diff options
Diffstat (limited to 'src/rule.c')
| -rw-r--r-- | src/rule.c | 398 |
1 files changed, 234 insertions, 164 deletions
@@ -8,11 +8,10 @@ * Development of this code funded by Astaro AG (http://www.astaro.com/) */ +#include <nft.h> + #include <stddef.h> -#include <stdlib.h> #include <stdio.h> -#include <stdint.h> -#include <string.h> #include <inttypes.h> #include <errno.h> @@ -27,6 +26,7 @@ #include <cache.h> #include <owner.h> #include <intervals.h> +#include "nftutils.h" #include <libnftnl/common.h> #include <libnftnl/ruleset.h> @@ -76,7 +76,7 @@ static uint32_t udp_dflt_timeout[] = { [NFTNL_CTTIMEOUT_UDP_REPLIED] = 120, }; -struct timeout_protocol timeout_protocol[IPPROTO_MAX] = { +struct timeout_protocol timeout_protocol[UINT8_MAX + 1] = { [IPPROTO_TCP] = { .array_size = NFTNL_CTTIMEOUT_TCP_MAX, .state_to_name = tcp_state_to_name, @@ -104,11 +104,11 @@ int timeout_str2num(uint16_t l4proto, struct timeout_state *ts) void handle_free(struct handle *h) { - xfree(h->table.name); - xfree(h->chain.name); - xfree(h->set.name); - xfree(h->flowtable.name); - xfree(h->obj.name); + free_const(h->table.name); + free_const(h->chain.name); + free_const(h->set.name); + free_const(h->flowtable.name); + free_const(h->obj.name); } void handle_merge(struct handle *dst, const struct handle *src) @@ -146,11 +146,12 @@ struct set *set_alloc(const struct location *loc) { struct set *set; + assert(loc); + set = xzalloc(sizeof(*set)); set->refcnt = 1; set->handle.set_id = ++set_id; - if (loc != NULL) - set->location = *loc; + set->location = *loc; init_list_head(&set->stmt_list); @@ -161,7 +162,7 @@ struct set *set_clone(const struct set *set) { struct set *new_set; - new_set = set_alloc(NULL); + new_set = set_alloc(&internal_location); handle_merge(&new_set->handle, &set->handle); new_set->flags = set->flags; new_set->gc_int = set->gc_int; @@ -190,16 +191,16 @@ void set_free(struct set *set) if (--set->refcnt > 0) return; - if (set->init != NULL) - expr_free(set->init); + + expr_free(set->init); if (set->comment) - xfree(set->comment); + free_const(set->comment); handle_free(&set->handle); list_for_each_entry_safe(stmt, next, &set->stmt_list, list) stmt_free(stmt); expr_free(set->key); expr_free(set->data); - xfree(set); + free(set); } struct set *set_lookup_fuzzy(const char *set_name, @@ -210,6 +211,9 @@ struct set *set_lookup_fuzzy(const char *set_name, struct table *table; struct set *set; + if (!set_name) + return NULL; + string_misspell_init(&st); list_for_each_entry(table, &cache->table_cache.list, cache.list) { @@ -334,10 +338,13 @@ static void set_print_declaration(const struct set *set, } if (set->desc.size > 0) { - nft_print(octx, "%s%ssize %u%s", + nft_print(octx, "%s%ssize %u", opts->tab, opts->tab, - set->desc.size, - opts->stmt_separator); + set->desc.size); + if (set->count > 0) + nft_print(octx, "%s# count %u", opts->tab, + set->count); + nft_print(octx, "%s", opts->stmt_separator); } } @@ -417,9 +424,18 @@ static void do_set_print(const struct set *set, struct print_fmt_options *opts, return; } - if (set->init != NULL && set->init->size > 0) { + if (set->init != NULL && expr_set(set->init)->size > 0) { nft_print(octx, "%s%selements = ", opts->tab, opts->tab); + + if (set->timeout || set->elem_has_comment || + (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT | + NFT_SET_TIMEOUT | NFT_SET_CONCAT)) || + !list_empty(&set->stmt_list)) + octx->force_newline = true; + expr_print(set->init, octx); + octx->force_newline = false; + nft_print(octx, "%s", opts->nl); } nft_print(octx, "%s}%s", opts->tab, opts->nl); @@ -453,6 +469,8 @@ struct rule *rule_alloc(const struct location *loc, const struct handle *h) { struct rule *rule; + assert(loc); + rule = xzalloc(sizeof(*rule)); rule->location = *loc; init_list_head(&rule->list); @@ -476,16 +494,18 @@ void rule_free(struct rule *rule) return; stmt_list_free(&rule->stmts); handle_free(&rule->handle); - xfree(rule->comment); - xfree(rule); + free_const(rule->comment); + free(rule); } void rule_print(const struct rule *rule, struct output_ctx *octx) { + const struct stmt_ops *ops; const struct stmt *stmt; list_for_each_entry(stmt, &rule->stmts, list) { - stmt->ops->print(stmt, octx); + ops = stmt_ops(stmt); + ops->print(stmt, octx); if (!list_is_last(&stmt->list, &rule->stmts)) nft_print(octx, " "); } @@ -554,16 +574,16 @@ void scope_release(const struct scope *scope) list_for_each_entry_safe(sym, next, &scope->symbols, list) { assert(sym->refcnt == 1); list_del(&sym->list); - xfree(sym->identifier); + free_const(sym->identifier); expr_free(sym->expr); - xfree(sym); + free(sym); } } void scope_free(struct scope *scope) { scope_release(scope); - xfree(scope); + free(scope); } void symbol_bind(struct scope *scope, const char *identifier, struct expr *expr) @@ -594,9 +614,9 @@ struct symbol *symbol_get(const struct scope *scope, const char *identifier) static void symbol_put(struct symbol *sym) { if (--sym->refcnt == 0) { - xfree(sym->identifier); + free_const(sym->identifier); expr_free(sym->expr); - xfree(sym); + free(sym); } } @@ -695,17 +715,16 @@ const char *chain_hookname_lookup(const char *name) /* internal ID to uniquely identify a set in the batch */ static uint32_t chain_id; -struct chain *chain_alloc(const char *name) +struct chain *chain_alloc(void) { struct chain *chain; chain = xzalloc(sizeof(*chain)); + chain->location = internal_location; chain->refcnt = 1; chain->handle.chain_id = ++chain_id; init_list_head(&chain->rules); init_list_head(&chain->scope.symbols); - if (name != NULL) - chain->handle.chain.name = xstrdup(name); chain->policy = NULL; return chain; @@ -727,16 +746,20 @@ void chain_free(struct chain *chain) list_for_each_entry_safe(rule, next, &chain->rules, list) rule_free(rule); handle_free(&chain->handle); - scope_release(&chain->scope); - xfree(chain->type.str); + free_const(chain->type.str); expr_free(chain->dev_expr); for (i = 0; i < chain->dev_array_len; i++) - xfree(chain->dev_array[i]); - xfree(chain->dev_array); + free_const(chain->dev_array[i]); + free(chain->dev_array); expr_free(chain->priority.expr); expr_free(chain->policy); - xfree(chain->comment); - xfree(chain); + free_const(chain->comment); + + /* MUST be released after all expressions, they could + * hold refcounts. + */ + scope_release(&chain->scope); + free(chain); } struct chain *chain_binding_lookup(const struct table *table, @@ -864,7 +887,7 @@ struct prio_tag { const char *str; }; -const