From e7b6180fcf9061852a06f6d98e7618f44fd0eeec Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 7 May 2020 18:53:47 +0200 Subject: nft: Merge nft_*_rule_find() functions Both ebtables and arptables are fine with using nft_ipv46_rule_find() instead of their own implementations. Take the chance and move the former into nft.c as a static helper since it is used in a single place, only. Then get rid of the callback from family_ops. Signed-off-by: Phil Sutter --- iptables/nft-arp.c | 28 ---------------------------- iptables/nft-bridge.c | 38 -------------------------------------- iptables/nft-ipv4.c | 1 - iptables/nft-ipv6.c | 1 - iptables/nft-shared.c | 39 --------------------------------------- iptables/nft-shared.h | 4 ---- iptables/nft.c | 41 ++++++++++++++++++++++++++++++++++++++++- 7 files changed, 40 insertions(+), 112 deletions(-) (limited to 'iptables') diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 9a831efd..23ab73cb 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -635,33 +635,6 @@ static bool nft_arp_is_same(const void *data_a, (unsigned char *)b->arp.outiface_mask); } -static bool nft_arp_rule_find(struct nft_handle *h, struct nftnl_rule *r, - struct nftnl_rule *rule) -{ - struct iptables_command_state _cs = {}, *cs = &_cs; - struct iptables_command_state this = {}; - bool ret = false; - - /* Delete by matching rule case */ - nft_rule_to_iptables_command_state(h, r, &this); - nft_rule_to_iptables_command_state(h, rule, cs); - - if (!nft_arp_is_same(&cs->arp, &this.arp)) - goto out; - - if (!compare_targets(cs->target, this.target)) - goto out; - - if (this.jumpto && strcmp(cs->jumpto, this.jumpto) != 0) - goto out; - - ret = true; -out: - h->ops->clear_cs(&this); - h->ops->clear_cs(cs); - return ret; -} - static void nft_arp_save_chain(const struct nftnl_chain *c, const char *policy) { const char *chain = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME); @@ -684,6 +657,5 @@ struct nft_family_ops nft_family_ops_arp = { .post_parse = NULL, .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = nft_clear_iptables_command_state, - .rule_find = nft_arp_rule_find, .parse_target = nft_ipv46_parse_target, }; diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index 39a2f704..18f5e78f 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -756,43 +756,6 @@ static bool nft_bridge_is_same(const void *data_a, const void *data_b) return strcmp(a->in, b->in) == 0 && strcmp(a->out, b->out) == 0; } -static bool nft_bridge_rule_find(struct nft_handle *h, struct nftnl_rule *r, - struct nftnl_rule *rule) -{ - struct iptables_command_state _cs = {}, *cs = &_cs; - struct iptables_command_state this = {}; - bool ret = false; - - nft_rule_to_ebtables_command_state(h, r, &this); - nft_rule_to_ebtables_command_state(h, rule, cs); - - DEBUGP("comparing with... "); - - if (!nft_bridge_is_same(cs, &this)) - goto out; - - if (!compare_matches(cs->matches, this.matches)) { - DEBUGP("Different matches\n"); - goto out; - } - - if (!compare_targets(cs->target, this.target)) { - DEBUGP("Different target\n"); - goto out; - } - - if (cs->jumpto != NULL && strcmp(cs->jumpto, this.jumpto) != 0) { - DEBUGP("Different verdict\n"); - goto out; - } - - ret = true; -out: - h->ops->clear_cs(&this); - h->ops->clear_cs(cs); - return ret; -} - static int xlate_ebmatches(const struct iptables_command_state *cs, struct xt_xlate *xl) { int ret = 1, numeric = cs->options & OPT_NUMERIC; @@ -974,6 +937,5 @@ struct nft_family_ops nft_family_ops_bridge = { .post_parse = NULL, .rule_to_cs = nft_rule_to_ebtables_command_state, .clear_cs = ebt_cs_clean, - .rule_find = nft_bridge_rule_find, .xlate = nft_bridge_xlate, }; diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 69691fe2..ba789da0 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -457,6 +457,5 @@ struct nft_family_ops nft_family_ops_ipv4 = { .parse_target = nft_ipv46_parse_target, .