author | Patrick McHardy <kaber@trash.net> | 2014-01-09 18:54:02 +0000 |
committer | Patrick McHardy <kaber@trash.net> | 2014-01-09 18:54:02 +0000 |
commit | f930cc50031851c6975058e33408214ad0c240b6 (patch) | |
tree | fb9cb26875448789bf602aeec1886c0c7493edf1 /src | |
parent | a54d7b05fb241dae62039d2c200e9a18941cf250 (diff) |
nftables: fix supression of "permission denied" errors
The introduction of batch support broke the display of EPERM errors, since those are
generated by the kernel before batch processing starts and thus carry the
sequence number of the NFNL_MSG_BATCH_BEGIN message instead of that of the
command messages. Also, only a single error message is generated for the
entire batch.
This patch fixes this by noting the batch sequence number and displaying
the error for all commands since this is what would happen if the
permission check was inside batch processing as every other check.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'src')
-rw-r--r-- | src/main.c | 12 | ||||
-rw-r--r-- | src/mnl.c | 8 |
2 files changed, 13 insertions, 7 deletions
@@ -156,9 +156,10 @@ static int nft_netlink(struct parser_state *state, struct list_head *msgs)
 struct cmd *cmd, *next;
 struct mnl_err *err, *tmp;
 LIST_HEAD(err_list);
+ uint32_t batch_seqnum;
 int ret = 0;
- mnl_batch_begin();
+ batch_seqnum = mnl_batch_begin();
 list_for_each_entry(cmd, &state->cmds, list) {
 memset(&ctx, 0, sizeof(ctx));
 ctx.msgs = msgs;
@@ -179,12 +180,15 @@ static int nft_netlink(struct parser_state *state, struct list_head *msgs)
 list_for_each_entry_safe(err, tmp, &err_list, head) {
 list_for_each_entry(cmd, &state->cmds, list) {
- if (err->seqnum == cmd->seqnum) {
+ if (err->seqnum == cmd->seqnum ||
+ err->seqnum == batch_seqnum) {
 netlink_io_error(&ctx, &cmd->location, "Could not process rule in batch: %s", strerror(err->err));
- mnl_err_list_free(err);
- break;
+ if (err->seqnum == cmd->seqnum) {
+ mnl_err_list_free(err);
+ break;
+ }
 }
 }
 }
@@ -106,7 +106,7 @@ static void mnl_batch_page_add(void)
 batch = mnl_batch_alloc();
 }
-static void mnl_batch_put(int type)
+static uint32_t mnl_batch_put(int type)
 {
 struct nlmsghdr *nlh;
 struct nfgenmsg *nfg;
@@ -123,11 +123,13 @@ static void mnl_batch_put(int type)
 if (!mnl_nlmsg_batch_next(batch))
 mnl_batch_page_add();
+
+ return nlh->nlmsg_seq;
 }
-void mnl_batch_begin(void)
+uint32_t mnl_batch_begin(void)
 {
- mnl_batch_put(NFNL_MSG_BATCH_BEGIN);
+ return mnl_batch_put(NFNL_MSG_BATCH_BEGIN);
 }
 void mnl_batch_end(void) |
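Review bot: An error whose seqnum equals batch_seqnum is now reported once per command but is never taken off err_list, because the inner `if (err->seqnum == cmd->seqnum)` is the only path that calls mnl_err_list_free(); the batch-level entry therefore survives the outer loop and is leaked unless err_list is released after it, which would be outside this hunk. If nothing frees it later, release it after the inner list_for_each_entry, e.g. `if (err->seqnum == batch_seqnum) mnl_err_list_free(err);`, which is safe because the outer loop is the list_for_each_entry_safe variant. A batch-level error is also reported only through a command's location, so it is silently dropped when state->cmds is empty; that may be acceptable but deserves a one-line comment. The same `err->seqnum == cmd->seqnum` comparison is evaluated twice in the new code; a local `bool cmd_err = err->seqnum == cmd->seqnum;` before the outer if would make the two branches easier to follow. nft_netlink starts and ends outside this hunk.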
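Review bot: `return nlh->nlmsg_seq;` reads through nlh after mnl_nlmsg_batch_next() and possibly mnl_batch_page_add() have run, and the preceding hunk shows mnl_batch_page_add() reassigning `batch` to a fresh allocation; whether the page nlh points into is still valid at that point depends on what mnl_batch_page_add() does with the old one, which is not shown. Capturing the sequence number before the batch is advanced removes that dependency: `uint32_t seq = nlh->nlmsg_seq;` where the header fields are filled in (between the two mnl.c hunks), then `return seq;` at the end. The new uint32_t return type of mnl_batch_begin() also has to be mirrored in its prototype in the header; the diffstat is limited to src/, so that part of the change cannot be confirmed from this page. mnl_batch_put's body between its signature and this hunk is not visible.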