diff options
| author | Jan Palus <atler@pld-linux.org> | 2020-12-28 10:59:42 +0100 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2023-08-05 01:30:05 +0200 |
| commit | d5c869add2501aa722682c825b7b9ee247d22ec8 (patch) | |
| tree | 38d75e614b8e8d86a02e9896c5e872fa449e20f6 | |
| parent | 952186aa0342f6bf3c4614a609525338d057d8d9 (diff) | |
nft: move processing logic out of asserts
[Phil: Introduce assert_nft_restart() to keep things clean, also add
fallback returns to nft_action() and nft_prepare(), sanitizing
things at least a bit.]
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1487
Signed-off-by: Jan Palus <atler@pld-linux.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
| -rw-r--r-- | iptables/nft-cache.c | 16 | ||||
| -rw-r--r-- | iptables/nft.c | 7 |
2 files changed, 17 insertions, 6 deletions
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c index fabb5779..91d29670 100644 --- a/iptables/nft-cache.c +++ b/iptables/nft-cache.c @@ -26,6 +26,14 @@ #include "nft-cache.h" #include "nft-chain.h" +/* users may define NDEBUG */ +static void assert_nft_restart(struct nft_handle *h) +{ + int rc = nft_restart(h); + + assert(rc >= 0); +} + static void cache_chain_list_insert(struct list_head *list, const char *name) { struct cache_chain *pos = NULL, *new; @@ -147,7 +155,7 @@ static int fetch_table_cache(struct nft_handle *h) ret = mnl_talk(h, nlh, nftnl_table_list_cb, h); if (ret < 0 && errno == EINTR) - assert(nft_restart(h) >= 0); + assert_nft_restart(h); for (i = 0; i < NFT_TABLE_MAX; i++) { enum nft_table_type type = h->tables[i].type; @@ -472,7 +480,7 @@ static int fetch_set_cache(struct nft_handle *h, ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d); if (ret < 0 && errno == EINTR) { - assert(nft_restart(h) >= 0); + assert_nft_restart(h); return ret; } @@ -512,7 +520,7 @@ static int __fetch_chain_cache(struct nft_handle *h, ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d); if (ret < 0 && errno == EINTR) - assert(nft_restart(h) >= 0); + assert_nft_restart(h); return ret; } @@ -606,7 +614,7 @@ static int nft_rule_list_update(struct nft_chain *nc, void *data) ret = mnl_talk(h, nlh, nftnl_rule_list_cb, &rld); if (ret < 0 && errno == EINTR) - assert(nft_restart(h) >= 0); + assert_nft_restart(h); nftnl_rule_free(rule); diff --git a/iptables/nft.c b/iptables/nft.c index b702c65a..326dc20b 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -109,7 +109,9 @@ static struct nftnl_batch *mnl_batch_init(void) static void mnl_nft_batch_continue(struct nftnl_batch *batch) { - assert(nftnl_batch_update(batch) >= 0); + int ret = nftnl_batch_update(batch); + + assert(ret >= 0); } static uint32_t mnl_batch_begin(struct nftnl_batch *batch, uint32_t genid, uint32_t seqnum) @@ -3227,6 +3229,7 @@ retry: case NFT_COMPAT_RULE_ZERO: case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE: assert(0); + return 0; } mnl_nft_batch_continue(h->batch); @@ -3504,7 +3507,7 @@ static int nft_prepare(struct nft_handle *h) case NFT_COMPAT_TABLE_ADD: case NFT_COMPAT_CHAIN_ADD: assert(0); - break; + return 0; } nft_cmd_free(cmd); |