Blame SOURCES/0004-arptables-nft-use-generic-expression-parsing-functio.patch

1dc35b
From abf79e364e9ef2dc355eb52d07d160b1f6c0f8c4 Mon Sep 17 00:00:00 2001
8cce6c
From: Florian Westphal <fw@strlen.de>
8cce6c
Date: Sun, 18 Nov 2018 12:31:33 +0100
8cce6c
Subject: [PATCH] arptables-nft: use generic expression parsing function
8cce6c
8cce6c
since commit d9c6a5d0977a6d8bbe772dbc31a2c4f58eec1708
8cce6c
("xtables: merge {ip,arp}tables_command_state structs") arptables
8cce6c
uses the shared representation.
8cce6c
8cce6c
With only minor changes (e.g., use generic counters in command_state),
8cce6c
in print/save functions we can use the shared nftnl expression parser
8cce6c
too.
8cce6c
8cce6c
arptables-legacy prints (-L) the jump target first, i.e.:
8cce6c
-j MARK -d 0.0.0.0/8 --h-length 6 ...
8cce6c
8cce6c
... so keep that here too.
8cce6c
8cce6c
Signed-off-by: Florian Westphal <fw@strlen.de>
8cce6c
(cherry picked from commit aa5d3c5b16e94036ac0dc6d44194db7b009ced53)
8cce6c
Signed-off-by: Phil Sutter <psutter@redhat.com>
8cce6c
---
1dc35b
 extensions/libarpt_standard.t |  4 +-
1dc35b
 iptables/nft-arp.c            | 92 ++++-------------------------------
1dc35b
 2 files changed, 12 insertions(+), 84 deletions(-)
8cce6c
1dc35b
diff --git a/extensions/libarpt_standard.t b/extensions/libarpt_standard.t
1dc35b
index bef682afec374..195865929c8d3 100644
1dc35b
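--- a/extensions/libarpt_standard.t
+++ b/extensions/libarpt_standard.t
@@ -5,8 +5,8 @@
 -d 192.168.0.1;=;OK
 ! -d 0.0.0.0;=;OK
 -d 0.0.0.0/24;=;OK
--i lo;=;OK
-! -i lo;=;OK
+-i lo -j DROP;-i lo --h-length 6 --h-type 1 -j DROP;OK
+! -i lo -j ACCEPT;! -i lo --h-length 6 --h-type 1 -j ACCEPT;OK
 -i ppp+;=;OK
 ! -i ppp+;=;OK
 -i lo --destination-mac 11:22:33:44:55:66;-i lo --dst-mac 11:22:33:44:55:66;OK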
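Review bot: The two replaced cases drop the only `-i lo` rules without a jump target, so this file no longer checks how an exact-interface, target-less rule is listed after the switch to the shared parser. The new expectations also gain `--h-length 6 --h-type 1` for these two rules only, while `-i ppp+;=;OK` still expects an unchanged echo, and the commit message does not explain the difference. A sentence in the message would help, as would adding back a target-less `-i lo` case with whatever output is now expected, so that a later change in listing output is caught rather than silently accepted.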
8cce6c
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
8cce6c
index 1a98996f94bda..37850bd328b71 100644
8cce6c
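--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -412,56 +412,6 @@ static void nft_arp_parse_payload(struct nft_xt_ctx *ctx,
 	}
 }
 
-static void nft_arp_rule_to_cs(const struct nftnl_rule *r,
-			       struct iptables_command_state *cs)
-{
-	struct nftnl_expr_iter *iter;
-	struct nftnl_expr *expr;
-	int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY);
-	struct nft_xt_ctx ctx = {
-		.cs = cs,
-		.family = family,
-	};
-
-	iter = nftnl_expr_iter_create(r);
-	if (iter == NULL)
-		return;
-
-	ctx.iter = iter;
-	expr = nftnl_expr_iter_next(iter);
-	while (expr != NULL) {
-		const char *name =
-			nftnl_expr_get_str(expr, NFTNL_EXPR_NAME);
-
-		if (strcmp(name, "counter") == 0)
-			nft_parse_counter(expr, &ctx.cs->arp.counters);
-		else if (strcmp(name, "payload") == 0)
-			nft_parse_payload(&ctx, expr);
-		else if (strcmp(name, "meta") == 0)
-			nft_parse_meta(&ctx, expr);
-		else if (strcmp(name, "bitwise") == 0)
-			nft_parse_bitwise(&ctx, expr);
-		else if (strcmp(name, "cmp") == 0)
-			nft_parse_cmp(&ctx, expr);
-		else if (strcmp(name, "immediate") == 0)
-			nft_parse_immediate(&ctx, expr);
-		else if (strcmp(name, "target") == 0)
-			nft_parse_target(&ctx, expr);
-
-		expr = nftnl_expr_iter_next(iter);
-	}
-
-	nftnl_expr_iter_destroy(iter);
-
-	if (cs->jumpto != NULL)
-		return;
-
-	if (cs->target != NULL && cs->target->name != NULL)
-		cs->target = xtables_find_target(cs->target->name, XTF_TRY_LOAD);
-	else
-		cs->jumpto = "";
-}
-
 static void nft_arp_print_header(unsigned int format, const char *chain,
 				 const char *pol,
 				 const struct xt_counters *counters,
@@ -627,14 +577,6 @@ after_devdst:
 	}
 }
 
-static void nft_arp_save_counters(const void *data)
-{
-	const struct iptables_command_state *cs = data;
-
-	printf("[%llu:%llu] ", (unsigned long long)cs->arp.counters.pcnt,
-			       (unsigned long long)cs->arp.counters.bcnt);
-}
-
 static void
 nft_arp_save_rule(const void *data, unsigned int format)
 {
@@ -643,17 +585,7 @@ nft_arp_save_rule(const void *data, unsigned int format)
 	format |= FMT_NUMERIC;
 
 	nft_arp_print_rule_details(&cs->arp, format);
-
-	if (cs->jumpto != NULL && strcmp(cs->jumpto, "") != 0) {
-		printf("-j %s", cs->jumpto);
-	} else if (cs->target) {
-		printf("-j %s", cs->target->name);
-		if (cs->target->save != NULL)
-			cs->target->save(&cs->arp, cs->target->t);
-	}
-
-	if (!(format & FMT_NONEWLINE))
-		fputc('\n', stdout);
+	save_matches_and_target(cs, false, &cs->arp, format);
 }
 
 static void
@@ -664,22 +596,18 @@ nft_arp_print_rule(struct nftnl_rule *r, unsigned int num, unsigned int format)
 	if (format & FMT_LINENUMBERS)
 		printf("%u ", num);
 
-	nft_arp_rule_to_cs(r, &cs);
+	nft_rule_to_iptables_command_state(r, &cs);
 
+	if (cs.jumpto)
+		printf("-j %s ", cs.jumpto);
 	nft_arp_print_rule_details(&cs.arp, format);
-
-	if (cs.jumpto != NULL && strcmp(cs.jumpto, "") != 0) {
-		printf("-j %s", cs.jumpto);
-	} else if (cs.target) {
-		printf("-j %s", cs.target->name);
-		cs.target->print(&cs.arp, cs.target->t, format & FMT_NUMERIC);
-	}
+	print_matches_and_target(&cs, format);
 
 	if (!(format & FMT_NOCOUNTS)) {
 		printf(", pcnt=");
-		xtables_print_num(cs.arp.counters.pcnt, format);
+		xtables_print_num(cs.counters.pcnt, format);
 		printf("-- bcnt=");
-		xtables_print_num(cs.arp.counters.bcnt, format);
+		xtables_print_num(cs.counters.bcnt, format);
 	}
 
 	if (!(format & FMT_NONEWLINE))
@@ -720,7 +648,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
 	struct iptables_command_state this = {};
 
 	/* Delete by matching rule case */
-	nft_arp_rule_to_cs(r, &this;;
+	nft_rule_to_iptables_command_state(r, &this;;
 
 	if (!nft_arp_is_same(&cs->arp, &this.arp))
 		return false;
@@ -751,10 +679,10 @@ struct nft_family_ops nft_family_ops_arp = {
 	.print_header		= nft_arp_print_header,
 	.print_rule		= nft_arp_print_rule,
 	.save_rule		= nft_arp_save_rule,
-	.save_counters		= nft_arp_save_counters,
+	.save_counters		= save_counters,
 	.save_chain		= nft_arp_save_chain,
 	.post_parse		= NULL,
-	.rule_to_cs		= nft_arp_rule_to_cs,
+	.rule_to_cs		= nft_rule_to_iptables_command_state,
 	.clear_cs		= nft_clear_iptables_command_state,
 	.rule_find		= nft_arp_rule_find,
 	.parse_target		= nft_ipv46_parse_target,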
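Review bot: In nft_arp_print_rule the new guard `if (cs.jumpto)` drops the empty-string test that the removed code applied (`strcmp(cs.jumpto, "") != 0`), and the removed nft_arp_rule_to_cs shows the old convention of setting `cs->jumpto = ""` for a rule with no target. The body of nft_rule_to_iptables_command_state is not part of this patch; if it keeps that convention, listing a target-less rule would print a bare `-j ` ahead of the rule details, which misrepresents the ruleset to anyone auditing `-L` output. Unless the shared parser is known to leave jumpto NULL in that case, the guard should read `if (cs.jumpto && cs.jumpto[0] != '\0')`. It is also worth confirming that print_matches_and_target does not print the target name a second time. The function starts and ends outside this hunk, so the `cs` initialisation and any cleanup are not visible here.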
8cce6c
-- 
1dc35b
2.21.0
8cce6c