| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-03-14 13:30:56 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-03-14 20:43:48 +0100 |
| commit | f712d8db62b2974f69ffe968bae932f0fa3e966a | |
| tree | cc8060b2aca905f4cccef48be031a28a69efea6d | /tests/shell |
| parent | c5f59b8ba2be5981e55e6e1d4762a5d56c1b3df0 | |
src: revisit cache population logic
We get a partial cache (tables, chains and sets) when:
* We see a set reference from a rule, since this set object may be
already defined in kernelspace and we need to fetch the datatype
for evaluation.
* We add/delete a set element, we need this to evaluate if the
element datatype is correct.
* We rename a chain, since we need to know the chain handle.
* We add a chain/set. This isn't needed for simple command line
invocations. However, since the existing codepath is also exercised
from `nft -f' context, we need to know if the object exists in the
kernel. Thus, if this is a newly declared object (not yet in the kernel) we
add it to the cache, otherwise, we will not find follow up references to
this object in our cache.
We get a full cache when:
* We list the ruleset. We can provide finer-grained listing though,
via partial cache, later.
* We monitor updates, since this displays incremental updates based on
the existing objects.
* We export the ruleset, since this dumps all of the existing objects.
* We push updates via `nft -f'. We need to know what objects are
already in the kernel for incremental updates. Otherwise,
cache_update() hits a bogus 'set doesn't exist' error message for
a just-declared set in this batch. To avoid this problem, we need a
way to differentiate between what objects in the lists that are
already defined in the kernel and what are just declared in this
batch (hint: the location structure information is set for just
declared objects).
We don't get a cache at all when:
* We flush the ruleset. This is important in case of delinearize
bugs, so you don't need to reboot or manually flush the ruleset via
libnftnl examples/nft-table-flush.
* We delete any object, except for set elements (as we describe above).
* We add a rule, so you can generate via --debug=netlink the expression
without requiring a table and chain in place.
* We describe an expression.
This patch also includes some intentional adjustments to the shell tests
so we don't get bogus errors due to changes in the list printing.
BTW, this patch also includes a revert for 97493717e738 ("evaluate: check
if table and chain exists when adding rules") since that check is not
possible anymore with this logic.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'tests/shell')
| -rwxr-xr-x | tests/shell/testcases/listing/0010sets_0 | 24 |
|---|---|---|
| -rwxr-xr-x | tests/shell/testcases/listing/0011sets_0 | 4 |
2 files changed, 14 insertions, 14 deletions
diff --git a/tests/shell/testcases/listing/0010sets_0 b/tests/shell/testcases/listing/0010sets_0 index 42d60b4a..855cceb8 100755 --- a/tests/shell/testcases/listing/0010sets_0 +++ b/tests/shell/testcases/listing/0010sets_0 @@ -12,18 +12,6 @@ table ip6 test { type ipv6_addr } } -table inet filter { - set set0 { - type inet_service - } - set set1 { - type inet_service - flags constant - } - set set2 { - type icmpv6_type - } -} table arp test_arp { set test_set_arp00 { type inet_service @@ -37,6 +25,18 @@ table bridge test_bridge { set test_set_bridge { type inet_service } +} +table inet filter { + set set0 { + type inet_service + } + set set1 { + type inet_service + flags constant + } + set set2 { + type icmpv6_type + } }" set -e diff --git a/tests/shell/testcases/listing/0011sets_0 b/tests/shell/testcases/listing/0011sets_0 index 1bf68877..75f2895f 100755 --- a/tests/shell/testcases/listing/0011sets_0 +++ b/tests/shell/testcases/listing/0011sets_0 @@ -6,11 +6,11 @@ EXPECTED="table ip nat { } table ip6 test { } -table inet filter { -} table arp test_arp { } table bridge test_bridge { +} +table inet filter { }" set -e |
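Review bot: in the first hunk of 0010sets_0 (`@@ -12,18 +12,6 @@`), the `table inet filter` block is removed from between `table ip6 test` and `table arp test_arp` only to reappear unchanged after `table bridge test_bridge` in the next hunk, so the EXPECTED string now hard-codes the order in which `nft list` prints tables rather than the order in which the test declared them. The commit message attributes this to "changes in the list printing"; a one-line comment in the test saying that the expected order follows the cache population order introduced by this patch would save the next person from treating a reordering as a regression.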
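Review bot: in the second hunk of 0010sets_0 (`@@ -37,6 +25,18 @@`), the re-added block (set0 `inet_service`, set1 `inet_service` with `flags constant`, set2 `icmpv6_type`) is byte-for-byte the one removed above, so this is a pure move of the `inet filter` table to the end of the listing. Since the test compares the whole string, consider checking that the input ruleset the test loads still declares `inet filter` before `arp`/`bridge`; otherwise the test no longer demonstrates that the listing order is independent of declaration order, which is the behaviour the expected output is being adjusted for.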
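Review bot: the 0011sets_0 hunk (`@@ -6,11 +6,11 @@`) applies the same move to the minimal EXPECTED string, so both tests now encode "inet filter last" consistently. If the printing order is not something this patch intends to guarantee going forward, comparing the set of table headers (for example after sorting both sides) would make these tests robust to the next change in cache population order; if the order is intended, the two expected strings are fine as they stand.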