From 5fac849eac7ecfde4ca6f9c9c406ace030f358f2 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 10 Jan 2020 19:54:16 +0100
Subject: [PATCH] main: enforce options before commands
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1778883
Upstream Status: nftables commit fb9cea50e8b37
commit fb9cea50e8b370b6931e7b53b1a881d3b95b1c91
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri Dec 13 11:32:46 2019 +0100
main: enforce options before commands
This patch enables POSIXLY_CORRECT behaviour in the getopt parser (a leading '+' in OPTSTRING) to enforce
options before commands. Users get a hint in such a case:
# nft list ruleset -a
Error: syntax error, options must be specified before commands
nft list ruleset -a
^ ~~
This patch recovers 9fc71bc6b602 ("main: Fix for misleading error with
negative chain priority").
Tests have been updated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/main.c | 46 ++++++++++++++++++-
.../testcases/cache/0001_cache_handling_0 | 2 +-
.../testcases/chains/0016delete_handle_0 | 4 +-
.../testcases/chains/0039negative_priority_0 | 8 ++++
.../testcases/flowtable/0010delete_handle_0 | 2 +-
.../testcases/maps/0008interval_map_delete_0 | 2 +-
tests/shell/testcases/optionals/comments_0 | 2 +-
.../testcases/optionals/comments_handles_0 | 2 +-
.../optionals/delete_object_handles_0 | 4 +-
tests/shell/testcases/optionals/handles_0 | 2 +-
.../shell/testcases/sets/0028delete_handle_0 | 2 +-
11 files changed, 64 insertions(+), 12 deletions(-)
create mode 100755 tests/shell/testcases/chains/0039negative_priority_0
diff --git a/src/main.c b/src/main.c
|
|
|
f1d1c0 |
index fde8b15..74199f9 100644
|
|
|
f1d1c0 |
--- a/src/main.c
|
|
|
f1d1c0 |
+++ b/src/main.c
|
|
|
f1d1c0 |
@@ -46,7 +46,7 @@ enum opt_vals {
|
|
|
f1d1c0 |
OPT_TERSE = 't',
|
|
|
f1d1c0 |
OPT_INVALID = '?',
|
|
|
f1d1c0 |
};
|
|
|
f1d1c0 |
-#define OPTSTRING "hvcf:iI:jvnsNaeSupypTt"
|
|
|
f1d1c0 |
+#define OPTSTRING "+hvcf:iI:jvnsNaeSupypTt"
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
static const struct option options[] = {
|
|
|
f1d1c0 |
{
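Review bot: The leading '+' in OPTSTRING is the actual enforcement here (getopt stops permuting at the first non-option), but nothing on the define says so, and the character is easy to drop by accident when the option string is next edited. A one-line comment above the define, such as `/* leading '+': stop at the first non-option so options cannot follow the command */`, would preserve the intent. The options[] array that follows continues outside the hunk.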
|
|
|
f1d1c0 |
@@ -202,6 +202,47 @@ static const struct {
|
|
|
f1d1c0 |
},
|
|
|
f1d1c0 |
};
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
+static void nft_options_error(int argc, char * const argv[], int pos)
|
|
|
f1d1c0 |
+{
|
|
|
f1d1c0 |
+ int i;
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
+ fprintf(stderr, "Error: syntax error, options must be specified before commands\n");
|
|
|
f1d1c0 |
+ for (i = 0; i < argc; i++)
|
|
|
f1d1c0 |
+ fprintf(stderr, "%s ", argv[i]);
|
|
|
f1d1c0 |
+ printf("\n%4c%*s\n", '^', pos - 2, "~~");
|
|
|
f1d1c0 |
+}
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
+static bool nft_options_check(int argc, char * const argv[])
|
|
|
f1d1c0 |
+{
|
|
|
f1d1c0 |
+ bool skip = false, nonoption = false;
|
|
|
f1d1c0 |
+ int pos = 0, i;
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
+ for (i = 1; i < argc; i++) {
|
|
|
f1d1c0 |
+ pos += strlen(argv[i - 1]) + 1;
|
|
|
f1d1c0 |
+ if (argv[i][0] == '{') {
|
|
|
f1d1c0 |
+ break;
|
|
|
f1d1c0 |
+ } else if (skip) {
|
|
|
f1d1c0 |
+ skip = false;
|
|
|
f1d1c0 |
+ continue;
|
|
|
f1d1c0 |
+ } else if (argv[i][0] == '-') {
|
|
|
f1d1c0 |
+ if (nonoption) {
|
|
|
f1d1c0 |
+ nft_options_error(argc, argv, pos);
|
|
|
f1d1c0 |
+ return false;
|
|
|
f1d1c0 |
+ } else if (argv[i][1] == 'I' ||
|
|
|
f1d1c0 |
+ argv[i][1] == 'f' ||
|
|
|
f1d1c0 |
+ !strcmp(argv[i], "--includepath") ||
|
|
|
f1d1c0 |
+ !strcmp(argv[i], "--file")) {
|
|
|
f1d1c0 |
+ skip = true;
|
|
|
f1d1c0 |
+ continue;
|
|
|
f1d1c0 |
+ }
|
|
|
f1d1c0 |
+ } else if (argv[i][0] != '-') {
|
|
|
f1d1c0 |
+ nonoption = true;
|
|
|
f1d1c0 |
+ }
|
|
|
f1d1c0 |
+ }
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
+ return true;
|
|
|
f1d1c0 |
+}
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
int main(int argc, char * const *argv)
|
|
|
f1d1c0 |
{
|
|
|
f1d1c0 |
char *buf = NULL, *filename = NULL;
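Review bot: nft_options_error() writes the error and the echoed command line to stderr but emits the caret line with `printf`, so the `^ ~~` marker goes to stdout and ends up in whatever consumes nft's output (the updated tests pipe stdout into awk), while the message itself goes elsewhere; it should be `fprintf(stderr, "\n%4c%*s\n", '^', pos - 2, "~~");`. The `%4c` also hard-codes the caret column for a three-character argv[0], so the marker is misplaced whenever nft is invoked by path, and neither the position of the first non-option nor the offending token is recorded for the caret. In nft_options_check(), `-I` and `-f` are assumed to always consume the next argv, but getopt also accepts the attached forms `-f/path` and `--file=/path` (not matched by the strcmp) and the clustered form `-af /path`; with `-f/path` the command word after it is skipped so a later option is not reported by this check, and with `-af /path` the path is counted as the first non-option so a following option is rejected although getopt would accept it. Setting `skip` only when `argv[i][2] == '\0'` for the short forms, and checking the long forms with strncmp against the `=` variant, would make the pre-check agree with getopt.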
|
|
|
f1d1c0 |
@@ -211,6 +252,9 @@ int main(int argc, char * const *argv)
|
|
|
f1d1c0 |
unsigned int len;
|
|
|
f1d1c0 |
int i, val, rc;
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
+ if (!nft_options_check(argc, argv))
|
|
|
f1d1c0 |
+ exit(EXIT_FAILURE);
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
nft = nft_ctx_new(NFT_CTX_DEFAULT);
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
while (1) {
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/cache/0001_cache_handling_0 b/tests/shell/testcases/cache/0001_cache_handling_0
|
|
|
f1d1c0 |
index 431aada..0a68440 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/cache/0001_cache_handling_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/cache/0001_cache_handling_0
|
|
|
f1d1c0 |
@@ -20,7 +20,7 @@ TMP=$(mktemp)
|
|
|
f1d1c0 |
echo "$RULESET" >> "$TMP"
|
|
|
f1d1c0 |
$NFT "flush ruleset;include \"$TMP\""
|
|
|
f1d1c0 |
rm -f "$TMP"
|
|
|
f1d1c0 |
-rule_handle=$($NFT list ruleset -a | awk '/saddr/{print $NF}')
|
|
|
f1d1c0 |
+rule_handle=$($NFT -a list ruleset | awk '/saddr/{print $NF}')
|
|
|
f1d1c0 |
$NFT delete rule inet test test handle $rule_handle
|
|
|
f1d1c0 |
$NFT delete set inet test test
|
|
|
f1d1c0 |
$NFT -f - <<< "$RULESET"
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/chains/0016delete_handle_0 b/tests/shell/testcases/chains/0016delete_handle_0
|
|
|
f1d1c0 |
index 4633d77..8fd1ad8 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/chains/0016delete_handle_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/chains/0016delete_handle_0
|
|
|
f1d1c0 |
@@ -10,8 +10,8 @@ $NFT add chain ip6 test-ip6 x
|
|
|
f1d1c0 |
$NFT add chain ip6 test-ip6 y
|
|
|
f1d1c0 |
$NFT add chain ip6 test-ip6 z
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
-chain_y_handle=$($NFT list ruleset -a | awk -v n=1 '/chain y/ && !--n {print $NF; exit}');
|
|
|
f1d1c0 |
-chain_z_handle=$($NFT list ruleset -a | awk -v n=2 '/chain z/ && !--n {print $NF; exit}');
|
|
|
f1d1c0 |
+chain_y_handle=$($NFT -a list ruleset | awk -v n=1 '/chain y/ && !--n {print $NF; exit}');
|
|
|
f1d1c0 |
+chain_z_handle=$($NFT -a list ruleset | awk -v n=2 '/chain z/ && !--n {print $NF; exit}');
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
$NFT delete chain test-ip handle $chain_y_handle
|
|
|
f1d1c0 |
$NFT delete chain ip6 test-ip6 handle $chain_z_handle
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/chains/0039negative_priority_0 b/tests/shell/testcases/chains/0039negative_priority_0
|
|
|
f1d1c0 |
new file mode 100755
|
|
|
f1d1c0 |
index 0000000..ba17b8c
|
|
|
f1d1c0 |
--- /dev/null
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/chains/0039negative_priority_0
|
|
|
f1d1c0 |
@@ -0,0 +1,8 @@
|
|
|
f1d1c0 |
+#!/bin/bash
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
+# Test parsing of negative priority values
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
+set -e
|
|
|
f1d1c0 |
+
|
|
|
f1d1c0 |
+$NFT add table t
|
|
|
f1d1c0 |
+$NFT add chain t c { type filter hook input priority -30\; }
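Review bot: This test only covers the positive case (a negative priority inside braces is not mistaken for an option); nothing asserts that the new pre-check actually rejects an option placed after the command, which is the behaviour the commit introduces. A companion line such as `! $NFT list ruleset -a` (or a separate `_1`-suffixed testcase, if that is the convention for expected-failure tests here) would pin the error path and its non-zero exit status. With `set -e` the two existing lines are sufficient for the positive case.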
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/flowtable/0010delete_handle_0 b/tests/shell/testcases/flowtable/0010delete_handle_0
|
|
|
f1d1c0 |
index 303967d..985d4a3 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/flowtable/0010delete_handle_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/flowtable/0010delete_handle_0
|
|
|
f1d1c0 |
@@ -7,7 +7,7 @@ set -e
|
|
|
f1d1c0 |
$NFT add table inet t
|
|
|
f1d1c0 |
$NFT add flowtable inet t f { hook ingress priority filter\; devices = { lo }\; }
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
-FH=$($NFT list ruleset -a | awk '/flowtable f/ { print $NF }')
|
|
|
f1d1c0 |
+FH=$($NFT -a list ruleset | awk '/flowtable f/ { print $NF }')
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
$NFT delete flowtable inet t handle $FH
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/maps/0008interval_map_delete_0 b/tests/shell/testcases/maps/0008interval_map_delete_0
|
|
|
f1d1c0 |
index a43fd28..7da6eb3 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/maps/0008interval_map_delete_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/maps/0008interval_map_delete_0
|
|
|
f1d1c0 |
@@ -24,7 +24,7 @@ $NFT delete element filter m { 127.0.0.3 }
|
|
|
f1d1c0 |
$NFT add element filter m { 127.0.0.3 : 0x3 }
|
|
|
f1d1c0 |
$NFT add element filter m { 127.0.0.2 : 0x2 }
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
-GET=$($NFT list ruleset -s)
|
|
|
f1d1c0 |
+GET=$($NFT -s list ruleset)
|
|
|
f1d1c0 |
if [ "$EXPECTED" != "$GET" ] ; then
|
|
|
f1d1c0 |
DIFF="$(which diff)"
|
|
|
f1d1c0 |
[ -x $DIFF ] && $DIFF -u <(echo "$EXPECTED") <(echo "$GET")
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/optionals/comments_0 b/tests/shell/testcases/optionals/comments_0
|
|
|
f1d1c0 |
index 29b8506..ab85936 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/optionals/comments_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/optionals/comments_0
|
|
|
f1d1c0 |
@@ -5,4 +5,4 @@
|
|
|
f1d1c0 |
$NFT add table test
|
|
|
f1d1c0 |
$NFT add chain test test
|
|
|
f1d1c0 |
$NFT add rule test test tcp dport 22 counter accept comment test_comment
|
|
|
f1d1c0 |
-$NFT list table test -a | grep 'accept comment \"test_comment\"' >/dev/null
|
|
|
f1d1c0 |
+$NFT -a list table test | grep 'accept comment \"test_comment\"' >/dev/null
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/optionals/comments_handles_0 b/tests/shell/testcases/optionals/comments_handles_0
|
|
|
f1d1c0 |
index 30539bf..a01df1d 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/optionals/comments_handles_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/optionals/comments_handles_0
|
|
|
f1d1c0 |
@@ -6,5 +6,5 @@ $NFT add table test
|
|
|
f1d1c0 |
$NFT add chain test test
|
|
|
f1d1c0 |
$NFT add rule test test tcp dport 22 counter accept comment test_comment
|
|
|
f1d1c0 |
set -e
|
|
|
f1d1c0 |
-$NFT list table test -a | grep 'accept comment \"test_comment\" # handle '[[:digit:]]$ >/dev/null
|
|
|
f1d1c0 |
+$NFT -a list table test | grep 'accept comment \"test_comment\" # handle '[[:digit:]]$ >/dev/null
|
|
|
f1d1c0 |
$NFT list table test | grep 'accept comment \"test_comment\"' | grep -v '# handle '[[:digit:]]$ >/dev/null
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/optionals/delete_object_handles_0 b/tests/shell/testcases/optionals/delete_object_handles_0
|
|
|
f1d1c0 |
index d5d9654..a2ae422 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/optionals/delete_object_handles_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/optionals/delete_object_handles_0
|
|
|
f1d1c0 |
@@ -10,8 +10,8 @@ $NFT add quota ip6 test-ip6 http-quota over 25 mbytes
|
|
|
f1d1c0 |
$NFT add counter ip6 test-ip6 http-traffic
|
|
|
f1d1c0 |
$NFT add quota ip6 test-ip6 ssh-quota 10 mbytes
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
-counter_handle=$($NFT list ruleset -a | awk '/https-traffic/{print $NF}')
|
|
|
f1d1c0 |
-quota_handle=$($NFT list ruleset -a | awk '/ssh-quota/{print $NF}')
|
|
|
f1d1c0 |
+counter_handle=$($NFT -a list ruleset | awk '/https-traffic/{print $NF}')
|
|
|
f1d1c0 |
+quota_handle=$($NFT -a list ruleset | awk '/ssh-quota/{print $NF}')
|
|
|
f1d1c0 |
$NFT delete counter test-ip handle $counter_handle
|
|
|
f1d1c0 |
$NFT delete quota ip6 test-ip6 handle $quota_handle
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/optionals/handles_0 b/tests/shell/testcases/optionals/handles_0
|
|
|
f1d1c0 |
index 7c6a437..80f3c5b 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/optionals/handles_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/optionals/handles_0
|
|
|
f1d1c0 |
@@ -5,4 +5,4 @@
|
|
|
f1d1c0 |
$NFT add table test
|
|
|
f1d1c0 |
$NFT add chain test test
|
|
|
f1d1c0 |
$NFT add rule test test tcp dport 22 counter accept
|
|
|
f1d1c0 |
-$NFT list table test -a | grep 'accept # handle '[[:digit:]]$ >/dev/null
|
|
|
f1d1c0 |
+$NFT -a list table test | grep 'accept # handle '[[:digit:]]$ >/dev/null
|
|
|
f1d1c0 |
diff --git a/tests/shell/testcases/sets/0028delete_handle_0 b/tests/shell/testcases/sets/0028delete_handle_0
|
|
|
f1d1c0 |
index 4e8b322..5ad17c2 100755
|
|
|
f1d1c0 |
--- a/tests/shell/testcases/sets/0028delete_handle_0
|
|
|
f1d1c0 |
+++ b/tests/shell/testcases/sets/0028delete_handle_0
|
|
|
f1d1c0 |
@@ -7,7 +7,7 @@ $NFT add set test-ip y { type inet_service \; timeout 3h45s \;}
|
|
|
f1d1c0 |
$NFT add set test-ip z { type ipv4_addr\; flags constant , interval\;}
|
|
|
f1d1c0 |
$NFT add set test-ip c {type ipv4_addr \; flags timeout \; elements={192.168.1.1 timeout 10s, 192.168.1.2 timeout 30s} \;}
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
-set_handle=$($NFT list ruleset -a | awk '/set c/{print $NF}')
|
|
|
f1d1c0 |
+set_handle=$($NFT -a list ruleset | awk '/set c/{print $NF}')
|
|
|
f1d1c0 |
$NFT delete set test-ip handle $set_handle
|
|
|
f1d1c0 |
|
|
|
f1d1c0 |
EXPECTED="table ip test-ip {
|
|
|
f1d1c0 |
--
2.31.1