From 1e8ef6a5847549af6fa2edc4fd642cf259ef2ba1 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 20 Aug 2019 21:41:12 +0200
Subject: nft: family_ops: Pass nft_handle to 'rule_to_cs' callback

This is the actual callback used to parse nftables rules. Pass nft_handle to it so it can access the cache (and possible sets therein).

Having to pass nft_handle to nft_rule_print_save() allows to simplify it a bit since no family ops lookup has to be done anymore.

Signed-off-by: Phil Sutter
Acked-by: Pablo Neira Ayuso
---
 iptables/nft-arp.c | 4 ++--
 iptables/nft-bridge.c | 9 +++++----
 iptables/nft-ipv4.c | 2 +-
 iptables/nft-ipv6.c | 2 +-
 iptables/nft-shared.c | 5 +++--
 iptables/nft-shared.h | 5 +++--
 iptables/nft.c | 18 ++++++++----------
 iptables/nft.h | 4 ++--
 iptables/xtables-monitor.c | 17 +++++++++++++++--
 iptables/xtables-save.c | 3 +++
 10 files changed, 43 insertions(+), 26 deletions(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index da22c12d..d4a86610 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -590,7 +590,7 @@ nft_arp_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 if (format & FMT_LINENUMBERS)
 printf("%u ", num);
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
 nft_arp_print_rule_details(&cs, format);
 print_matches_and_target(&cs, format);
@@ -641,7 +641,7 @@ static bool nft_arp_rule_find(struct nft_handle *h, struct nftnl_rule *r,
 bool ret = false;
 /* Delete by matching rule case */
- nft_rule_to_iptables_command_state(r, &this);
+ nft_rule_to_iptables_command_state(h, r, &this);
 if (!nft_arp_is_same(&cs->arp, &this.arp))
 goto out;
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index b0c6c5a4..20ce92a6 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -333,11 +333,12 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
 cs->target = t;
 }
-static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,
+static void nft_rule_to_ebtables_command_state(struct nft_handle *h,
+ const struct nftnl_rule *r,
 struct iptables_command_state *cs)
 {
 cs->eb.bitmask = EBT_NOPROTO;
- nft_rule_to_iptables_command_state(r, cs);
+ nft_rule_to_iptables_command_state(h, r, cs);
 }
 static void print_iface(const char *option, const char *name, bool invert)
@@ -480,7 +481,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 if (format & FMT_LINENUMBERS)
 printf("%d ", num);
- nft_rule_to_ebtables_command_state(r, &cs);
+ nft_rule_to_ebtables_command_state(h, r, &cs);
 nft_bridge_save_rule(&cs, format);
 ebt_cs_clean(&cs);
 }
@@ -544,7 +545,7 @@ static bool nft_bridge_rule_find(struct nft_handle *h, struct nftnl_rule *r,
 struct iptables_command_state this = {};
 bool ret = false;
- nft_rule_to_ebtables_command_state(r, &this);
+ nft_rule_to_ebtables_command_state(h, r, &this);
 DEBUGP("comparing with... ");
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 98d7f966..70634f8f 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -266,7 +266,7 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 {
 struct iptables_command_state cs = {};
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
 print_rule_details(&cs, cs.jumpto, cs.fw.ip.flags, cs.fw.ip.invflags, cs.fw.ip.proto, num, format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 56236bff..d01491bf 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -192,7 +192,7 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
 {
 struct iptables_command_state cs = {};
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
 print_rule_details(&cs, cs.jumpto, cs.fw6.ipv6.flags, cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b6d85f1a..bdbd3238 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -591,7 +591,8 @@ static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 ops->parse_match(match, ctx->cs);
 }
-void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
+void nft_rule_to_iptables_command_state(struct nft_handle *h,
+ const struct nftnl_rule *r,
 struct iptables_command_state *cs)
 {
 struct nftnl_expr_iter *iter;
@@ -987,7 +988,7 @@ bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, void *data)
 struct iptables_command_state *cs = data, this = {};
 bool ret = false;
- nft_rule_to_iptables_command_state(r, &this);
+ nft_rule_to_iptables_command_state(h, r, &this);
 DEBUGP("comparing with... ");
 #ifdef DEBUG_DEL
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 4523dda9..a85d5442 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -101,7 +101,7 @@ struct nft_family_ops {
 struct xtables_args *args);
 void (*parse_match)(struct xtables_match *m, void *data);
 void (*parse_target)(struct xtables_target *t, void *data);
- void (*rule_to_cs)(const struct nftnl_rule *r,
+ void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r,
 struct iptables_command_state *cs);
 void (*clear_cs)(struct iptables_command_state *cs);
 bool (*rule_find)(struct nft_handle *h, struct nftnl_rule *r,
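Review bot: The new `h` parameter of the `rule_to_cs` callback is undocumented: nothing in this hunk of nft-shared.h says what a family implementation may rely on `h` for, or whether a caller may pass NULL. The commit message says the handle is passed so the parser can reach the cache, so a one-line comment on the member would pin that contract, e.g. `/* h: initialized handle; implementations may consult its cache, callers must not pass NULL */`. The same note applies to the `nft_rule_to_iptables_command_state()` prototype changed in the next hunk and to its definition in nft-shared.c above, whose visible lines do not yet use `h`. The `struct nft_family_ops` definition starts and ends outside this hunk.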
@@ -138,7 +138,8 @@ int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
 unsigned char *outiface_mask, uint8_t *invflags);
 void print_proto(uint16_t proto, int invert);
 void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
-void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
+void nft_rule_to_iptables_command_state(struct nft_handle *h,
+ const struct nftnl_rule *r,
 struct iptables_command_state *cs);
 void nft_clear_iptables_command_state(struct iptables_command_state *cs);
 void print_header(unsigned int format, const char *chain, const char *pol,
diff --git a/iptables/nft.c b/iptables/nft.c
index 049c3cfa..36c3bc2d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -351,7 +351,7 @@ static int mnl_append_error(const struct nft_handle *h,
 nftnl_rule_get_str(o->rule, NFTNL_RULE_CHAIN));
 #if 0
 {
- nft_rule_print_save(o->rule, NFT_RULE_APPEND, FMT_NOCOUNTS);
+ nft_rule_print_save(h, o->rule, NFT_RULE_APPEND, FMT_NOCOUNTS);
 }
 #endif
 break;
@@ -1220,16 +1220,14 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
 }
 void
-nft_rule_print_save(const struct nftnl_rule *r, enum nft_rule_print type,
- unsigned int format)
+nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
+ enum nft_rule_print type, unsigned int format)
 {
 const char *chain = nftnl_rule_get_str(r, NFTNL_RULE_CHAIN);
- int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY);
 struct iptables_command_state cs = {};
- struct nft_family_ops *ops;
+ struct nft_family_ops *ops = h->ops;
- ops = nft_family_ops_lookup(family);
- ops->rule_to_cs(r, &cs);
+ ops->rule_to_cs(h, r, &cs);
 if (!(format & (FMT_NOCOUNTS | FMT_C_COUNTS)) && ops->save_counters)
 ops->save_counters(&cs);
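Review bot: The `#if 0` block in `mnl_append_error()` now passes `h`, which the hunk header declares as `const struct nft_handle *`, to `nft_rule_print_save()`, whose new prototype takes a non-const `struct nft_handle *`; the call only stays diagnostic-free because it is compiled out, so whoever re-enables this debug print will get a discarded-qualifier warning (or an error under -Werror). Either drop the dead block or keep it buildable, e.g. `nft_rule_print_save((struct nft_handle *)h, o->rule, NFT_RULE_APPEND, FMT_NOCOUNTS);` with a comment explaining why the cast is acceptable there. The enclosing function starts and ends outside the hunk.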
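Review bot: `struct nft_family_ops *ops = h->ops;` in `nft_rule_print_save()` replaces the per-rule `nft_family_ops_lookup()` with an unchecked dereference, so every caller must now guarantee that `h->ops` is populated before printing. The xtables-save.c hunk adds `h.ops = nft_family_ops_lookup(h.family)` after `nft_init()`, which suggests `nft_init()` does not set it, yet the xtables-monitor.c hunks that introduce `struct nft_handle h = {}` and hand it to `rule_cb()` through `cb_arg` only call `nft_init(&h, xtables_ipv4)` and never assign `h.ops` — if that reading is right, the first rule event dereferences a NULL `ops`. Either set `h.ops` in `xtables_monitor_main()` once the family is known, as xtables-save.c does, or keep a fallback here such as `if (!ops) ops = nft_family_ops_lookup(nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY));`. The body of `nft_rule_print_save()` continues past the end of this hunk.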
@@ -1392,7 +1390,7 @@ static int nft_chain_save_rules(struct nft_handle *h,
 r = nftnl_rule_iter_next(iter);
 while (r != NULL) {
- nft_rule_print_save(r, NFT_RULE_APPEND, format);
+ nft_rule_print_save(h, r, NFT_RULE_APPEND, format);
 r = nftnl_rule_iter_next(iter);
 }
@@ -2245,7 +2243,7 @@ static void list_save(struct nft_handle *h, struct nftnl_rule *r,
 unsigned int num, unsigned int format)
 {
- nft_rule_print_save(r, NFT_RULE_APPEND, format);
+ nft_rule_print_save(h, r, NFT_RULE_APPEND, format);
 }
 static int __nftnl_rule_list_chain_save(struct nftnl_chain *c, void *data)
@@ -2357,7 +2355,7 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
 goto error;
 }
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
 cs.counters.pcnt = cs.counters.bcnt = 0;
diff --git a/iptables/nft.h b/iptables/nft.h
index 94dc72d8..e157b525 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -146,8 +146,8 @@ enum nft_rule_print {
 NFT_RULE_DEL,
 };
-void nft_rule_print_save(const struct nftnl_rule *r, enum nft_rule_print type,
- unsigned int format);
+void nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
+ enum nft_rule_print type, unsigned int format);
 uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index eb80bac8..a5245d14 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -11,6 +11,7 @@
 #define _GNU_SOURCE
 #include "config.h"
+#include
 #include
 #include
 #include
@@ -41,6 +42,7 @@ struct cb_arg {
 uint32_t nfproto;
 bool is_event;
+ struct nft_handle *h;
 };
 static int table_cb(const struct nlmsghdr *nlh, void *data)
@@ -106,7 +108,7 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 }
 printf("-t %s ", nftnl_rule_get_str(r, NFTNL_RULE_TABLE));
- nft_rule_print_save(r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
+ nft_rule_print_save(arg->h, r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
 NFT_RULE_DEL, counters ? 0 : FMT_NOCOUNTS);
 err_free:
@@ -593,7 +595,10 @@ int xtables_monitor_main(int argc, char *argv[])
 struct mnl_socket *nl;
 char buf[MNL_SOCKET_BUFFER_SIZE];
 uint32_t nfgroup = 0;
- struct cb_arg cb_arg = {};
+ struct nft_handle h = {};
+ struct cb_arg cb_arg = {
+ .h = &h,
+ };
 int ret, c;
 xtables_globals.program_name = "xtables-monitor";
@@ -610,6 +615,14 @@ int xtables_monitor_main(int argc, char *argv[])
 init_extensions4();
 #endif
+ if (nft_init(&h, xtables_ipv4)) {
+ fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+ xtables_globals.program_name,
+ xtables_globals.program_version,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
 opterr = 0;
 while ((c = getopt_long(argc, argv, "ceht46V", options, NULL)) != -1) {
 switch (c) {
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 44687f99..3a52f8c3 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -249,6 +249,9 @@ xtables_save_main(int family, int argc, char *argv[],
 strerror(errno));
 exit(EXIT_FAILURE);
 }
+ h.ops = nft_family_ops_lookup(h.family);
+ if (!h.ops)
+ xtables_error(PARAMETER_PROBLEM, "Unknown family");
 ret = do_output(&h, tablename, &d);
 nft_fini(&h);
--
cgit v1.2.3