From 51f895d54af6e163e0290520e124e9413438ccf4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 21 Feb 2020 14:55:52 +0100
Subject: [PATCH] xtables: Review nft_init()
Move common code into nft_init(), such as:
* initial zeroing nft_handle fields
* family ops lookup and assignment to 'ops' field
* setting of 'family' field
This requires minor adjustments in xtables_restore_main() so extra field
initialization doesn't happen before nft_init() call.
As a side-effect, this fixes a segfault in the xtables-monitor binary when
printing rules for trace event as in that code-path 'ops' field wasn't
initialized.
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit d0446ab11182f6ca2adc486a124895f09a220c6e)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 9 ++++++++-
iptables/nft.h | 2 +-
iptables/xtables-arp.c | 9 +--------
iptables/xtables-eb.c | 9 +--------
iptables/xtables-monitor.c | 2 +-
iptables/xtables-restore.c | 14 +++++++-------
iptables/xtables-save.c | 9 ++-------
iptables/xtables-standalone.c | 6 ++----
iptables/xtables-translate.c | 2 +-
iptables/xtables.c | 4 ----
10 files changed, 24 insertions(+), 42 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 3f2a62ae12c07..0287add3fb21f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -789,8 +789,10 @@ int nft_restart(struct nft_handle *h)
return 0;
}
-int nft_init(struct nft_handle *h, const struct builtin_table *t)
+int nft_init(struct nft_handle *h, int family, const struct builtin_table *t)
{
+ memset(h, 0, sizeof(*h));
+
h->nl = mnl_socket_open(NETLINK_NETFILTER);
if (h->nl == NULL)
return -1;
@@ -800,9 +802,14 @@ int nft_init(struct nft_handle *h, const struct builtin_table *t)
return -1;
}
+ h->ops = nft_family_ops_lookup(family);
+ if (!h->ops)
+ xtables_error(PARAMETER_PROBLEM, "Unknown family");
+
h->portid = mnl_socket_get_portid(h->nl);
h->tables = t;
h->cache = &h->__cache[0];
+ h->family = family;
INIT_LIST_HEAD(&h->obj_list);
INIT_LIST_HEAD(&h->err_list);
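Review bot: The family lookup is placed after the netlink socket has been opened (and, judging by the `return -1` just above it, bound), so an unknown family now aborts through xtables_error() with h->nl still open, and the caller never gets the -1 that every other failure in nft_init() reports. If xtables_error() terminates the process, as its use elsewhere in this patch suggests, the open socket is harmless, but the check depends on nothing netlink-related and would be better done right after the new `memset(h, 0, sizeof(*h));` in the first hunk, before any resource is acquired: `h->ops = nft_family_ops_lookup(family);` / `if (!h->ops)` / `xtables_error(PARAMETER_PROBLEM, "Unknown family");`. The same reasoning argues for documenting that nft_init() mixes two error conventions (return -1 vs. fatal error) so callers know the family case never reaches their "Failed to initialize nft" path. nft_init() spans this hunk and the previous one and its body continues past the hunk.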
diff --git a/iptables/nft.h b/iptables/nft.h
index 51b5660314c0c..5cf260a6d2cd3 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -80,7 +80,7 @@ extern const struct builtin_table xtables_bridge[NFT_TABLE_MAX];
int mnl_talk(struct nft_handle *h, struct nlmsghdr *nlh,
int (*cb)(const struct nlmsghdr *nlh, void *data),
void *data);
-int nft_init(struct nft_handle *h, const struct builtin_table *t);
+int nft_init(struct nft_handle *h, int family, const struct builtin_table *t);
void nft_fini(struct nft_handle *h);
int nft_restart(struct nft_handle *h);
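Review bot: The changed prototype does not document the new contract that the callers in this commit now rely on — nft_init() zeroes *h before doing anything else, so any field a caller sets beforehand is lost (this is exactly why xtables_restore_main() had to move its noflush/restore assignments after the call). A short comment on the declaration would make that explicit: `/* Zeroes *h, opens the netlink socket and resolves h->ops for 'family'; set any further nft_handle fields only after this returns 0. */`. It would also be worth stating that an unknown family is fatal via xtables_error() rather than reported through the return value.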
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 9cfad76263d32..c8196f08baa59 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -500,17 +500,10 @@ int nft_init_arp(struct nft_handle *h, const char *pname)
init_extensionsa();
#endif
- memset(h, 0, sizeof(*h));
- h->family = NFPROTO_ARP;
-
- if (nft_init(h, xtables_arp) < 0)
+ if (nft_init(h, NFPROTO_ARP, xtables_arp) < 0)
xtables_error(OTHER_PROBLEM,
"Could not initialize nftables layer.");
- h->ops = nft_family_ops_lookup(h->family);
- if (h->ops == NULL)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
-
return 0;
}
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 15b971da3d425..c006bc95ac681 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -739,16 +739,9 @@ int nft_init_eb(struct nft_handle *h, const char *pname)
init_extensionsb();
#endif
- memset(h, 0, sizeof(*h));
-
- h->family = NFPROTO_BRIDGE;
-
- if (nft_init(h, xtables_bridge) < 0)
+ if (nft_init(h, NFPROTO_BRIDGE, xtables_bridge) < 0)
xtables_error(OTHER_PROBLEM,
"Could not initialize nftables layer.");
- h->ops = nft_family_ops_lookup(h->family);
- if (!h->ops)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
/* manually registering ebt matches, given the original ebtables parser
* don't use '-m matchname' and the match can't be loaded dynamically when
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index a5245d1422af9..c2b31dbaa0795 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -615,7 +615,7 @@ int xtables_monitor_main(int argc, char *argv[])
init_extensions4();
#endif
- if (nft_init(&h, xtables_ipv4)) {
+ if (nft_init(&h, AF_INET, xtables_ipv4)) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
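Review bot: The new call passes `AF_INET` where every other updated caller in this patch passes an `NFPROTO_*` constant (`NFPROTO_ARP`, `NFPROTO_BRIDGE`); the two are numerically identical on Linux, but the family argument feeds nft_family_ops_lookup(), so `if (nft_init(&h, NFPROTO_IPV4, xtables_ipv4)) {` would read consistently with the lookup's domain. Since nft_init() now zeroes the handle, it is also worth confirming that nothing earlier in xtables_monitor_main() (outside this hunk) assigns fields of `h` that this call would discard.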
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index fb2ac8b5c12a3..11834c0ea98c5 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -360,15 +360,13 @@ static int
xtables_restore_main(int family, const char *progname, int argc, char *argv[])
{
const struct builtin_table *tables;
- struct nft_handle h = {
- .family = family,
- .restore = true,
- };
- int c;
struct nft_xt_restore_parse p = {
.commit = true,
.cb = &restore_cb,
};
+ bool noflush = false;
+ struct nft_handle h;
+ int c;
line = 0;
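Review bot: `struct nft_handle h;` is now indeterminate from its declaration until nft_init() zeroes it, and any assignment to a field of `h` made before that call is silently discarded by the memset; the `case 'n':` handler was converted to the local `noflush` for this reason, but most of the option loop lies outside these hunks and cannot be checked here. A comment on the declaration would protect the next maintainer: `struct nft_handle h; /* zeroed by nft_init(); set fields only after it */`. The same pattern is introduced by the `struct nft_handle h;` declarations in xtables-save.c and xtables-standalone.c, where the former `.family = family` initializers were dropped.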
@@ -402,7 +400,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
print_usage(prog_name, PACKAGE_VERSION);
exit(0);
case 'n':
- h.noflush = 1;
+ noflush = true;
break;
case 'M':
xtables_modprobe_program = optarg;
@@ -464,13 +462,15 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
return 1;
}
- if (nft_init(&h, tables) < 0) {
+ if (nft_init(&h, family, tables) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
strerror(errno));
exit(EXIT_FAILURE);
}
+ h.noflush = noflush;
+ h.restore = true;
xtables_restore_parse(&h, &p);
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 3a52f8c3d8209..228282deaed07 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -139,10 +139,8 @@ xtables_save_main(int family, int argc, char *argv[],
struct do_output_data d = {
.format = FMT_NOCOUNTS,
};
+ struct nft_handle h;
bool dump = false;
- struct nft_handle h = {
- .family = family,
- };
FILE *file = NULL;
int ret, c;
@@ -242,16 +240,13 @@ xtables_save_main(int family, int argc, char *argv[],
return 1;
}
- if (nft_init(&h, tables) < 0) {
+ if (nft_init(&h, family, tables) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
strerror(errno));
exit(EXIT_FAILURE);
}
- h.ops = nft_family_ops_lookup(h.family);
- if (!h.ops)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
ret = do_output(&h, tablename, &d);
nft_fini(&h);
diff --git a/iptables/xtables-standalone.c b/iptables/xtables-standalone.c
index 1a28c5480629f..022d5dd44abbf 100644
--- a/iptables/xtables-standalone.c
+++ b/iptables/xtables-standalone.c
@@ -44,9 +44,7 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
{
int ret;
char *table = "filter";
- struct nft_handle h = {
- .family = family,
- };
+ struct nft_handle h;
xtables_globals.program_name = progname;
ret = xtables_init_all(&xtables_globals, family);
@@ -61,7 +59,7 @@ xtables_main(int family, const char *progname, int argc, char *argv[])
init_extensions4();
#endif
- if (nft_init(&h, xtables_ipv4) < 0) {
+ if (nft_init(&h, family, xtables_ipv4) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 0f95855b41aa4..76ad7eb69eca9 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -480,7 +480,7 @@ static int xtables_xlate_main_common(struct nft_handle *h,
return 1;
}
- if (nft_init(h, tables) < 0) {
+ if (nft_init(h, family, tables) < 0) {
fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
xtables_globals.program_name,
xtables_globals.program_version,
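Review bot: Unlike the other call sites, `h` here is a pointer handed to xtables_xlate_main_common() by its caller, so the memset now inside nft_init() erases anything that caller may have stored in *h before passing it (the restore path needed exactly this kind of adjustment in this commit). The callers of xtables_xlate_main_common() are not in this patch, so this is worth confirming; `family` is presumably a parameter of this function, whose signature is cut off at the hunk header. If pre-set fields exist, they should be assigned after the `if (nft_init(h, family, tables) < 0) {` block, as xtables-restore.c now does.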
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 8f9dc628d0029..4b24d15c46295 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -571,10 +571,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
demand-load a protocol. */
opterr = 0;
- h->ops = nft_family_ops_lookup(h->family);
- if (h->ops == NULL)
- xtables_error(PARAMETER_PROBLEM, "Unknown family");
-
opts = xt_params->orig_opts;
while ((cs->c = getopt_long(argc, argv,
"-:A:C:D:R:I:L::S::M:F::Z::N:X::E:P:Vh::o:p:s:d:j:i:fbvw::W::nt:m:xc:g:46",
--
2.26.2