path: root/src/main.c
diff options
authorPablo Neira Ayuso <>2017-06-15 14:35:33 +0200
committerPablo Neira Ayuso <>2017-06-16 18:59:18 +0200
commit509671dfa03365bba727b8be5e522b737da93a6f (patch)
tree1f8ed73f117cf2f37f33ad2b7a088aea312609e9 /src/main.c
parent8ba13b7424fbfa18bd1aeebd1c4add67a1f6d2a2 (diff)
src: error reporting for nested ruleset representation
If you load a file using the nested ruleset representation, ie. the one you get via `nft list ruleset', error reporting doesn't help you much to find the problem. For example, the following ruleset points to an unexisting chain 'x': table test { chain test { type filter hook ingress priority 0; policy drop; ip saddr {,,, } jump x } } Error reporting is very sparse as it says: # nft -f /home/test/x /home/test/x:1:1-2: Error: Could not process rule: No such file or directory table netdev test{ ^^ So it's hard to know what is exactly missing. This patch enhances the existing logic, so nft points to the rule causing the problem, ie. # nft -f /home/test/x /home/test/x:4:17-70: Error: Could not process rule: No such file or directory ip saddr {,,, } jump x ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The idea behind this patch is to expand the single table command into a list of individual commands, one per nested object inside the table. This expanded list is spliced into the existing list of commands. Thus, each command gets a sequence number that helps us correlate the error with the command that triggers it. This patch also includes reference counting for rules and objects. This was already in place for table, chain and sets. We need this since now we hold references to them from both the command and the table object itself. So the last reference releases the object from memory. Note that table objects still keep the list of chain, sets, etc. since the existing cache logic needs this to work. Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'src/main.c')
1 files changed, 4 insertions, 0 deletions
diff --git a/src/main.c b/src/main.c
index 5089ff24..9ddcdf54 100644
--- a/src/main.c
+++ b/src/main.c
@@ -241,6 +241,10 @@ int nft_run(void *scanner, struct parser_state *state, struct list_head *msgs)
ret = -1;
goto err1;
+ list_for_each_entry(cmd, &state->cmds, list)
+ nft_cmd_expand(cmd);
ret = nft_netlink(state, msgs);
list_for_each_entry_safe(cmd, next, &state->cmds, list) {