From f930cc50031851c6975058e33408214ad0c240b6 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Thu, 9 Jan 2014 18:54:02 +0000
Subject: nftables: fix supression of "permission denied" errors
Introduction of batch support broke displaying of EPERM since those are generated by the kernel before batch processing starts and thus have the sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the command messages. Also only a single error message is generated for the entire batch. This patch fixes this by noting the batch sequence number and displaying the error for all commands since this is what would happen if the permission check was inside batch processing as every other check.
Signed-off-by: Patrick McHardy
---
 src/main.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'src/main.c')
diff --git a/src/main.c b/src/main.c
index 0c97120b..32a991a6 100644
--- a/src/main.c
+++ b/src/main.c
@@ -156,9 +156,10 @@ static int nft_netlink(struct parser_state *state, struct list_head *msgs)
 struct cmd *cmd, *next;
 struct mnl_err *err, *tmp;
 LIST_HEAD(err_list);
+ uint32_t batch_seqnum;
 int ret = 0;
 
- mnl_batch_begin();
+ batch_seqnum = mnl_batch_begin();
 list_for_each_entry(cmd, &state->cmds, list) {
 memset(&ctx, 0, sizeof(ctx));
 ctx.msgs = msgs;
@@ -179,12 +180,15 @@ static int nft_netlink(struct parser_state *state, struct list_head *msgs)
 
 list_for_each_entry_safe(err, tmp, &err_list, head) {
 list_for_each_entry(cmd, &state->cmds, list) {
- if (err->seqnum == cmd->seqnum) {
+ if (err->seqnum == cmd->seqnum ||
+ err->seqnum == batch_seqnum) {
 netlink_io_error(&ctx, &cmd->location,
 "Could not process rule in batch: %s",
 strerror(err->err));
- mnl_err_list_free(err);
- break;
+ if (err->seqnum == cmd->seqnum) {
+ mnl_err_list_free(err);
+ break;
+ }
 }
 }
 }
-- 
cgit v1.2.3
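Review bot: The new `batch_seqnum = mnl_batch_begin();` line relies on mnl_batch_begin() returning the sequence number of the NFNL_MSG_BATCH_BEGIN message, yet this view is limited to src/main.c and the diffstat lists only that file, so the matching return-type change in mnl.c/mnl.h is presumably in the same series — worth confirming, since without it this hunk does not compile. nft_netlink() starts before the hunk and continues past it. A short comment on the declaration would spare the next reader the same question: `uint32_t batch_seqnum; /* seqnum of the BATCH_BEGIN message; kernel errors raised before batch processing (EPERM) carry it */`.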
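Review bot: An error entry tagged with batch_seqnum is now reported once per command but never released: `mnl_err_list_free(err)` runs only inside the `err->seqnum == cmd->seqnum` branch, so the batch-level entry stays on err_list and leaks when nft_netlink() returns (the function begins before the hunk and returns outside it; the leak is small but hits every EPERM run, including long-lived interactive sessions). The outer loop is already `list_for_each_entry_safe`, so freeing the entry after the inner loop finishes is safe; between the inner loop's closing brace and the outer one's, add `if (err->seqnum == batch_seqnum) mnl_err_list_free(err);`. An entry matching neither a command nor the batch was already left unreleased before this change, so that part is pre-existing, but the same release point could cover it by freeing any entry the inner loop did not consume.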