summaryrefslogtreecommitdiffstats
path: root/include/rule.h
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2017-06-15 14:35:33 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2017-06-16 18:59:18 +0200
commit509671dfa03365bba727b8be5e522b737da93a6f (patch)
tree1f8ed73f117cf2f37f33ad2b7a088aea312609e9 /include/rule.h
parent8ba13b7424fbfa18bd1aeebd1c4add67a1f6d2a2 (diff)
src: error reporting for nested ruleset representation
If you load a file using the nested ruleset representation, ie. the one you get via `nft list ruleset', error reporting doesn't help you much to find the problem. For example, the following ruleset points to an unexisting chain 'x': table test { chain test { type filter hook ingress priority 0; policy drop; ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x } } Error reporting is very sparse as it says: # nft -f /home/test/x /home/test/x:1:1-2: Error: Could not process rule: No such file or directory table netdev test{ ^^ So it's hard to know what is exactly missing. This patch enhances the existing logic, so nft points to the rule causing the problem, ie. # nft -f /home/test/x /home/test/x:4:17-70: Error: Could not process rule: No such file or directory ip saddr { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 } jump x ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The idea behind this patch is to expand the single table command into a list of individual commands, one per nested object inside the table. This expanded list is spliced into the existing list of commands. Thus, each command gets a sequence number that helps us correlate the error with the command that triggers it. This patch also includes reference counting for rules and objects. This was already in place for table, chain and sets. We need this since now we hold references to them from both the command and the table object itself. So the last reference releases the object from memory. Note that table objects still keep the list of chain, sets, etc. since the existing cache logic needs this to work. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/rule.h')
-rw-r--r--include/rule.h9
1 files changed, 8 insertions, 1 deletions
diff --git a/include/rule.h b/include/rule.h
index fb460640..3178a978 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -182,6 +182,7 @@ extern void chain_print_plain(const struct chain *chain);
* @stmt: list of statements
* @num_stmts: number of statements in stmts list
* @comment: comment
+ * @refcnt: rule reference counter
*/
struct rule {
struct list_head list;
@@ -190,10 +191,12 @@ struct rule {
struct list_head stmts;
unsigned int num_stmts;
const char *comment;
+ unsigned int refcnt;
};
extern struct rule *rule_alloc(const struct location *loc,
const struct handle *h);
+extern struct rule *rule_get(struct rule *rule);
extern void rule_free(struct rule *rule);
extern void rule_print(const struct rule *rule);
extern struct rule *rule_lookup(const struct chain *chain, uint64_t handle);
@@ -273,13 +276,14 @@ struct ct {
* @location: location the stateful object was defined/declared at
* @handle: counter handle
* @type: type of stateful object
+ * @refcnt: object reference counter
*/
struct obj {
struct list_head list;
struct location location;
struct handle handle;
uint32_t type;
-
+ unsigned int refcnt;
union {
struct counter counter;
struct quota quota;
@@ -288,6 +292,7 @@ struct obj {
};
struct obj *obj_alloc(const struct location *loc);
+extern struct obj *obj_get(struct obj *obj);
void obj_free(struct obj *obj);
void obj_add_hash(struct obj *obj, struct table *table);
struct obj *obj_lookup(const struct table *table, const char *name,
@@ -295,6 +300,7 @@ struct obj *obj_lookup(const struct table *table, const char *name,
void obj_print(const struct obj *n);
void obj_print_plain(const struct obj *obj);
const char *obj_type_name(uint32_t type);
+uint32_t obj_type_to_cmd(uint32_t type);
/**
* enum cmd_ops - command operations
@@ -439,6 +445,7 @@ struct cmd {
extern struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj,
const struct handle *h, const struct location *loc,
void *data);
+extern void nft_cmd_expand(struct cmd *cmd);
extern struct cmd *cmd_alloc_obj_ct(enum cmd_ops op, int type,
const struct handle *h,
const struct location *loc, void *data);