static struct prio_tag std_prios[] = { +static const struct prio_tag std_prios[] = { { NF_IP_PRI_RAW, "raw" }, { NF_IP_PRI_MANGLE, "mangle" }, { NF_IP_PRI_NAT_DST, "dstnat" }, @@ -873,7 +896,7 @@ const static struct prio_tag std_prios[] = { { NF_IP_PRI_NAT_SRC, "srcnat" }, }; -const static struct prio_tag bridge_std_prios[] = { +static const struct prio_tag bridge_std_prios[] = { { NF_BR_PRI_NAT_DST_BRIDGED, "dstnat" }, { NF_BR_PRI_FILTER_BRIDGED, "filter" }, { NF_BR_PRI_NAT_DST_OTHER, "out" }, @@ -927,7 +950,8 @@ static bool std_prio_family_hook_compat(int prio, int family, int hook) case NFPROTO_INET: case NFPROTO_IPV4: case NFPROTO_IPV6: - if (hook == NF_INET_PRE_ROUTING) + if (hook == NF_INET_PRE_ROUTING || + hook == NF_INET_LOCAL_OUT) return true; } break; @@ -936,7 +960,8 @@ static bool std_prio_family_hook_compat(int prio, int family, int hook) case NFPROTO_INET: case NFPROTO_IPV4: case NFPROTO_IPV6: - if (hook == NF_INET_POST_ROUTING) + if (hook == NF_INET_LOCAL_IN || + hook == NF_INET_POST_ROUTING) return true; } } @@ -969,10 +994,11 @@ static const char *prio2str(const struct output_ctx *octx, const struct expr *expr) { const struct prio_tag *prio_arr; - int std_prio, offset, prio; + const uint32_t reach = 10; const char *std_prio_str; - const int reach = 10; + int std_prio, prio; size_t i, arr_size; + int64_t offset; mpz_export_data(&prio, expr->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); if (family == NFPROTO_BRIDGE) { @@ -987,19 +1013,21 @@ static const char *prio2str(const struct output_ctx *octx, for (i = 0; i < arr_size; ++i) { std_prio = prio_arr[i].val; std_prio_str = prio_arr[i].str; - if (abs(prio - std_prio) <= reach) { + + offset = (int64_t)prio - std_prio; + if (llabs(offset) <= reach) { if (!std_prio_family_hook_compat(std_prio, family, hook)) break; - offset = prio - std_prio; + strncpy(buf, std_prio_str, bufsize); if (offset > 0) snprintf(buf + strlen(buf), - bufsize - strlen(buf), " + %d", + bufsize - strlen(buf), " + %" PRIu64, offset); else if (offset < 0) snprintf(buf + strlen(buf), - bufsize - strlen(buf), " - %d", + bufsize - strlen(buf), " - %" PRIu64, -offset); return buf; } @@ -1025,23 +1053,27 @@ static void chain_print_declaration(const struct chain *chain, nft_print(octx, "\n\t\tcomment \"%s\"", chain->comment); nft_print(octx, "\n"); if (chain->flags & CHAIN_F_BASECHAIN) { - nft_print(octx, "\t\ttype %s hook %s", chain->type.str, - hooknum2str(chain->handle.family, chain->hook.num)); + if (chain->type.str) + nft_print(octx, "\t\ttype %s hook %s", chain->type.str, + hooknum2str(chain->handle.family, chain->hook.num)); + if (chain->dev_array_len == 1) { nft_print(octx, " device \"%s\"", chain->dev_array[0]); } else if (chain->dev_array_len > 1) { nft_print(octx, " devices = { "); for (i = 0; i < chain->dev_array_len; i++) { - nft_print(octx, "%s", chain->dev_array[i]); + nft_print(octx, "\"%s\"", chain->dev_array[i]); if (i + 1 != chain->dev_array_len) nft_print(octx, ", "); } nft_print(octx, " }"); } - nft_print(octx, " priority %s;", - prio2str(octx, priobuf, sizeof(priobuf), - chain->handle.family, chain->hook.num, - chain->priority.expr)); + + if (chain->priority.expr) + nft_print(octx, " priority %s;", + prio2str(octx, priobuf, sizeof(priobuf), + chain->handle.family, chain->hook.num, + chain->priority.expr)); if (chain->policy) { mpz_export_data(&policy, chain->policy->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); @@ -1091,8 +1123,21 @@ void chain_print_plain(const struct chain *chain, struct output_ctx *octx) if (chain->flags & CHAIN_F_BASECHAIN) { mpz_export_data(&policy, chain->policy->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); - nft_print(octx, " { type %s hook %s priority %s; policy %s; }", - chain->type.str, chain->hook.name, + nft_print(octx, " { type %s hook %s ", + chain->type.str, chain->hook.name); + + if (chain->dev_array_len > 0) { + int i; + + nft_print(octx, "devices = { "); + for (i = 0; i < chain->dev_array_len; i++) { + nft_print(octx, "%s", chain->dev_array[i]); + if (i + 1 != chain->dev_array_len) + nft_print(octx, ", "); + } + nft_print(octx, " } "); + } + nft_print(octx, "priority %s; policy %s; }", prio2str(octx, priobuf, sizeof(priobuf), chain->handle.family, chain->hook.num, chain->priority.expr), @@ -1107,6 +1152,7 @@ struct table *table_alloc(void) struct table *table; table = xzalloc(sizeof(*table)); + table->location = internal_location; init_list_head(&table->chains); init_list_head(&table->sets); init_list_head(&table->objs); @@ -1133,7 +1179,7 @@ void table_free(struct table *table) if (--table->refcnt > 0) return; if (table->comment) - xfree(table->comment); + free_const(table->comment); list_for_each_entry_safe(chain, next, &table->chains, list) chain_free(chain); list_for_each_entry_safe(chain, next, &table->chain_bindings, cache.list) @@ -1163,7 +1209,7 @@ void table_free(struct table *table) cache_free(&table->set_cache); cache_free(&table->obj_cache); cache_free(&table->ft_cache); - xfree(table); + free(table); } struct table *table_get(struct table *table) @@ -1178,6 +1224,9 @@ struct table *table_lookup_fuzzy(const struct handle *h, struct string_misspell_state st; struct table *table; + if (!h->table.name) + return NULL; + string_misspell_init(&st); list_for_each_entry(table, &cache->table_cache.list, cache.list) { @@ -1190,6 +1239,7 @@ struct table *table_lookup_fuzzy(const struct handle *h, static const char *table_flags_name[TABLE_FLAGS_MAX] = { "dormant", "owner", + "persist", }; const char *table_flag_name(uint32_t flag) @@ -1200,6 +1250,17 @@ const char *table_flag_name(uint32_t flag) return table_flags_name[flag]; } +unsigned int parse_table_flag(const char *name) +{ + int i; + + for (i = 0; i < TABLE_FLAGS_MAX; i++) { + if (!strcmp(name, table_flags_name[i])) + return 1 << i; + } + return 0; +} + static void table_print_flags(const struct table *table, const char **delim, struct output_ctx *octx) { @@ -1283,6 +1344,8 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj, { struct cmd *cmd; + assert(loc); + cmd = xzalloc(sizeof(*cmd)); init_list_head(&cmd->list); cmd->op = op; @@ -1293,7 +1356,6 @@ struct cmd *cmd_alloc(enum cmd_ops op, enum cmd_obj obj, cmd->attr = xzalloc_array(NFT_NLATTR_LOC_MAX, sizeof(struct nlerr_loc)); cmd->attr_array_len = NFT_NLATTR_LOC_MAX; - init_list_head(&cmd->collapse_list); return cmd; } @@ -1310,7 +1372,7 @@ struct markup *markup_alloc(uint32_t format) void markup_free(struct markup *m) { - xfree(m); + free(m); } struct monitor *monitor_alloc(uint32_t format, uint32_t type, const char *event) @@ -1328,12 +1390,15 @@ struct monitor *monitor_alloc(uint32_t format, uint32_t type, const char *event) void monitor_free(struct monitor *m) { - xfree(m->event); - xfree(m); + free_const(m->event); + free(m); } void cmd_free(struct cmd *cmd) { + if (cmd == NULL) + return; + handle_free(&cmd->handle); if (cmd->data != NULL) { switch (cmd->obj) { @@ -1343,6 +1408,8 @@ void cmd_free(struct cmd *cmd) set_free(cmd->elem.set); break; case CMD_OBJ_SET: + case CMD_OBJ_MAP: + case CMD_OBJ_METER: case CMD_OBJ_SETELEMS: set_free(cmd->set); break; @@ -1381,9 +1448,9 @@ void cmd_free(struct cmd *cmd) BUG("invalid command object type %u\n", cmd->obj); } } - xfree(cmd->attr); - xfree(cmd->arg); - xfree(cmd); + free(cmd->attr); + free_const(cmd->arg); + free(cmd); } #include <netlink.h> @@ -1392,7 +1459,7 @@ void cmd_free(struct cmd *cmd) static int __do_add_elements(struct netlink_ctx *ctx, struct cmd *cmd, struct set *set, struct expr *expr, uint32_t flags) { - expr->set_flags |= set->flags; + expr_set(expr)->set_flags |= set->flags; if (mnl_nft_setelem_add(ctx, cmd, set, expr, flags) < 0) return -1; @@ -1435,7 +1502,13 @@ static int do_add_set(struct netlink_ctx *ctx, struct cmd *cmd, return -1; } - return mnl_nft_set_add(ctx, cmd, flags); + if (mnl_nft_set_add(ctx, cmd, flags) < 0) + return -1; + + if (set_is_anonymous(set->flags)) + return __do_add_elements(ctx, cmd, set, set->init, flags); + + return 0; } static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl) @@ -1504,14 +1577,14 @@ static int do_command_insert(struct netlink_ctx *ctx, struct cmd *cmd) static int do_delete_setelems(struct netlink_ctx *ctx, struct cmd *cmd) { + const struct set *set = cmd->elem.set; struct expr *expr = cmd->elem.expr; - struct set *set = cmd->elem.set; if (set_is_non_concat_range(set) && set_to_intervals(set, expr, false) < 0) return -1; - if (mnl_nft_setelem_del(ctx, cmd, &cmd->handle, cmd->elem.expr) < 0) + if (mnl_nft_setelem_del(ctx, cmd, &cmd->handle, set, cmd->elem.expr) < 0) return -1; return 0; @@ -1561,11 +1634,6 @@ static int do_list_table(struct netlink_ctx *ctx, struct table *table) static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd) { - struct print_fmt_options opts = { - .tab = "\t", - .nl = "\n", - .stmt_separator = "\n", - }; struct table *table; struct set *set; @@ -1583,13 +1651,12 @@ static int do_list_sets(struct netlink_ctx *ctx, struct cmd *cmd) !set_is_literal(set->flags)) continue; if (cmd->obj == CMD_OBJ_METERS && - !set_is_meter(set->flags)) + !set_is_meter_compat(set->flags)) continue; if (cmd->obj == CMD_OBJ_MAPS && !map_is_literal(set->flags)) continue; - set_print_declaration(set, &opts, &ctx->nft->output); - nft_print(&ctx->nft->output, "%s}%s", opts.tab, opts.nl); + set_print(set, &ctx->nft->output); } nft_print(&ctx->nft->output, "}\n"); @@ -1601,9 +1668,10 @@ struct obj *obj_alloc(const struct location *loc) { struct obj *obj; + assert(loc); + obj = xzalloc(sizeof(*obj)); - if (loc != NULL) - obj->location = *loc; + obj->location = *loc; obj->refcnt = 1; return obj; @@ -1619,18 +1687,18 @@ void obj_free(struct obj *obj) { if (--obj->refcnt > 0) return; - xfree(obj->comment); + free_const(obj->comment); handle_free(&obj->handle); if (obj->type == NFT_OBJECT_CT_TIMEOUT) { struct timeout_state *ts, *next; list_for_each_entry_safe(ts, next, &obj->ct_timeout.timeout_list, head) { list_del(&ts->head); - xfree(ts->timeout_str); - xfree(ts); + free_const(ts->timeout_str); + free(ts); } } - xfree(obj); + free(obj); } struct obj *obj_lookup_fuzzy(const char *obj_name, @@ -1641,6 +1709,9 @@ struct obj *obj_lookup_fuzzy(const char *obj_name, struct table *table; struct obj *obj; + if (!obj_name) + return NULL; + string_misspell_init(&st); list_for_each_entry(table, &cache->table_cache.list, cache.list) { @@ -1655,10 +1726,10 @@ struct obj *obj_lookup_fuzzy(const char *obj_name, static void print_proto_name_proto(uint8_t l4, struct output_ctx *octx) { - const struct protoent *p = getprotobynumber(l4); + char name[NFT_PROTONAME_MAXSIZE]; - if (p) - nft_print(octx, "%s", p->p_name); + if (nft_getprotobynumber(l4, name, sizeof(name))) + nft_print(octx, "%s", name); else nft_print(octx, "%d", l4); } @@ -1673,11 +1744,14 @@ static void print_proto_timeout_policy(uint8_t l4, const uint32_t *timeout, nft_print(octx, "%s%spolicy = { ", opts->tab, opts->tab); for (i = 0; i < timeout_protocol[l4].array_size; i++) { if (timeout[i] != timeout_protocol[l4].dflt_timeout[i]) { + uint64_t timeout_ms; + if (comma) nft_print(octx, ", "); - nft_print(octx, "%s : %u", - timeout_protocol[l4].state_to_name[i], - timeout[i]); + timeout_ms = timeout[i] * 1000u; + nft_print(octx, "%s : ", + timeout_protocol[l4].state_to_name[i]); + time_print(timeout_ms, octx); comma = true; } } @@ -1899,7 +1973,7 @@ static const char * const obj_type_name_array[] = { [NFT_OBJECT_CT_EXPECT] = "ct expectation", }; -const char *obj_type_name(enum stmt_types type) +const char *obj_type_name(unsigned int type) { assert(type <= NFT_OBJECT_MAX && obj_type_name_array[type]); @@ -1917,7 +1991,7 @@ static uint32_t obj_type_cmd_array[NFT_OBJECT_MAX + 1] = { [NFT_OBJECT_CT_EXPECT] = CMD_OBJ_CT_EXPECT, }; -uint32_t obj_type_to_cmd(uint32_t type) +enum cmd_obj obj_type_to_cmd(uint32_t type) { assert(type <= NFT_OBJECT_MAX && obj_type_cmd_array[type]); @@ -2009,9 +2083,10 @@ struct flowtable *flowtable_alloc(const struct location *loc) { struct flowtable *flowtable; + assert(loc); + flowtable = xzalloc(sizeof(*flowtable)); - if (loc != NULL) - flowtable->location = *loc; + flowtable->location = *loc; flowtable->refcnt = 1; return flowtable; @@ -2035,10 +2110,10 @@ void flowtable_free(struct flowtable *flowtable) if (flowtable->dev_array != NULL) { for (i = 0; i < flowtable->dev_array_len; i++) - xfree(flowtable->dev_array[i]); - xfree(flowtable->dev_array); + free_const(flowtable->dev_array[i]); + free(flowtable->dev_array); } - xfree(flowtable); + free(flowtable); } static void flowtable_print_declaration(const struct flowtable *flowtable, @@ -2061,17 +2136,20 @@ static void flowtable_print_declaration(const struct flowtable *flowtable, if (nft_output_handle(octx)) nft_print(octx, " # handle %" PRIu64, flowtable->handle.handle.id); nft_print(octx, "%s", opts->nl); - nft_print(octx, "%s%shook %s priority %s%s", - opts->tab, opts->tab, - hooknum2str(NFPROTO_NETDEV, flowtable->hook.num), - prio2str(octx, priobuf, sizeof(priobuf), NFPROTO_NETDEV, - flowtable->hook.num, flowtable->priority.expr), - opts->stmt_separator); + + if (flowtable->priority.expr) { + nft_print(octx, "%s%shook %s priority %s%s", + opts->tab, opts->tab, + hooknum2str(NFPROTO_NETDEV, flowtable->hook.num), + prio2str(octx, priobuf, sizeof(priobuf), NFPROTO_NETDEV, + flowtable->hook.num, flowtable->priority.expr), + opts->stmt_separator); + } if (flowtable->dev_array_len > 0) { nft_print(octx, "%s%sdevices = { ", opts->tab, opts->tab); for (i = 0; i < flowtable->dev_array_len; i++) { - nft_print(octx, "%s", flowtable->dev_array[i]); + nft_print(octx, "\"%s\"", flowtable->dev_array[i]); if (i + 1 != flowtable->dev_array_len) nft_print(octx, ", "); } @@ -2106,6 +2184,21 @@ void flowtable_print(const struct flowtable *s, struct output_ctx *octx) do_flowtable_print(s, &opts, octx); } +void flowtable_print_plain(const struct flowtable *ft, struct output_ctx *octx) +{ + struct print_fmt_options opts = { + .tab = "", + .nl = " ", + .table = ft->handle.table.name, + .family = family2str(ft->handle.family), + .stmt_separator = "; ", + }; + + flowtable_print_declaration(ft, &opts, octx); + nft_print(octx, "}"); +} + + struct flowtable *flowtable_lookup_fuzzy(const char *ft_name, const struct nft_cache *cache, const struct table **t) @@ -2114,6 +2207,9 @@ struct flowtable *flowtable_lookup_fuzzy(const char *ft_name, struct table *table; struct flowtable *ft; + if (!ft_name) + return NULL; + string_misspell_init(&st); list_for_each_entry(table, &cache->table_cache.list, cache.list) { @@ -2276,11 +2372,13 @@ static void __do_list_set(struct netlink_ctx *ctx, struct cmd *cmd, static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd, struct table *table) { - struct set *set; + struct set *set = cmd->set; - set = set_cache_find(table, cmd->handle.set.name); - if (set == NULL) - return -1; + if (!set) { + set = set_cache_find(table, cmd->handle.set.name); + if (set == NULL) + return -1; + } __do_list_set(ctx, cmd, set); @@ -2290,12 +2388,8 @@ static int do_list_set(struct netlink_ctx *ctx, struct cmd *cmd, static int do_list_hooks(struct netlink_ctx *ctx, struct cmd *cmd) { const char *devname = cmd->handle.obj.name; - int hooknum = -1; - if (cmd->handle.chain.name) - hooknum = cmd->handle.chain_id; - - return mnl_nft_dump_nf_hooks(ctx, cmd->handle.family, hooknum, devname); + return mnl_nft_dump_nf_hooks(ctx, cmd->handle.family, devname); } static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd) @@ -2305,10 +2399,16 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd) if (nft_output_json(&ctx->nft->output)) return do_command_list_json(ctx, cmd); - if (cmd->handle.table.name != NULL) + if (cmd->handle.table.name != NULL) { table = table_cache_find(&ctx->nft->cache.table_cache, cmd->handle.table.name, cmd->handle.family); + if (!table) { + errno = ENOENT; + return -1; + } + } + switch (cmd->obj) { case CMD_OBJ_TABLE: if (!cmd->handle.table.name) @@ -2344,8 +2444,10 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd) case CMD_OBJ_CT_HELPERS: return do_list_obj(ctx, cmd, NFT_OBJECT_CT_HELPER); case CMD_OBJ_CT_TIMEOUT: + case CMD_OBJ_CT_TIMEOUTS: return