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = nft_clear_iptables_command_state, - .rule_find = nft_ipv46_rule_find, .xlate = nft_ipv4_xlate, }; diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 76f2613d..84bcf1c5 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -409,6 +409,5 @@ struct nft_family_ops nft_family_ops_ipv6 = { .parse_target = nft_ipv46_parse_target, .rule_to_cs = nft_rule_to_iptables_command_state, .clear_cs = nft_clear_iptables_command_state, - .rule_find = nft_ipv46_rule_find, .xlate = nft_ipv6_xlate, }; diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index bfc7bc22..53cd4cae 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -989,45 +989,6 @@ void nft_ipv46_parse_target(struct xtables_target *t, void *data) cs->target = t; } -bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, - struct nftnl_rule *rule) -{ - struct iptables_command_state _cs = {}, this = {}, *cs = &_cs; - bool ret = false; - - nft_rule_to_iptables_command_state(h, r, &this); - nft_rule_to_iptables_command_state(h, rule, cs); - - DEBUGP("comparing with... "); -#ifdef DEBUG_DEL - nft_rule_print_save(h, r, NFT_RULE_APPEND, 0); -#endif - if (!h->ops->is_same(cs, &this)) - goto out; - - if (!compare_matches(cs->matches, this.matches)) { - DEBUGP("Different matches\n"); - goto out; - } - - if (!compare_targets(cs->target, this.target)) { - DEBUGP("Different target\n"); - goto out; - } - - if ((!cs->target || !this.target) && - strcmp(cs->jumpto, this.jumpto) != 0) { - DEBUGP("Different verdict\n"); - goto out; - } - - ret = true; -out: - h->ops->clear_cs(&this); - h->ops->clear_cs(cs); - return ret; -} - void nft_check_xt_legacy(int family, bool is_ipt_save) { static const char tables6[] = "/proc/net/ip6_tables_names"; diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h index 89e9d0b9..cb60e685 100644 --- a/iptables/nft-shared.h +++ b/iptables/nft-shared.h @@ -109,8 +109,6 @@ struct nft_family_ops { void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r, struct iptables_command_state *cs); void (*clear_cs)(struct iptables_command_state *cs); - bool (*rule_find)(struct nft_handle *h, struct nftnl_rule *r, - struct nftnl_rule *rule); int (*xlate)(const void *data, struct xt_xlate *xl); }; @@ -171,8 +169,6 @@ void save_matches_and_target(const struct iptables_command_state *cs, struct nft_family_ops *nft_family_ops_lookup(int family); void nft_ipv46_parse_target(struct xtables_target *t, void *data); -bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, - struct nftnl_rule *rule); bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2); bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2); diff --git a/iptables/nft.c b/iptables/nft.c index 3c0daa8d..e65eb91c 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -2120,6 +2120,45 @@ static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r) return 1; } +static bool nft_rule_cmp(struct nft_handle *h, struct nftnl_rule *r, + struct nftnl_rule *rule) +{ + struct iptables_command_state _cs = {}, this = {}, *cs = &_cs; + bool ret = false; + + h->ops->rule_to_cs(h, r, &this); + h->ops->rule_to_cs(h, rule, cs); + + DEBUGP("comparing with... "); +#ifdef DEBUG_DEL + nft_rule_print_save(h, r, NFT_RULE_APPEND, 0); +#endif + if (!h->ops->is_same(cs, &this)) + goto out; + + if (!compare_matches(cs->matches, this.matches)) { + DEBUGP("Different matches\n"); + goto out; + } + + if (!compare_targets(cs->target, this.target)) { + DEBUGP("Different target\n"); + goto out; + } + + if ((!cs->target || !this.target) && + strcmp(cs->jumpto, this.jumpto) != 0) { + DEBUGP("Different verdict\n"); + goto out; + } + + ret = true; +out: + h->ops->clear_cs(&this); + h->ops->clear_cs(cs); + return ret; +} + static struct nftnl_rule * nft_rule_find(struct nft_handle *h, struct nftnl_chain *c, struct nftnl_rule *rule, int rulenum) @@ -2138,7 +2177,7 @@ nft_rule_find(struct nft_handle *h, struct nftnl_chain *c, r = nftnl_rule_iter_next(iter); while (r != NULL) { - found = h->ops->rule_find(h, r, rule); + found = nft_rule_cmp(h, r, rule); if (found) break; r = nftnl_rule_iter_next(iter); -- cgit v1.2.3