author | Phil Sutter <phil@nwl.cc> | 2020-07-10 20:08:35 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2020-07-24 19:15:49 +0200 |
commit | 0b7c22e00622db468846f11809ca0cecc6c7cd97 (patch) | |
tree | ed361a57baa34093872d4bf90c588b4187a11fdd /iptables/nft.c | |
parent | 26ec09bf6b9b674a7e3a65fc9c12599bd81dfe0f (diff) |
nft: Make table creation purely implicit
While asserting a required builtin chain exists, its table is created
implicitly if missing. Exploit this from xtables-restore, too: The only
actions which need adjustment are chain_new and chain_restore, i.e. when
restoring (either builtin or custom) chains.
Note: The call to nft_table_builtin_add() wasn't sufficient as it
doesn't set the table as initialized and therefore a following call to
nft_xt_builtin_init() would override non-default base chain policies.
Note2: The 'table_new' callback in 'nft_xt_restore_cb' is left in place
as xtables-translate uses it to print an explicit 'add table' command.
Note3: The nft_table_new() function has been unused since a7f1e208cdf9c
("nft: split parsing from netlink commands").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 17 |
1 files changed, 3 insertions, 14 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 0c5a74fc..c5ab0dbe 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -350,7 +350,6 @@ static int mnl_append_error(const struct nft_handle *h,
 	case NFT_COMPAT_RULE_SAVE:
 	case NFT_COMPAT_RULE_ZERO:
 	case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-	case NFT_COMPAT_TABLE_NEW:
 		assert(0);
 		break;
 	}
@@ -892,7 +891,7 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
 	}
 	/* if this built-in table does not exists, create it */
-	nft_table_builtin_add(h, _t);
+	nft_xt_builtin_init(h, table);
 	_c = nft_chain_builtin_find(_t, chain);
 	if (_c != NULL) {
@@ -1789,6 +1788,8 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table
 	bool created = false;
 	int ret;
+	nft_xt_builtin_init(h, table);
+
 	c = nft_chain_find(h, table, chain);
 	if (c) {
 		/* Apparently -n still flushes existing user defined
@@ -2099,11 +2100,6 @@ err_out:
 	return ret == 0 ? 1 : 0;
 }
-void nft_table_new(struct nft_handle *h, const char *table)
-{
-	nft_xt_builtin_init(h, table);
-}
-
 static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r)
 {
 	struct obj_update *obj;
@@ -2735,7 +2731,6 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
 	case NFT_COMPAT_RULE_SAVE:
 	case NFT_COMPAT_RULE_ZERO:
 	case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-	case NFT_COMPAT_TABLE_NEW:
 		assert(0);
 		break;
 	}
@@ -2811,7 +2806,6 @@ static void nft_refresh_transaction(struct nft_handle *h)
 	case NFT_COMPAT_RULE_SAVE:
 	case NFT_COMPAT_RULE_ZERO:
 	case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-	case NFT_COMPAT_TABLE_NEW:
 		break;
 	}
 }
@@ -2915,7 +2909,6 @@ retry:
 	case NFT_COMPAT_RULE_SAVE:
 	case NFT_COMPAT_RULE_ZERO:
 	case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-	case NFT_COMPAT_TABLE_NEW:
 		assert(0);
 	}
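Review bot: The return value of the nft_xt_builtin_init() call added at the top of nft_chain_restore is discarded, so if that helper can fail — for instance when `table` names no builtin table, which cannot be confirmed from this hunk since the helper is defined elsewhere in the file — the function continues into nft_chain_find() and chain creation against a table that was never initialized. The same pattern appears in the nft_chain_new hunk, though there `_t` has already been resolved above the hunk, so a lookup failure inside the helper presumably cannot occur on that path. If the helper does report failure, I would check it before the chain lookup, e.g. `if (nft_xt_builtin_init(h, table) < 0)` followed by the function's usual failure return, rather than letting the error surface later from the netlink batch. nft_chain_restore's body continues outside the hunk.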
@@ -3178,10 +3171,6 @@ static int nft_prepare(struct nft_handle *h)
 			ret = ebt_set_user_chain_policy(h, cmd->table, cmd->chain, cmd->policy);
 			break;
-		case NFT_COMPAT_TABLE_NEW:
-			nft_xt_builtin_init(h, cmd->table);
-			ret = 1;
-			break;
 		case NFT_COMPAT_SET_ADD:
 			nft_xt_builtin_init(h, cmd->table);
 			batch_set_add(h, NFT_COMPAT_SET_ADD, cmd->obj.set);