[PATCH nft 0/1] Proposal: include directories for rulesets

[PATCH nft 0/1] Proposal: include directories for rulesets

[Ismo Puustinen]

A nice-to-have feature in nft would be the ability to use include
directories that contain rule files. The use case would be support for
services dropping their custom configuration files into a directory,
allowing a more modular firewall configuration.

This is a proof-of-concept patch -- I'm not very familiar with nftables
code base and conventions.

Ismo Puustinen (1):
  scanner: add support for include directories

 src/main.c    |  4 ++--
 src/scanner.l | 73 +++++++++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 61 insertions(+), 16 deletions(-)

-- 
2.5.0

[PATCH nft 1/1] scanner: add support for include directories

[Ismo Puustinen]

If a string after "include" keyword points to a directory instead of a
file, consider the directory to contain only nft rule files and try to
load them all. This helps with a use case where services drop their own
firewall configuration files into a directory and nft needs to include
those without knowing the exact file names.

Signed-off-by: Ismo Puustinen <ismo.puustinen@intel.com>
---
 src/main.c    |  4 ++--
 src/scanner.l | 73 +++++++++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 61 insertions(+), 16 deletions(-)

diff --git a/src/main.c b/src/main.c
index 7bbcfc4..395bde2 100644
--- a/src/main.c
+++ b/src/main.c
@@ -36,8 +36,8 @@ unsigned int handle_output;
 unsigned int debug_level;
 #endif
 
-const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH };
-static unsigned int num_include_paths = 1;
+const char *include_paths[INCLUDE_PATHS_MAX] = { DEFAULT_INCLUDE_PATH, "." };
+static unsigned int num_include_paths = 2;
 
 enum opt_vals {
 	OPT_HELP		= 'h',
diff --git a/src/scanner.l b/src/scanner.l
index a0dee47..58ecd71 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -10,6 +10,8 @@
 
 %{
 
+#include <dirent.h>
+#include <libgen.h>
 #include <limits.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -620,26 +622,69 @@ int scanner_include_file(void *scanner, const char *filename,
 
 	f = NULL;
 	for (i = 0; i < INCLUDE_PATHS_MAX; i++) {
+		DIR *directory = NULL;
+
 		if (include_paths[i] == NULL)
 			break;
 		snprintf(buf, sizeof(buf), "%s/%s", include_paths[i], filename);
-		f = fopen(buf, "r");
-		if (f != NULL)
+
+		directory = opendir(buf);
+
+		if (directory == NULL && errno != ENOTDIR) {
+			/* Could not access the directory or file. */
+			continue;
+		}
+		else if (directory != NULL) {
+			struct dirent *de;
+
+			/* If the path is a directory, assume that all files there need
+			 * to be included. */
+			while ((de = readdir(directory))) {
+				char dirbuf[PATH_MAX];
+
+				snprintf(dirbuf, sizeof(dirbuf), "%s/%s", buf, de->d_name);
+
+				if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
+					continue;
+
+				f = fopen(dirbuf, "r");
+
+				if (f == NULL) {
+					erec = error(loc, "Could not open file \"%s\": %s\n",
+							filename, strerror(errno));
+					closedir(directory);
+					goto err;
+				}
+				name = de->d_name;
+
+				erec = scanner_push_file(scanner, name, f, loc);
+				if (erec != NULL) {
+					closedir(directory);
+					goto err;
+				}
+			}
+
+			closedir(directory);
 			break;
-	}
-	if (f == NULL) {
-		f = fopen(filename, "r");
-		if (f == NULL) {
-			erec = error(loc, "Could not open file \"%s\": %s\n",
-				     filename, strerror(errno));
-			goto err;
 		}
-		name = filename;
-	}
+		else {
+			/* A simple include file. */
+			f = fopen(buf, "r");
+			if (f == NULL) {
+				erec = error(loc, "Could not open file \"%s\": %s\n",
+						filename, strerror(errno));
+				goto err;
+			}
 
-	erec = scanner_push_file(scanner, name, f, loc);
-	if (erec != NULL)
-		goto err;
+			if (strcmp(".", dirname(buf)) == 0)
+				name = filename;
+
+			erec = scanner_push_file(scanner, name, f, loc);
+			if (erec != NULL)
+				goto err;
+			break;
+		}
+	}
 	return 0;
 
 err:
-- 
2.5.0

Re: [PATCH nft 0/1] Proposal: include directories for rulesets

[Arturo Borrero Gonzalez]

On 2 March 2016 at 13:11, Ismo Puustinen <ismo.puustinen@intel.com> wrote:
> A nice-to-have feature in nft would be the ability to use include
> directories that contain rule files. The use case would be support for
> services dropping their custom configuration files into a directory,
> allowing a more modular firewall configuration.
>
> This is a proof-of-concept patch -- I'm not very familiar with nftables
> code base and conventions.
>

Hi Ismo,

I like the idea. What I'm wondering is if it worth having another
directive like 'includedir' to be more explicit.

-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH nft 0/1] Proposal: include directories for rulesets

[Puustinen, Ismo]

On Fri, 2016-03-04 at 10:57 +0100, Arturo Borrero Gonzalez wrote:
> Hi Ismo,
> 
> I like the idea. What I'm wondering is if it worth having another
> directive like 'includedir' to be more explicit.

Sure, I'm fine with that approach too. If the project leadership
indicates that the include directory approach makes sense, I could do a
patch using the 'includedir' syntax too.

Ismo