From 838a1561e4812601a35e294523c7aaf5361c60ef Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 13 Nov 2018 16:00:30 -0500
Subject: [PATCH 17/34] nftables: build rule_key properly for delete verb
|
When deleting a rule make sure to strip the index/position from the rule
string.
|
(cherry picked from commit 7b40ad43f120dd08176fb3c52cdc94722f0a72bb)
---
src/firewall/core/nftables.py | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
|
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
|
21c891 |
index a1cb2c474737..47b1c27dc8cc 100644
|
|
|
21c891 |
--- a/src/firewall/core/nftables.py
|
|
|
21c891 |
+++ b/src/firewall/core/nftables.py
|
|
|
21c891 |
@@ -169,6 +169,21 @@ class nftables(object):
|
|
|
21c891 |
nft_opts = ["--echo", "--handle"]
|
|
|
21c891 |
_args = args[:]
|
|
|
21c891 |
|
|
|
21c891 |
+ def rule_key_from_rule(rule):
|
|
|
21c891 |
+ rule_key = rule[2:]
|
|
|
21c891 |
+ if rule_key[3] in ["position", "handle", "index"]:
|
|
|
21c891 |
+ # strip "position #"
|
|
|
21c891 |
+ # "insert rule family table chain position <num>"
|
|
|
21c891 |
+ # ^^ rule_key starts here
|
|
|
21c891 |
+ try:
|
|
|
21c891 |
+ int(rule_key[4])
|
|
|
21c891 |
+ except Exception:
|
|
|
21c891 |
+ raise FirewallError(INVALID_RULE, "position without a number")
|
|
|
21c891 |
+ else:
|
|
|
21c891 |
+ rule_key.pop(3)
|
|
|
21c891 |
+ rule_key.pop(3)
|
|
|
21c891 |
+ return " ".join(rule_key)
|
|
|
21c891 |
+
|
|
|
21c891 |
# If we're deleting a table (i.e. build_flush_rules())
|
|
|
21c891 |
# then check if its exist first to avoid nft throwing an error
|
|
|
21c891 |
if _args[0] == "delete" and _args[1] == "table":
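Review bot: `rule_key_from_rule` reads `rule_key[3]` unconditionally, so a short rule such as `add rule inet table chain` (three tokens after the verb) escapes as a bare IndexError instead of the `FirewallError(INVALID_RULE, ...)` this code otherwise raises for malformed input; guard it with `if len(rule_key) > 3 and rule_key[3] in ("position", "handle", "index"):`. The operand check now also covers `handle` and `index` but the message still says "position without a number"; report the keyword actually found, e.g. `raise FirewallError(INVALID_RULE, "%s without a number" % rule_key[3])`. `except Exception:` is wider than the failure modes here (`int()` raises ValueError/TypeError, a missing operand raises IndexError), so `except (ValueError, TypeError, IndexError):` keeps the intent without masking unrelated bugs, and a comment such as `# only checks the operand parses as an int; range (e.g. negative) is left to nft` would make the limits of the validation explicit. The enclosing method begins before this hunk.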
|
|
|
21c891 |
@@ -181,23 +196,10 @@ class nftables(object):
|
|
|
21c891 |
rule_key = None
|
|
|
21c891 |
if _args[0] in ["add", "insert"] and _args[1] == "rule":
|
|
|
21c891 |
rule_add = True
|
|
|
21c891 |
- rule_key = _args[2:]
|
|
|
21c891 |
- if rule_key[3] == "position":
|
|
|
21c891 |
- # strip "position #"
|
|
|
21c891 |
- # "insert rule family table chain position <num>"
|
|
|
21c891 |
- # ^^ rule_key starts here
|
|
|
21c891 |
- try:
|
|
|
21c891 |
- int(rule_key[4])
|
|
|
21c891 |
- except Exception:
|
|
|
21c891 |
- raise FirewallError(INVALID_RULE, "position without a number")
|
|
|
21c891 |
- else:
|
|
|
21c891 |
- rule_key.pop(3)
|
|
|
21c891 |
- rule_key.pop(3)
|
|
|
21c891 |
- rule_key = " ".join(rule_key)
|
|
|
21c891 |
+ rule_key = rule_key_from_rule(_args)
|
|
|
21c891 |
elif _args[0] in ["delete"] and _args[1] == "rule":
|
|
|
21c891 |
rule_add = False
|
|
|
21c891 |
- rule_key = _args[2:]
|
|
|
21c891 |
- rule_key = " ".join(rule_key)
|
|
|
21c891 |
+ rule_key = rule_key_from_rule(_args)
|
|
|
21c891 |
# delete using rule handle
|
|
|
21c891 |
_args = ["delete", "rule"] + _args[2:5] + \
|
|
|
21c891 |
["handle", self.rule_to_handle[rule_key]]
--
2.18.0
|