* [PATCH nft 0/1] Proposal: include directories for rulesets
From: Ismo Puustinen @ 2016-03-02 12:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ismo Puustinen
A nice-to-have feature in nft would be the ability to use include
directories that contain rule files. The use case would be support for
services dropping their custom configuration files into a directory,
allowing a more modular firewall configuration.
This is a proof-of-concept patch -- I'm not very familiar with nftables
code base and conventions.
Ismo Puustinen (1):
scanner: add support for include directories
src/main.c | 4 ++--
src/scanner.l | 73 +++++++++++++++++++++++++++++++++++++++++++++++------------
2 files changed, 61 insertions(+), 16 deletions(-)
--
2.5.0
* [PATCH nft 1/1] scanner: add support for include directories
From: Ismo Puustinen @ 2016-03-02 12:11 UTC (permalink / raw)
To: netfilter-devel; +Cc: Ismo Puustinen
If a string after "include" keyword points to a directory instead of a
file, consider the directory to contain only nft rule files and try to
load them all. This helps with a use case where services drop their own
firewall configuration files into a directory and nft needs to include
those without knowing the exact file names.
Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
---
src/main.c | 4 ++--
src/scanner.l | 73 +++++++++++++++++++++++++++++++++++++++++++++++------------
2 files changed, 61 insertions(+), 16 deletions(-)
diff --git a/src/main.c b/src/main.c
index 7bbcfc4..395bde2 100644
--- a/src/main.c
+++ b/src/main.c
@@ -36,8 +36,8 @@ unsigned int handle_output;
unsigned int debug_level;
#endif
-const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };
-static unsigned int num_include_paths = 1;
+const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH, "." };
+static unsigned int num_include_paths = 2;
enum opt_vals {
OPT_HELP = 'h',
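Review bot: adding "." to the built-in include_paths (with num_include_paths bumped to 2) turns the working directory into a default search location for every relative include, consulted before any directory a user adds with -I if those are appended at num_include_paths. nft is normally run as root from an arbitrary current directory, so a stray rule file sitting there is picked up ahead of the administrator's own include directory. The previous code only tried the bare filename as a last resort after all configured paths; keep that order (DEFAULT_INCLUDE_PATH, -I paths, then a direct open of the name as given) rather than promoting "." to a default search path.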
diff --git a/src/scanner.l b/src/scanner.l
index a0dee47..58ecd71 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -10,6 +10,8 @@
%{
+#include <dirent.h>
+#include <libgen.h>
#include <limits.h>
#include <netinet/in.h>
#include <arpa/inet.h>
@@ -620,26 +622,69 @@ int scanner_include_file(void *scanner, const char *filename,
f = NULL;
for (i = 0; i < INCLUDE_PATHS_MAX; i++) {
+ DIR *directory = NULL;
+
if (include_paths[i] == NULL)
break;
snprintf(buf, sizeof(buf), "%s/%s", include_paths[i], filename);
- f = fopen(buf, "r");
- if (f != NULL)
+
+ directory = opendir(buf);
+
+ if (directory == NULL && errno != ENOTDIR) {
+ /* Could not access the directory or file. */
+ continue;
+ }
+ else if (directory != NULL) {
+ struct dirent *de;
+
+ /* If the path is a directory, assume that all files there need
+ * to be included. */
+ while ((de = readdir(directory))) {
+ char dirbuf[PATH_MAX];
+
+ snprintf(dirbuf, sizeof(dirbuf), "%s/%s", buf, de->d_name);
+
+ if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
+ continue;
+
+ f = fopen(dirbuf, "r");
+
+ if (f == NULL) {
+ erec = error(loc, "Could not open file \"%s\": %s\n",
+ filename, strerror(errno));
+ closedir(directory);
+ goto err;
+ }
+ name = de->d_name;
+
+ erec = scanner_push_file(scanner, name, f, loc);
+ if (erec != NULL) {
+ closedir(directory);
+ goto err;
+ }
+ }
+
+ closedir(directory);
break;
- }
- if (f == NULL) {
- f = fopen(filename, "r");
- if (f == NULL) {
- erec = error(loc, "Could not open file \"%s\": %s\n",
- filename, strerror(errno));
- goto err;
}
- name = filename;
- }
+ else {
+ /* A simple include file. */
+ f = fopen(buf, "r");
+ if (f == NULL) {
+ erec = error(loc, "Could not open file \"%s\": %s\n",
+ filename, strerror(errno));
+ goto err;
+ }
- erec = scanner_push_file(scanner, name, f, loc);
- if (erec != NULL)
- goto err;
+ if (strcmp(".", dirname(buf)) == 0)
+ name = filename;
+
+ erec = scanner_push_file(scanner, name, f, loc);
+ if (erec != NULL)
+ goto err;
+ break;
+ }
+ }
return 0;
err:
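Review bot: an include that matches nothing now succeeds silently. Every failure inside the loop (`if (directory == NULL && errno != ENOTDIR) { ... continue; }`) moves on to the next path, and when the loop ends without a break the function falls through to `return 0;`, so a mistyped include name or an unreadable directory leaves the ruleset without that file and without an error; the removed `fopen(filename, "r")` fallback used to report exactly this. A "not found" error after the loop is needed. The same removal breaks absolute paths: every candidate is built with `"%s/%s"`, so `include "/etc/x.nft"` becomes `.//etc/x.nft` and is never opened as written; names starting with '/' should be opened directly. In the directory branch, readdir() returns entries in filesystem-dependent order and only "." and ".." are skipped, so subdirectories, editor backups such as `foo.nft~`, dotfiles and any other stray file are handed to the parser in an unpredictable order, which matters for a ruleset where rule order decides what matches; scandir() with alphasort(), keeping only regular files (ideally with a fixed suffix), gives a reproducible and filtered load. When a file inside the directory fails to open, the error prints `filename` (the include argument) instead of `dirbuf`, so the message does not say which file failed. `name = de->d_name` points into readdir()'s buffer, which is overwritten by the next readdir() call and released by closedir(), so this only works if scanner_push_file() copies the string; passing the full path would also give more useful locations in later parse errors. Finally, dirname() is permitted to modify its argument and glibc's does, so `buf` is truncated after `strcmp(".", dirname(buf))`; comparing `include_paths[i]` against "." directly avoids libgen.h entirely.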
--
2.5.0
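A deterministic, filtered version of the directory walk, as an added example that is not part of the patch or of nftables: it uses scandir() with alphasort() so drop-in files load in a fixed order, keeps only regular files named *.nft, and treats an unlistable directory as an error rather than as an empty include. The function names (collect_rulefiles, make_sample_dir, remove_sample_dir), the ".nft" suffix convention and the sample directory contents are my assumptions for the illustration.

```c
#define _GNU_SOURCE 1                      /* scandir, alphasort, mkdtemp */
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* scandir() name filter: keep non-hidden names ending in ".nft", so
 * dotfiles and editor backups such as "base.nft~" never reach the parser. */
static int rulefile_filter(const struct dirent *de)
{
	const char *name = de->d_name;
	size_t len = strlen(name);

	return name[0] != '.' && len > 4 && strcmp(name + len - 4, ".nft") == 0;
}

/* Collect the rule files of drop-in directory `dir` into `out` (up to `max`
 * malloc'd full paths, caller frees), sorted by name so the load order is
 * reproducible. Returns the count, or -1 with errno set when the directory
 * cannot be listed: a missing directory is an error, not an empty include. */
int collect_rulefiles(const char *dir, char **out, size_t max)
{
	struct dirent **names;
	size_t count = 0;
	int n, i;

	n = scandir(dir, &names, rulefile_filter, alphasort);
	if (n < 0)
		return -1;
	for (i = 0; i < n; i++) {
		char path[PATH_MAX];
		struct stat st;
		int len = snprintf(path, sizeof(path), "%s/%s", dir,
				   names[i]->d_name);

		/* Only regular files count: a subdirectory or socket named
		 * "foo.nft" is skipped, and so is a truncated path. */
		if (len > 0 && (size_t)len < sizeof(path) &&
		    stat(path, &st) == 0 && S_ISREG(st.st_mode) && count < max)
			out[count++] = strdup(path);
		free(names[i]);
	}
	free(names);
	return (int)count;
}

/* Constructed sample drop-in directory (hypothetical contents, not real
 * rulesets): two rule files, a backup, a dotfile, an unrelated file and a
 * subdirectory named like a rule file. Returns `buf` or NULL on failure. */
static const char *sample_files[] = { "20-web.nft", "10-base.nft",
				      "10-base.nft~", ".hidden.nft", "README" };

const char *make_sample_dir(char *buf, size_t bufsz)
{
	char path[PATH_MAX];
	size_t i;

	if (snprintf(buf, bufsz, "/tmp/nftdir-XXXXXX") >= (int)bufsz ||
	    mkdtemp(buf) == NULL)
		return NULL;
	for (i = 0; i < sizeof(sample_files) / sizeof(sample_files[0]); i++) {
		snprintf(path, sizeof(path), "%s/%s", buf, sample_files[i]);
		FILE *f = fopen(path, "w");
		if (f == NULL)
			return NULL;
		fputs("# constructed sample, not a real ruleset\n", f);
		fclose(f);
	}
	snprintf(path, sizeof(path), "%s/sub.nft", buf);
	return mkdir(path, 0755) == 0 ? buf : NULL;
}

/* Remove everything make_sample_dir() created. */
void remove_sample_dir(const char *dir)
{
	char path[PATH_MAX];
	size_t i;

	for (i = 0; i < sizeof(sample_files) / sizeof(sample_files[0]); i++) {
		snprintf(path, sizeof(path), "%s/%s", dir, sample_files[i]);
		unlink(path);
	}
	snprintf(path, sizeof(path), "%s/sub.nft", dir);
	rmdir(path);
	rmdir(dir);
}

int main(void)
{
	char dir[64];
	char *paths[16];
	int n, i;

	if (make_sample_dir(dir, sizeof(dir)) == NULL)
		return 1;
	n = collect_rulefiles(dir, paths, 16);	/* 10-base.nft, then 20-web.nft */
	for (i = 0; i < n; i++) {
		printf("include \"%s\"\n", paths[i]);
		free(paths[i]);
	}
	remove_sample_dir(dir);
	return n < 0;
}
```

stat() follows symlinks, so a symlinked rule file in the drop-in directory is accepted as long as it points at a regular file; use lstat() instead if symlinks into the directory should be rejected.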
* Re: [PATCH nft 0/1] Proposal: include directories for rulesets
From: Arturo Borrero Gonzalez @ 2016-03-04 9:57 UTC (permalink / raw)
To: Ismo Puustinen; +Cc: Netfilter Development Mailing list
On 2 March 2016 at 13:11, Ismo Puustinen <ismo.puustinen@intel.com> wrote:
> A nice-to-have feature in nft would be the ability to use include
> directories that contain rule files. The use case would be support for
> services dropping their custom configuration files into a directory,
> allowing a more modular firewall configuration.
>
> This is a proof-of-concept patch -- I'm not very familiar with nftables
> code base and conventions.
>
Hi Ismo,
I like the idea. What I'm wondering is if it is worth having another
directive like 'includedir' to be more explicit.
--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH nft 0/1] Proposal: include directories for rulesets
From: Puustinen, Ismo @ 2016-03-04 13:29 UTC (permalink / raw)
To: arturo.borrero.glez; +Cc: netfilter-devel
On Fri, 2016-03-04 at 10:57 +0100, Arturo Borrero Gonzalez wrote:
> Hi Ismo,
>
> I like the idea. What I'm wondering is if it worth having another
> directive like 'includedir' to be more explicit.
Sure, I'm fine with that approach too. If the project leadership
indicates that the include directory approach makes sense, I could do a
patch using the 'includedir' syntax too.
Ismo