author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-06-26 11:33:22 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-08-18 01:13:35 +0200 |
commit | 05834a0fa84ee461b798308d57ffa1888c05d728 (patch) | |
tree | 886c5f47d85be05773e141678bbb5cbab8260d6a /src/evaluate.c | |
parent | 51d659450c1aecdd881c521ab290439d44125156 (diff) |
src: use cache infrastructure for set objects
This patch populates the cache only once through netlink_list_sets() during
evaluation. As a result, there is a single call to netlink_list_sets().
After this change, we can rid of get_set(). This function was fine by the time
we had no transaction support, but this doesn't work for set objects that are
declared in this batch, so inquiring the kernel doesn't help since they are not
yet available.
As a result of this update, the monitor code gets simplified quite a lot
since it can rely on the set cache. Moreover, we can now validate that the
table and set exist from the evaluation path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/evaluate.c')
-rw-r--r-- | src/evaluate.c | 53 |
1 files changed, 18 insertions, 35 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 8b54dbc0..d5817f9b 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -109,37 +109,6 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx,
 return set_ref_expr_alloc(&expr->location, set);
 }
-// FIXME
-#include <netlink.h>
-static struct set *get_set(struct eval_ctx *ctx, const struct handle *h,
- const char *identifier)
-{
- struct netlink_ctx nctx = {
- .msgs = ctx->msgs,
- };
- struct handle handle;
- struct set *set;
- int err;
- if (ctx->table != NULL) {
- set = set_lookup(ctx->table, identifier);
- if (set != NULL)
- return set;
- }
- init_list_head(&nctx.list);
- memset(&handle, 0, sizeof(handle));
- handle_merge(&handle, h);
- handle.set = xstrdup(identifier);
- err = netlink_get_set(&nctx, &handle, &internal_location);
- handle_free(&handle);
- if (err < 0)
- return NULL;
- return list_first_entry(&nctx.list, struct set, list);
-}
-
 static enum ops byteorder_conversion_op(struct expr *expr,
 enum byteorder byteorder)
 {
@@ -192,6 +161,7 @@ static int expr_evaluate_symbol(struct eval_ctx *ctx, struct expr **expr)
 {
 struct error_record *erec;
 struct symbol *sym;
+ struct table *table;
 struct set *set;
 struct expr *new;
@@ -213,9 +183,15 @@ static int expr_evaluate_symbol(struct eval_ctx *ctx, struct expr **expr)
 new = expr_clone(sym->expr);
 break;
 case SYMBOL_SET:
- set = get_set(ctx, &ctx->cmd->handle, (*expr)->identifier);
+ table = table_lookup(&ctx->cmd->handle);
+ if (table == NULL)
+ return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
+ ctx->cmd->handle.table);
+
+ set = set_lookup(table, (*expr)->identifier);
 if (set == NULL)
- return -1;
+ return cmd_error(ctx, "Could not process rule: Set '%s' does not exist",
+ (*expr)->identifier);
 new = set_ref_expr_alloc(&(*expr)->location, set);
 break;
 }
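Review bot: The table-then-set lookup and both cmd_error() messages added in the SYMBOL_SET case are repeated verbatim in setelem_evaluate() in the next hunk, so the two sites will drift; a small helper that returns the cached set or queues the error would keep one copy, and the callers shrink to the four lines shown below. In expr_evaluate_symbol the failing token is the symbol expression itself, so anchoring the "Set '%s' does not exist" diagnostic at `(*expr)->location` via this file's `expr_error(ctx->msgs, *expr, ...)` would point the user at the `@name` reference instead of the whole command. The prefix "Could not process rule:" is also copied into setelem_evaluate, where the command is a set-element operation rather than a rule, so the shared wording should be neutral. The removed get_set() additionally consulted `ctx->table` for sets declared in the batch being evaluated; I assume the cache now covers tables created in the same batch, but that is worth confirming, since table_lookup() would otherwise report a spurious "does not exist" for a table and set defined earlier in the same file. expr_evaluate_symbol starts and ends outside the hunk.
```c
/* Resolve the set named @name in the command's table from the object
 * cache.  On failure the diagnostic has already been queued through
 * cmd_error() and NULL is returned; callers return -1 as the replaced
 * code did. */
static struct set *set_lookup_or_error(struct eval_ctx *ctx, const char *name)
{
	struct table *table;
	struct set *set;

	table = table_lookup(&ctx->cmd->handle);
	if (table == NULL) {
		cmd_error(ctx, "Could not process command: Table '%s' does not exist",
			  ctx->cmd->handle.table);
		return NULL;
	}

	set = set_lookup(table, name);
	if (set == NULL)
		cmd_error(ctx, "Could not process command: Set '%s' does not exist",
			  name);
	return set;
}

/* … unchanged: expr_evaluate_symbol up to the SYMBOL_SET case … */
	case SYMBOL_SET:
		set = set_lookup_or_error(ctx, (*expr)->identifier);
		if (set == NULL)
			return -1;
		new = set_ref_expr_alloc(&(*expr)->location, set);
		break;
```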
@@ -1737,11 +1713,18 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
 static int setelem_evaluate(struct eval_ctx *ctx, struct expr **expr)
 {
+ struct table *table;
 struct set *set;
- set = get_set(ctx, &ctx->cmd->handle, ctx->cmd->handle.set);
+ table = table_lookup(&ctx->cmd->handle);
+ if (table == NULL)
+ return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
+ ctx->cmd->handle.table);
+ set = set_lookup(table, ctx->cmd->handle.set);
 if (set == NULL)
- return -1;
+ return cmd_error(ctx, "Could not process rule: Set '%s' does not exist",
+ ctx->cmd->handle.set);
 ctx->set = set;
 expr_set_context(&ctx->ectx, set->keytype, set->keylen); |