From d5c869add2501aa722682c825b7b9ee247d22ec8 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Mon, 28 Dec 2020 10:59:42 +0100
Subject: nft: move processing logic out of asserts
[Phil: Introduce assert_nft_restart() to keep things clean, also add fallback returns to nft_action() and nft_prepare(), sanitizing things at least a bit.]
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1487
Signed-off-by: Jan Palus
Signed-off-by: Phil Sutter
---
 iptables/nft.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'iptables/nft.c')
diff --git a/iptables/nft.c b/iptables/nft.c
index b702c65a..326dc20b 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -109,7 +109,9 @@ static struct nftnl_batch *mnl_batch_init(void)
 static void mnl_nft_batch_continue(struct nftnl_batch *batch)
 {
- assert(nftnl_batch_update(batch) >= 0);
+ int ret = nftnl_batch_update(batch);
+
+ assert(ret >= 0);
 }
 static uint32_t mnl_batch_begin(struct nftnl_batch *batch, uint32_t genid, uint32_t seqnum)
@@ -3227,6 +3229,7 @@ retry:
 case NFT_COMPAT_RULE_ZERO:
 case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
 assert(0);
+ return 0;
 }
 mnl_nft_batch_continue(h->batch);
@@ -3504,7 +3507,7 @@ static int nft_prepare(struct nft_handle *h)
 case NFT_COMPAT_TABLE_ADD:
 case NFT_COMPAT_CHAIN_ADD:
 assert(0);
- break;
+ return 0;
 }
 nft_cmd_free(cmd);
-- 
cgit v1.2.3
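Review bot: In mnl_nft_batch_continue() the result of nftnl_batch_update() is still enforced only by `assert(ret >= 0)`, so a build with NDEBUG defined now makes the call but ignores a failure, and the caller goes on using the batch. Such a build will probably also warn that `ret` is set but never used. Because the function returns void, an explicit fatal path would keep the check in every build, for example `if (nftnl_batch_update(batch) < 0) xtables_error(RESOURCE_PROBLEM, "cannot extend netlink batch");` (the message text is only a suggestion). What a negative return signifies is defined in libnftnl and is not visible here; presumably it is an allocation failure.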
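Review bot: The `return 0;` added after `assert(0)` leaves nft_action() from inside the switch below the `retry:` label, so with asserts compiled out an unexpected command type ends the function without any diagnostic. It also skips whatever the function does after the loop. The rest of nft_action() is outside this hunk; if it releases the batch or reports errors at the end, setting a failure result and jumping to that cleanup would be safer than returning here. At a minimum the line deserves a comment such as `/* not reached; fail the commit when asserts are compiled out */` so that the meaning of 0 is stated where it is returned.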
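Review bot: Replacing `break` with `return 0;` means the `nft_cmd_free(cmd);` that follows the switch no longer runs on this path, so in an NDEBUG build the current command is left unfreed when nft_prepare() returns. Whether a caller later frees the remaining command list cannot be seen from this hunk, and the enclosing loop and any result variable are also outside it. If the function tracks its result in a local, `ret = 0; break;` would report the failure while keeping the free.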