| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-06-15 14:35:33 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-06-16 18:59:18 +0200 |
| commit | 509671dfa03365bba727b8be5e522b737da93a6f (patch) | |
| tree | 1f8ed73f117cf2f37f33ad2b7a088aea312609e9 /src/ct.c | |
| parent | 8ba13b7424fbfa18bd1aeebd1c4add67a1f6d2a2 (diff) | |
src: error reporting for nested ruleset representation
If you load a file using the nested ruleset representation, i.e. the one
you get via `nft list ruleset', error reporting doesn't help you much to
find the problem.
For example, the following ruleset points to a nonexistent chain 'x':
table test {
chain test {
type filter hook ingress priority 0; policy drop;
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
}
}
Error reporting is very sparse as it says:
# nft -f /home/test/x
/home/test/x:1:1-2: Error: Could not process rule: No such file or directory
table netdev test{
^^
So it's hard to know what is exactly missing.
This patch enhances the existing logic, so nft points to the rule
causing the problem, i.e.
# nft -f /home/test/x
/home/test/x:4:17-70: Error: Could not process rule: No such file or directory
ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The idea behind this patch is to expand the single table command into a
list of individual commands, one per nested object inside the table.
This expanded list is spliced into the existing list of commands. Thus,
each command gets a sequence number that helps us correlate the error
with the command that triggers it.
This patch also includes reference counting for rules and objects. This
was already in place for tables, chains and sets. We need this since now
we hold references to them from both the command and the table object
itself. So the last reference releases the object from memory. Note that
table objects still keep the list of chains, sets, etc. since the
existing cache logic needs this to work.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
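The idea the commit describes, flattening a nested table into one command per object so that an error can be traced back to the rule's own source location, can be modelled outside of nft. The following Python program is an added illustration written for this page; it is not nft's code and does not reproduce its parser. It assumes a simplified ruleset grammar (one object per line, `table`/`chain` blocks closed by a lone `}`), constructs the ruleset from the commit message as sample input, expands it into a sequence-numbered command list, checks `jump`/`goto` targets against the chains declared in the same table, and formats the error the way the commit's "after" output does (file:line:col-col plus a caret underline). The column span 4:17-70 in the commit message is reproduced because the sample rule is indented by 16 spaces.

```python
"""Toy model of nested-ruleset expansion with per-command error locations.

Constructed illustration for this page; not nft's implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Command:
    seq: int            # position in the expanded command list (the "sequence number")
    kind: str           # "table", "chain" or "rule"
    table: str
    chain: Optional[str]
    text: str           # the object's source text without indentation
    line: int           # 1-based line in the ruleset file
    col_start: int      # 1-based column span of the object's text
    col_end: int


def expand_ruleset(src: str) -> List[Command]:
    """Flatten a nested ruleset into one command per object, in file order."""
    cmds: List[Command] = []
    table: Optional[str] = None
    chain: Optional[str] = None
    for lineno, raw in enumerate(src.splitlines(), 1):
        text = raw.strip()
        if not text:
            continue
        if text == "}":                      # closes the innermost open block
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        col_start = len(raw) - len(raw.lstrip()) + 1
        col_end = col_start + len(text) - 1
        seq = len(cmds)
        m = re.fullmatch(r"table\s+(?:(\w+)\s+)?(\w+)\s*\{", text)
        if m:
            table = m.group(2)
            cmds.append(Command(seq, "table", table, None, text, lineno, col_start, col_end))
            continue
        m = re.fullmatch(r"chain\s+(\w+)\s*\{", text)
        if m:
            chain = m.group(1)
            cmds.append(Command(seq, "chain", table, chain, text, lineno, col_start, col_end))
            continue
        if text.startswith("type "):         # hook/policy line belongs to the chain itself
            continue
        cmds.append(Command(seq, "rule", table, chain, text, lineno, col_start, col_end))
    return cmds


def check_jump_targets(cmds: List[Command]) -> List[Tuple[Command, str]]:
    """Return (command, message) for every rule whose jump/goto target chain is missing."""
    chains = {(c.table, c.chain) for c in cmds if c.kind == "chain"}
    errors: List[Tuple[Command, str]] = []
    for c in cmds:
        if c.kind != "rule":
            continue
        m = re.search(r"\b(?:jump|goto)\s+(\w+)\s*$", c.text)
        if m and (c.table, m.group(1)) not in chains:
            # Same wording nft uses when the kernel rejects the rule with ENOENT.
            errors.append((c, "Could not process rule: No such file or directory"))
    return errors


def format_error(filename: str, cmd: Command, msg: str) -> str:
    """Render an error like nft -f: location, message, source line, caret underline."""
    indent = " " * (cmd.col_start - 1)
    caret = "^" * (cmd.col_end - cmd.col_start + 1)
    return f"{filename}:{cmd.line}:{cmd.col_start}-{cmd.col_end}: Error: {msg}\n" \
           f"{indent}{cmd.text}\n{indent}{caret}"


# Constructed sample: the ruleset from the commit message, indented as nft prints it.
RULESET = """\
table test {
        chain test {
                type filter hook ingress priority 0; policy drop;
                ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x
        }
}
"""


def report(filename: str, src: str) -> List[str]:
    """Expand, check and format all errors for a ruleset file."""
    cmds = expand_ruleset(src)
    return [format_error(filename, c, msg) for c, msg in check_jump_targets(cmds)]


if __name__ == "__main__":
    for err in report("/home/test/x", RULESET):
        print(err)
```

Without the expansion step there would be a single command for the whole table, and the only location available to attach the kernel's error to is the `table test {` line, which is exactly the unhelpful `1:1-2` report the commit message quotes.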
Diffstat (limited to 'src/ct.c')
0 files changed, 0 insertions, 0 deletions