With the introduction of the literal option, two of the three meaningful
numeric levels lost their purpose. In fact, they turned into no-ops, so that
'-n' had to be given three times on the command line to have an effect.

To overcome this, spread the three effects of NFT_NUMERIC_ALL to allow
some selection there. The ordering of them is chosen accordingly to
assumed likeliness for a user to want something numeric:

1) Chain priorities, so it's easy to see in which order they are
   evaluated without having to know the names.

2) User and group IDs, so one doesn't have to consolidate with 'getent'.

3) Protocols, for those more familiar with 6 than 'tcp'.

Note: The above change means '-nn' for instance has not the same effect
      as before, but it has changed already anyway.

Update documentation (help text and man page) accordingly to correctly
describe what 'literal' and 'numeric' options do.

Given that option '-N' ('--reversedns') is now obsolete in favour of
'-ll', remove it from help text and synopsis in man page. Also integrate
it a bit better by making it simply raise literal level to
NFT_LITERAL_ADDR if it is lower, no need to complain if it is not.

One more unrelated change in here: Add brief description of '--json'
option to man page so it becomes consistent with help output.

Signed-off-by: Phil Sutter <p...@nwl.cc>
---
 doc/nft.txt                    | 18 +++++++++++-------
 include/nftables/libnftables.h |  7 +++++--
 src/datatype.c                 |  2 +-
 src/json.c                     |  6 +++---
 src/main.c                     | 16 ++++++++--------
 src/meta.c                     |  4 ++--
 src/rule.c                     |  2 +-
 7 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/doc/nft.txt b/doc/nft.txt
index 9d04e4355f4eb..0e0becfb7a080 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -9,7 +9,7 @@ nft - Administration tool of the nftables framework for packet 
filtering and cla
 SYNOPSIS
 --------
 [verse]
-*nft* [ *-nNscae* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
+*nft* [ *-nlscaej* ] [ *-I* 'directory' ] [ *-f* 'filename' | *-i* | 'cmd' ...]
 *nft* *-h*
 *nft* *-v*
 
@@ -34,10 +34,10 @@ For a full summary of options, run *nft --help*.
 
 *-n*::
 *--numeric*::
-       Show data numerically. When used once (the default behaviour), skip
-       lookup of addresses to symbolic names. Use twice to also show Internet
-       services (port numbers) numerically. Use three times to also show
-       protocols, UIDs/GIDs and priorities numerically.
+       Show data numerically. When used once, show chain priorities
+       numerically instead of in form of 'name + offset'. Use twice to also
+       show user and group IDs numerically. Use three times to also show
+       protocols numerically.
 
 *-s*::
 *--stateless*::
@@ -45,8 +45,8 @@ For a full summary of options, run *nft --help*.
 
 *-l*::
 *--literal*::
-       Translate numeric to literal. When used once (the default
-       behaviour), print services (instead of numerical port numbers). Use
+       Translate numeric to literal. When used once, print services
+       (instead of numerical port numbers). Use
        twice to perform the IP address to name lookup, this usually
        requires network traffic for DNS lookup that slows down the
        ruleset listing.
@@ -79,6 +79,10 @@ For a full summary of options, run *nft --help*.
        Read input from an interactive readline CLI. You can use quit to exit, 
or use the EOF marker,
        normally this is CTRL-D.
 
+*-j*::
+*--json*::
+       Format output in JSON.
+
 INPUT FILE FORMATS
 ------------------
 LEXICAL CONVENTIONS
diff --git a/include/nftables/libnftables.h b/include/nftables/libnftables.h
index dee099f279c10..d1a4e3a7be686 100644
--- a/include/nftables/libnftables.h
+++ b/include/nftables/libnftables.h
@@ -28,8 +28,11 @@ enum nft_debug_level {
 
 enum nft_numeric_level {
        NFT_NUMERIC_NONE,
-       NFT_NUMERIC_ADDR,
-       NFT_NUMERIC_PORT,
+       NFT_NUMERIC_ADDR = 0,   /* backwards compat */
+       NFT_NUMERIC_PORT = 0,   /* backwards compat */
+       NFT_NUMERIC_PRIOS,
+       NFT_NUMERIC_GUID,
+       NFT_NUMERIC_INET_PROTO,
        NFT_NUMERIC_ALL,
 };
 
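Review bot: The renumbering in `enum nft_numeric_level` changes what already-compiled users of this public header get: with `NFT_NUMERIC_ADDR` and `NFT_NUMERIC_PORT` pinned to 0, the enumerators after them restart at 1, so a binary built against the old header that passes 1 or 2 as the numeric level now selects numeric priorities (and, for 2, numeric user and group IDs), and `NFT_NUMERIC_ALL` moves from 3 to 4. The `/* backwards compat */` comments therefore cover source compatibility only. In the hunks of this patch no check distinguishes `NFT_NUMERIC_ALL` from `NFT_NUMERIC_INET_PROTO`, so `NFT_NUMERIC_ALL = NFT_NUMERIC_INET_PROTO,` would keep the old value 3 and keep three `-n` as the top level; the bounds check on the option count in main.c is not part of the diff, so that part is an assumption to confirm. A one-line comment on each new enumerator saying what it makes numeric would also help readers of the header.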
diff --git a/src/datatype.c b/src/datatype.c
index 50af3df04f744..54287cd21ba4f 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -564,7 +564,7 @@ static void inet_protocol_type_print(const struct expr 
*expr,
 {
        struct protoent *p;
 
-       if (octx->numeric < NFT_NUMERIC_ALL) {
+       if (octx->numeric < NFT_NUMERIC_INET_PROTO) {
                p = getprotobynumber(mpz_get_uint8(expr->value));
                if (p != NULL) {
                        nft_print(octx, "%s", p->p_name);
diff --git a/src/json.c b/src/json.c
index 1708f22dda408..9994ef0ae6e7f 100644
--- a/src/json.c
+++ b/src/json.c
@@ -853,7 +853,7 @@ json_t *inet_protocol_type_json(const struct expr *expr,
 {
        struct protoent *p;
 
-       if (octx->numeric < NFT_NUMERIC_ALL) {
+       if (octx->numeric < NFT_NUMERIC_INET_PROTO) {
                p = getprotobynumber(mpz_get_uint8(expr->value));
                if (p != NULL)
                        return json_string(p->p_name);
@@ -913,7 +913,7 @@ json_t *uid_type_json(const struct expr *expr, struct 
output_ctx *octx)
 {
        uint32_t uid = mpz_get_uint32(expr->value);
 
-       if (octx->numeric < NFT_NUMERIC_ALL) {
+       if (octx->numeric < NFT_NUMERIC_GUID) {
                struct passwd *pw = getpwuid(uid);
 
                if (pw)
@@ -926,7 +926,7 @@ json_t *gid_type_json(const struct expr *expr, struct 
output_ctx *octx)
 {
        uint32_t gid = mpz_get_uint32(expr->value);
 
-       if (octx->numeric < NFT_NUMERIC_ALL) {
+       if (octx->numeric < NFT_NUMERIC_GUID) {
                struct group *gr = getgrgid(gid);
 
                if (gr)
diff --git a/src/main.c b/src/main.c
index 792136f527d94..fd549ad4a11a7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -123,11 +123,12 @@ static void show_help(const char *name)
 "  -i, --interactive           Read input from interactive CLI\n"
 "\n"
 "  -j, --json                  Format output in JSON\n"
-"  -n, --numeric                       When specified once, show network 
addresses numerically (default behaviour).\n"
-"                              Specify twice to also show Internet services 
(port numbers) numerically.\n"
-"                              Specify three times to also show protocols, 
user IDs, and group IDs numerically.\n"
+"  -l, --literal                       When specified once, translate known 
port numbers into names.\n"
+"                              Specify twice to also perform reverse DNS 
lookups for IP addresses.\n"
+"  -n, --numeric                       When specified once, show chain 
priorities numerically.\n"
+"                              Specify twice to also show user and group IDs 
numerically.\n"
+"                              Specify three times to also show protocols 
numerically.\n"
 "  -s, --stateless             Omit stateful information of ruleset.\n"
-"  -N                          Translate IP addresses to names.\n"
 "  -a, --handle                        Output rule handle.\n"
 "  -e, --echo                  Echo what has been added, inserted or 
replaced.\n"
 "  -I, --includepath <directory>       Add <directory> to the paths searched 
for include files. Default is: %s\n"
@@ -231,11 +232,10 @@ int main(int argc, char * const *argv)
                        break;
                case OPT_IP2NAME:
                        literal = nft_ctx_output_get_literal(nft);
-                       if (literal + 2 > NFT_LITERAL_ADDR) {
-                               fprintf(stderr, "Cannot combine `-N' with 
`-l'\n");
-                               exit(EXIT_FAILURE);
+                       if (literal < NFT_LITERAL_ADDR) {
+                               literal = NFT_LITERAL_ADDR;
+                               nft_ctx_output_set_literal(nft, literal);
                        }
-                       nft_ctx_output_set_literal(nft, literal + 2);
                        break;
                case OPT_LITERAL:
                        literal = nft_ctx_output_get_literal(nft);
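Review bot: After this change `-N` is still accepted in the `OPT_IP2NAME` case but is no longer listed in the help text or the man page synopsis, and nothing in the code says why the case is kept. A comment above the case body such as `/* obsolete alias for -ll, kept so existing scripts keep working */` would record that. Because this path now raises the literal level silently, it is also worth stating there that it turns on reverse DNS lookups, which the man page describes as generating network traffic during listing. The body of main() continues outside this hunk.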
diff --git a/src/meta.c b/src/meta.c
index 1bd91db275d67..da78fdf80a6a9 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -207,7 +207,7 @@ static void uid_type_print(const struct expr *expr, struct 
output_ctx *octx)
 {
        struct passwd *pw;
 
-       if (octx->numeric < NFT_NUMERIC_ALL) {
+       if (octx->numeric < NFT_NUMERIC_GUID) {
                uint32_t uid = mpz_get_uint32(expr->value);
 
                pw = getpwuid(uid);
@@ -260,7 +260,7 @@ static void gid_type_print(const struct expr *expr, struct 
output_ctx *octx)
 {
        struct group *gr;
 
-       if (octx->numeric < NFT_NUMERIC_ALL) {
+       if (octx->numeric < NFT_NUMERIC_GUID) {
                uint32_t gid = mpz_get_uint32(expr->value);
 
                gr = getgrgid(gid);
diff --git a/src/rule.c b/src/rule.c
index e6d61b670688f..e39508efb8fed 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -969,7 +969,7 @@ static const char *prio2str(char *buf, size_t bufsize, int 
family, int hook,
                arr_size = array_size(std_prios);
        }
 
-       if (numeric != NFT_NUMERIC_ALL) {
+       if (numeric < NFT_NUMERIC_PRIOS) {
                for (i = 0; i < arr_size; ++i) {
                        std_prio = prio_arr[i].val;
                        std_prio_str = prio_arr[i].str;
-- 
2.18.0