do_list_obj(ctx, cmd, NFT_OBJECT_CT_TIMEOUT); case CMD_OBJ_CT_EXPECT: + case CMD_OBJ_CT_EXPECTATIONS: return do_list_obj(ctx, cmd, NFT_OBJECT_CT_EXPECT); case CMD_OBJ_LIMIT: case CMD_OBJ_LIMITS: @@ -2362,14 +2464,22 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd) return do_list_flowtables(ctx, cmd); case CMD_OBJ_HOOKS: return do_list_hooks(ctx, cmd); - default: - BUG("invalid command object type %u\n", cmd->obj); + case CMD_OBJ_MONITOR: + case CMD_OBJ_MARKUP: + case CMD_OBJ_SETELEMS: + case CMD_OBJ_EXPR: + case CMD_OBJ_ELEMENTS: + errno = EOPNOTSUPP; + return -1; + case CMD_OBJ_INVALID: + break; } + BUG("invalid command object type %u\n", cmd->obj); return 0; } -static int do_get_setelems(struct netlink_ctx *ctx, struct cmd *cmd) +static int do_get_setelems(struct netlink_ctx *ctx, struct cmd *cmd, bool reset) { struct set *set, *new_set; struct expr *init; @@ -2387,7 +2497,7 @@ static int do_get_setelems(struct netlink_ctx *ctx, struct cmd *cmd) /* Fetch from kernel the elements that have been requested .*/ err = netlink_get_setelem(ctx, &cmd->handle, &cmd->location, - cmd->elem.set, new_set, init); + cmd->elem.set, new_set, init, reset); if (err >= 0) __do_list_set(ctx, cmd, new_set); @@ -2403,7 +2513,7 @@ static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd) { switch (cmd->obj) { case CMD_OBJ_ELEMENTS: - return do_get_setelems(ctx, cmd); + return do_get_setelems(ctx, cmd, false); default: BUG("invalid command object type %u\n", cmd->obj); } @@ -2413,49 +2523,12 @@ static int do_command_get(struct netlink_ctx *ctx, struct cmd *cmd) static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd) { - struct obj *obj, *next; - struct table *table; - bool dump = false; - uint32_t type; - int ret; - switch (cmd->obj) { - case CMD_OBJ_COUNTERS: - dump = true; - /* fall through */ - case CMD_OBJ_COUNTER: - type = NFT_OBJECT_COUNTER; - break; - case CMD_OBJ_QUOTAS: - dump = true; - /* fall through */ - case CMD_OBJ_QUOTA: - type = NFT_OBJECT_QUOTA; - break; - case CMD_OBJ_RULES: - ret = netlink_reset_rules(ctx, cmd, true); - if (ret < 0) - return ret; - - return do_command_list(ctx, cmd); - case CMD_OBJ_RULE: - return netlink_reset_rules(ctx, cmd, false); + case CMD_OBJ_ELEMENTS: + return do_get_setelems(ctx, cmd, true); default: - BUG("invalid command object type %u\n", cmd->obj); - } - - ret = netlink_reset_objs(ctx, cmd, type, dump); - list_for_each_entry_safe(obj, next, &ctx->list, list) { - table = table_cache_find(&ctx->nft->cache.table_cache, - obj->handle.table.name, - obj->handle.family); - if (!obj_cache_find(table, obj->handle.obj.name, obj->type)) { - list_del(&obj->list); - obj_cache_add(obj, table); - } + break; } - if (ret < 0) - return ret; return do_command_list(ctx, cmd); } @@ -2703,11 +2776,9 @@ static void stmt_reduce(const struct rule *rule) } /* Must not merge across other statements */ - if (stmt->ops->type != STMT_EXPRESSION) { - if (idx < 2) - continue; - - payload_do_merge(sa, idx); + if (stmt->type != STMT_EXPRESSION) { + if (idx >= 2) + payload_do_merge(sa, idx); idx = 0; continue; } @@ -2721,7 +2792,6 @@ static void stmt_reduce(const struct rule *rule) switch (stmt->expr->op) { case OP_EQ: case OP_IMPLICIT: - case OP_NEQ: break; default: continue; |