Leblond
@ 2017-08-30 10:46       ` Pablo Neira Ayuso
  2017-08-31 10:09         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-30 10:46 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Fri, Aug 25, 2017 at 01:49:56PM +0200, Eric Leblond wrote:
> Hi,
> 
> On Fri, 2017-08-25 at 11:59 +0200, Pablo Neira Ayuso wrote:
> > On Sat, Aug 19, 2017 at 05:24:15PM +0200, Eric Leblond wrote:
> > > This function allows the user to set his own printing function. It is
> > > still dependent on the format used by nft but at least it can be
> > > redirected easily.
> > 
> > I'm looking at this patch...
> > 
> > > Signed-off-by: Eric Leblond <eric@regit.org>
> > > ---
> > >  include/nftables/nftables.h | 3 +++
> > >  src/libnftables.c           | 9 +++++++++
> > >  2 files changed, 12 insertions(+)
> > > 
> > > diff --git a/include/nftables/nftables.h
> > > b/include/nftables/nftables.h
> > > index b902cbd..935d0db 100644
> > > --- a/include/nftables/nftables.h
> > > +++ b/include/nftables/nftables.h
> > > @@ -26,6 +26,9 @@ void nft_global_deinit(void);
> > >  
> > >  struct nft_ctx *nft_context_new(void);
> > >  void nft_context_free(struct nft_ctx *nft);
> > > +void nft_context_set_print_func(struct nft_ctx *nft,
> > > +				int (*print)(void *ctx, const char
> > > *fmt, ...),
> > > +				void *ctx);
> > >  
> > >  int nft_run_command_from_buffer(struct nft_ctx *nft,
> > >  				char *buf, size_t buflen);
> > > diff --git a/src/libnftables.c b/src/libnftables.c
> > > index 7209885..f0decae 100644
> > > --- a/src/libnftables.c
> > > +++ b/src/libnftables.c
> > > @@ -86,6 +86,15 @@ struct nft_ctx *nft_context_new(void)
> > >  	return ctx;
> > >  }
> > >  
> > > +void nft_context_set_print_func(struct nft_ctx *nft,
> > > +				int (*print)(void *ctx, const char
> > > *fmt, ...),
> > > +				void *ctx)
> > 
> > Can we have a strict type here instead of void *ctx? I mean, if ctx
> > is always going to be a file descriptor, I would prefer this is a
> > specific type.
> > 
> > Or are you envisioning any real use of this generic type? If we
> > cannot forecast anything reasonable, then a strict type is the way
> > to go IMO.
> 
> Yes, it can be any internal structure from the user application. For
> instance, it can be a structure storing logging information that
> accumulates the buffer and does line-by-line output in a GUI.

I don't think we can do snprintf() with this interface, or any other
printing to buffer with this approach.

We would need to update the libnftables codebase to keep track of
offsets and so on.

> Writing that, I realize that it would be better, at least for high-level
> functions, to provide a complete buffer containing the error to the user
> instead of that. Maybe it could be the default function and we provide
> that function for some corner cases?

I'd suggest we start with something simple that suits your specific
needs, and at the same time make sure we can extend such an API to cover
buffer-like and file descriptor printing, which are the two common
cases I can think of.


* Re: [PATH nft v2 13/18] libnftables: add nft_context_set_print
  2017-08-30 10:46       ` Pablo Neira Ayuso
@ 2017-08-31 10:09         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-31 10:09 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Wed, Aug 30, 2017 at 12:46:17PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Aug 25, 2017 at 01:49:56PM +0200, Eric Leblond wrote:
> > On Fri, 2017-08-25 at 11:59 +0200, Pablo Neira Ayuso wrote:
> > > On Sat, Aug 19, 2017 at 05:24:15PM +0200, Eric Leblond wrote:
> > > > diff --git a/src/libnftables.c b/src/libnftables.c
> > > > index 7209885..f0decae 100644
> > > > --- a/src/libnftables.c
> > > > +++ b/src/libnftables.c
> > > > @@ -86,6 +86,15 @@ struct nft_ctx *nft_context_new(void)
> > > >  	return ctx;
> > > >  }
> > > >  
> > > > +void nft_context_set_print_func(struct nft_ctx *nft,
> > > > +				int (*print)(void *ctx, const char
> > > > *fmt, ...),
> > > > +				void *ctx)
> > > 
> > > Can we have a strict type here instead of void *ctx? I mean, if ctx
> > > is always going to be a file descriptor, I would prefer this is a
> > > specific type.
> > > 
> > > Or are you envisioning any real use of this generic type? If we
> > > cannot forecast anything reasonable, then a strict type is the way
> > > to go IMO.
> > 
> > Yes, it can be any internal structure from the user application. For
> > instance, it can be a structure storing logging information that
> > accumulates the buffer and does line-by-line output in a GUI.
> 
> I don't think we can do snprintf() with this interface, or any other
> printing to buffer with this approach.
> 
> We would need to update the libnftables codebase to keep track of
> offsets and so on.

Forget this. We can indeed use this API to implement buffer like
printing.

But I would prefer strict typing for this API, so we provide two
functions, one to print to a buffer and another to print to descriptors,
if this is what you need.

Otherwise, just provide a function that does exactly what you need
right now, with strict typing. If someone else needs a new function to
do something else, then let's wait for them to come and ask for it.

OK?


* Re: [PATCH nft v2 00/18] introducing libnftables
  2017-08-30 10:31 ` Phil Sutter
@ 2017-08-31 10:19   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 56+ messages in thread
From: Pablo Neira Ayuso @ 2017-08-31 10:19 UTC (permalink / raw)
  To: Phil Sutter, Eric Leblond, netfilter-devel

On Wed, Aug 30, 2017 at 12:31:32PM +0200, Phil Sutter wrote:
> Hi,
> 
> On Sat, Aug 19, 2017 at 05:24:02PM +0200, Eric Leblond wrote:
> > This patchset is the second version of the libnftables introduction patchset.
> > It addresses some remarks by Phil Sutter. Other remarks as said on the ML
> > are in fact TODO points that can be addressed later.
> 
> So, what is the current status, please? Could we perhaps collect open
> points and clarify who's working on what?
> 
> From the top of my head, open points are:
> 
> * Where to keep nf_sock:
>   - Either completely separate (needs init/deinit routines for
>     convenience).
>   - Or as part of nft_ctx (needs getter/setter for advanced usage).

Eric needs the simple API for non-netlink users, we can add an
explicit call like this:

        err = nft_ctx_netlink_open(ctx);

Then, we call:

        nft_run_cmd_from_buffer(ctx, ...);

with no nf_sock as parameter.

Please, don't update the code all over the place to pass nft->nf_sock
to lower layers, just update nft_run_cmd_from_buffer() function not to
take nf_sock explicitly.

So we make sure we don't have to undo things to reuse code when adding
the advanced API later on. The advanced API will expose netlink
details indeed, so it will not ever call nft_ctx_netlink_open().

> * Do we want global init/deinit functions, or can we put everything into
>   context init/deinit functions?

No, we agreed this is now done from ctx allocation/release.

> * How to handle object printing:
>   - Having a library print to stdout is probably not desired.
>   - Is formatting into a string for further processing by the
>     application sufficient?

I would prefer strict typing in APIs, so we restrict/know what people
are going to do with them.

Having a second look at what Eric sent, I was wrong, we can use void *ctx.
However, I would prefer we have APIs for each kind of thing that people
would need, ie. one API for file descriptor printing and another for
buffer printing with specific typing, not void * for this.

There are no comments so far on how we can integrate the monitor mode
with this simple API. Even if this is not done now, I would like us to
have something in mind.

More side comments:

* Eric also mentioned about json. It should be easy to add this since
  json representation is already there in the parser, we would only
  need to expose the high level nft abstract syntax tree in json
  format.

* Eric already clarified a problem with set concatenations, but I'm
  still not sure / don't understand what the problem is.
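To make the design the thread converges on concrete (a context allocated without netlink, an explicit nft_ctx_netlink_open()-style call for callers that need it, and strictly typed print sinks instead of a void *ctx callback, as Pablo asks for above and in his reply on patch 13), here is an added toy model in C. It is example code written for this page, not libnftables code: every name in it (toy_ctx, toy_ctx_new, toy_ctx_free, toy_ctx_netlink_open, toy_ctx_set_print_file, toy_ctx_set_print_buffer, toy_ctx_get_output, toy_run_cmd_from_buffer) is hypothetical, the netlink socket is a placeholder integer that is never really opened, and the command output is constructed.

```c
/* Added example, not libnftables code: a toy model of the context design
 * discussed in this thread. Every name here is hypothetical, the "netlink
 * socket" is a placeholder int that is never opened, output is constructed. */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strictly typed output sinks instead of a single void *ctx callback. */
enum toy_sink { TOY_SINK_NONE, TOY_SINK_FILE, TOY_SINK_BUFFER };

struct toy_ctx {
	int nf_sock;             /* -1 until toy_ctx_netlink_open() */
	enum toy_sink sink;
	FILE *out;               /* TOY_SINK_FILE */
	char *buf;               /* TOY_SINK_BUFFER: accumulated output */
	size_t buf_len, buf_cap;
	bool truncated;          /* buffer sink ran out of room */
};

struct toy_ctx *toy_ctx_new(void)
{
	struct toy_ctx *ctx = calloc(1, sizeof(*ctx));
	if (ctx == NULL)
		return NULL;
	ctx->nf_sock = -1;       /* no netlink unless explicitly requested */
	return ctx;
}

void toy_ctx_free(struct toy_ctx *ctx)
{
	if (ctx != NULL) {
		free(ctx->buf);
		free(ctx);
	}
}

/* Explicit, optional netlink setup; pure parse/print users never call it.
 * Stand-in for mnl_socket_open(): records a constructed descriptor. */
int toy_ctx_netlink_open(struct toy_ctx *ctx)
{
	if (ctx->nf_sock < 0)
		ctx->nf_sock = 3;
	return 0;
}

/* Typed setter 1: print to a stdio stream. */
void toy_ctx_set_print_file(struct toy_ctx *ctx, FILE *out)
{
	ctx->sink = TOY_SINK_FILE;
	ctx->out = out;
}

/* Typed setter 2: accumulate output in a bounded buffer owned by the ctx. */
int toy_ctx_set_print_buffer(struct toy_ctx *ctx, size_t cap)
{
	char *p;
	if (cap == 0 || (p = malloc(cap)) == NULL)
		return -1;
	free(ctx->buf);
	p[0] = '\0';
	ctx->buf = p;
	ctx->buf_len = 0;
	ctx->buf_cap = cap;
	ctx->truncated = false;
	ctx->sink = TOY_SINK_BUFFER;
	return 0;
}

const char *toy_ctx_get_output(const struct toy_ctx *ctx)
{
	return ctx->buf != NULL ? ctx->buf : "";
}

/* Internal printf-style dispatcher. The buffer sink keeps its own offset,
 * so successive calls append and never write past buf_cap. */
static int toy_print(struct toy_ctx *ctx, const char *fmt, ...)
	__attribute__((format(printf, 2, 3)));
static int toy_print(struct toy_ctx *ctx, const char *fmt, ...)
{
	va_list ap;
	int n = 0;

	va_start(ap, fmt);
	if (ctx->sink == TOY_SINK_FILE) {
		n = vfprintf(ctx->out, fmt, ap);
	} else if (ctx->sink == TOY_SINK_BUFFER) {
		size_t room = ctx->buf_cap - ctx->buf_len;
		n = vsnprintf(ctx->buf + ctx->buf_len, room, fmt, ap);
		if (n >= 0 && (size_t)n >= room) {
			ctx->truncated = true;     /* output cut, not overrun */
			ctx->buf_len = ctx->buf_cap - 1;
		} else if (n > 0) {
			ctx->buf_len += (size_t)n;
		}
	}
	va_end(ap);
	return n;
}

/* Toy command runner: "list ruleset" is the only known command and it
 * needs netlink; every error goes through the typed sink, never stdout. */
int toy_run_cmd_from_buffer(struct toy_ctx *ctx, const char *cmd)
{
	if (strcmp(cmd, "list ruleset") == 0) {
		if (ctx->nf_sock < 0) {
			toy_print(ctx, "error: netlink socket not open\n");
			return -1;
		}
		toy_print(ctx, "table inet %s {\n}\n", "filter");
		return 0;
	}
	toy_print(ctx, "error: unknown command '%s'\n", cmd);
	return -1;
}
```

The buffer sink tracks its own write offset, which is what makes printing to a buffer possible with a printf-style internal function (the point Pablo concedes in his follow-up on patch 13); when the buffer fills, output is cut and flagged rather than overrun, and a command that needs netlink on a context that never opened it fails with an error on the sink instead of touching the kernel.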

