nftables/SOURCES/0016-src-pass-struct-nft_ctx-through-struct-eval_ctx.patch
2021-09-09 22:49:01 +00:00


From 09a890d3653a87e3752a3ebfc3f5de597a679cc5 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 22 Oct 2018 12:38:35 +0200
Subject: [PATCH] src: pass struct nft_ctx through struct eval_ctx
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 00f777bfc414af1e1384a213adc91ae4ecf6cbdf)
Conflicts:
src/evaluate.c
-> Missing osf support
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
include/rule.h | 5 +-
src/evaluate.c | 128 ++++++++++++++++++++++-----------------------
src/parser_bison.y | 5 +-
3 files changed, 66 insertions(+), 72 deletions(-)
diff --git a/include/rule.h b/include/rule.h
index 909ff36db80c1..b1d15c8725813 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -556,16 +556,13 @@ extern void cmd_free(struct cmd *cmd);
* @pctx: payload context
*/
struct eval_ctx {
- struct mnl_socket *nf_sock;
+ struct nft_ctx *nft;
struct list_head *msgs;
struct cmd *cmd;
struct table *table;
struct rule *rule;
struct set *set;
struct stmt *stmt;
- struct nft_cache *cache;
- struct output_ctx *octx;
- unsigned int debug_mask;
struct expr_ctx ectx;
struct proto_ctx pctx;
};
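Review bot: The kernel-doc comment above `struct eval_ctx` starts outside this hunk and is not touched by it, so it presumably still lists the removed members (`nf_sock`, `cache`, `debug_mask`, and `octx` if it was documented) and has no entry for the new one. I would add ` * @nft: library context (borrowed); supplies netlink socket, cache, output and debug mask` and drop the stale entries. Because `eval_ctx` now holds a pointer into a caller-owned `struct nft_ctx` instead of copies of its fields, the comment should also state that the `nft_ctx` must outlive the evaluation context.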
diff --git a/src/evaluate.c b/src/evaluate.c
index d18af34341b0d..5e9c6328fc692 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -156,7 +156,7 @@ static struct table *table_lookup_global(struct eval_ctx *ctx)
if (ctx->table != NULL)
return ctx->table;
- table = table_lookup(&ctx->cmd->handle, ctx->cache);
+ table = table_lookup(&ctx->cmd->handle, &ctx->nft->cache);
if (table == NULL)
return NULL;
@@ -184,8 +184,8 @@ static int expr_evaluate_symbol(struct eval_ctx *ctx, struct expr **expr)
}
break;
case SYMBOL_SET:
- ret = cache_update(ctx->nf_sock, ctx->cache, ctx->cmd->op,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, ctx->cmd->op,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
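Review bot: The six-argument `cache_update()` call is now spelled out with four `ctx->nft->` dereferences here and again in the hunks for rule_translate_index, cmd_evaluate_add, cmd_evaluate_delete, cmd_evaluate_get, cmd_evaluate_list, cmd_evaluate_reset, cmd_evaluate_flush, cmd_evaluate_rename, cmd_evaluate_monitor and cmd_evaluate_export. The call sites differ only in the operation argument, so a file-local wrapper taking `ctx` and the op would keep the argument order in one place and rule out a mismatched cache or output pointer at a single site. The enclosing functions begin and end outside these hunks; the sketch shows the helper and one converted call.

```c
static int eval_cache_update(struct eval_ctx *ctx, enum cmd_ops op)
{
	struct nft_ctx *nft = ctx->nft;

	return cache_update(nft->nf_sock, &nft->cache, op, ctx->msgs,
			    nft->debug_mask, &nft->output);
}

/* … unchanged: expr_evaluate_symbol() up to the SYMBOL_SET case … */
	case SYMBOL_SET:
		ret = eval_cache_update(ctx, ctx->cmd->op);
```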
@@ -1731,13 +1731,13 @@ static int expr_evaluate_variable(struct eval_ctx *ctx, struct expr **exprp)
static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr)
{
- if (ctx->debug_mask & NFT_DEBUG_EVALUATION) {
+ if (ctx->nft->debug_mask & NFT_DEBUG_EVALUATION) {
struct error_record *erec;
erec = erec_create(EREC_INFORMATIONAL, &(*expr)->location,
"Evaluate %s", (*expr)->ops->name);
- erec_print(ctx->octx, erec, ctx->debug_mask);
- expr_print(*expr, ctx->octx);
- nft_print(ctx->octx, "\n\n");
+ erec_print(&ctx->nft->output, erec, ctx->nft->debug_mask);
+ expr_print(*expr, &ctx->nft->output);
+ nft_print(&ctx->nft->output, "\n\n");
erec_destroy(erec);
}
@@ -2717,13 +2717,13 @@ static int stmt_evaluate_objref(struct eval_ctx *ctx, struct stmt *stmt)
int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
{
- if (ctx->debug_mask & NFT_DEBUG_EVALUATION) {
+ if (ctx->nft->debug_mask & NFT_DEBUG_EVALUATION) {
struct error_record *erec;
erec = erec_create(EREC_INFORMATIONAL, &stmt->location,
"Evaluate %s", stmt->ops->name);
- erec_print(ctx->octx, erec, ctx->debug_mask);
- stmt_print(stmt, ctx->octx);
- nft_print(ctx->octx, "\n\n");
+ erec_print(&ctx->nft->output, erec, ctx->nft->debug_mask);
+ stmt_print(stmt, &ctx->nft->output);
+ nft_print(&ctx->nft->output, "\n\n");
erec_destroy(erec);
}
@@ -2895,12 +2895,12 @@ static int rule_translate_index(struct eval_ctx *ctx, struct rule *rule)
int ret;
/* update cache with CMD_LIST so that rules are fetched, too */
- ret = cache_update(ctx->nf_sock, ctx->cache, CMD_LIST,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, CMD_LIST,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
- table = table_lookup(&rule->handle, ctx->cache);
+ table = table_lookup(&rule->handle, &ctx->nft->cache);
if (!table)
return cmd_error(ctx, &rule->handle.table.location,
"Could not process rule: %s",
@@ -2931,7 +2931,7 @@ static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
struct stmt *stmt, *tstmt = NULL;
struct error_record *erec;
- proto_ctx_init(&ctx->pctx, rule->handle.family, ctx->debug_mask);
+ proto_ctx_init(&ctx->pctx, rule->handle.family, ctx->nft->debug_mask);
memset(&ctx->ectx, 0, sizeof(ctx->ectx));
ctx->rule = rule;
@@ -3047,13 +3047,13 @@ static int table_evaluate(struct eval_ctx *ctx, struct table *table)
struct chain *chain;
struct set *set;
- if (table_lookup(&ctx->cmd->handle, ctx->cache) == NULL) {
+ if (table_lookup(&ctx->cmd->handle, &ctx->nft->cache) == NULL) {
if (table == NULL) {
table = table_alloc();
handle_merge(&table->handle, &ctx->cmd->handle);
- table_add_hash(table, ctx->cache);
+ table_add_hash(table, &ctx->nft->cache);
} else {
- table_add_hash(table_get(table), ctx->cache);
+ table_add_hash(table_get(table), &ctx->nft->cache);
}
}
@@ -3088,15 +3088,15 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_SETELEM:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
return setelem_evaluate(ctx, &cmd->expr);
case CMD_OBJ_SET:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
@@ -3106,8 +3106,8 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
handle_merge(&cmd->rule->handle, &cmd->handle);
return rule_evaluate(ctx, cmd->rule);
case CMD_OBJ_CHAIN:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
@@ -3115,8 +3115,8 @@ static int cmd_evaluate_add(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_TABLE:
return table_evaluate(ctx, cmd->table);
case CMD_OBJ_FLOWTABLE:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
@@ -3138,8 +3138,8 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_SETELEM:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
@@ -3165,14 +3165,14 @@ static int cmd_evaluate_get(struct eval_ctx *ctx, struct cmd *cmd)
struct set *set;
int ret;
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
switch (cmd->obj) {
case CMD_OBJ_SETELEM:
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &ctx->cmd->handle.table.location,
"Could not process rule: %s",
@@ -3197,7 +3197,7 @@ static int cmd_evaluate_list_obj(struct eval_ctx *ctx, const struct cmd *cmd,
if (obj_type == NFT_OBJECT_UNSPEC)
obj_type = NFT_OBJECT_COUNTER;
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
@@ -3215,8 +3215,8 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
struct set *set;
int ret;
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
@@ -3225,14 +3225,14 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
if (cmd->handle.table.name == NULL)
return 0;
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
strerror(ENOENT));
return 0;
case CMD_OBJ_SET:
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
@@ -3244,7 +3244,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
strerror(ENOENT));
return 0;
case CMD_OBJ_METER:
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
@@ -3256,7 +3256,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
strerror(ENOENT));
return 0;
case CMD_OBJ_MAP:
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
@@ -3268,7 +3268,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
strerror(ENOENT));
return 0;
case CMD_OBJ_CHAIN:
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
@@ -3294,7 +3294,7 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_FLOWTABLES:
if (cmd->handle.table.name == NULL)
return 0;
- if (table_lookup(&cmd->handle, ctx->cache) == NULL)
+ if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
strerror(ENOENT));
@@ -3313,8 +3313,8 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
{
int ret;
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
@@ -3325,7 +3325,7 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_QUOTAS:
if (cmd->handle.table.name == NULL)
return 0;
- if (table_lookup(&cmd->handle, ctx->cache) == NULL)
+ if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
strerror(ENOENT));
@@ -3343,8 +3343,8 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_RULESET:
- cache_flush(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ cache_flush(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
break;
case CMD_OBJ_TABLE:
/* Flushing a table does not empty the sets in the table nor remove
@@ -3354,12 +3354,12 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
/* Chains don't hold sets */
break;
case CMD_OBJ_SET:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &cmd->handle.table.location,
"Could not process rule: %s",
@@ -3371,12 +3371,12 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
strerror(ENOENT));
return 0;
case CMD_OBJ_MAP:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &ctx->cmd->handle.table.location,
"Could not process rule: %s",
@@ -3388,12 +3388,12 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
strerror(ENOENT));
return 0;
case CMD_OBJ_METER:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
- table = table_lookup(&cmd->handle, ctx->cache);
+ table = table_lookup(&cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &ctx->cmd->handle.table.location,
"Could not process rule: %s",
@@ -3417,12 +3417,12 @@ static int cmd_evaluate_rename(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_CHAIN:
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op,
- ctx->msgs, ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op,
+ ctx->msgs, ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
- table = table_lookup(&ctx->cmd->handle, ctx->cache);
+ table = table_lookup(&ctx->cmd->handle, &ctx->nft->cache);
if (table == NULL)
return cmd_error(ctx, &ctx->cmd->handle.table.location,
"Could not process rule: %s",
@@ -3517,8 +3517,8 @@ static int cmd_evaluate_monitor(struct eval_ctx *ctx, struct cmd *cmd)
uint32_t event;
int ret;
- ret = cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ ret = cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
if (ret < 0)
return ret;
@@ -3543,8 +3543,8 @@ static int cmd_evaluate_export(struct eval_ctx *ctx, struct cmd *cmd)
return cmd_error(ctx, &cmd->location,
"this output type is not supported");
- return cache_update(ctx->nf_sock, ctx->cache, cmd->op, ctx->msgs,
- ctx->debug_mask, ctx->octx);
+ return cache_update(ctx->nft->nf_sock, &ctx->nft->cache, cmd->op, ctx->msgs,
+ ctx->nft->debug_mask, &ctx->nft->output);
}
static int cmd_evaluate_import(struct eval_ctx *ctx, struct cmd *cmd)
@@ -3582,13 +3582,13 @@ static const char *cmd_op_to_name(enum cmd_ops op)
int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
{
- if (ctx->debug_mask & NFT_DEBUG_EVALUATION) {
+ if (ctx->nft->debug_mask & NFT_DEBUG_EVALUATION) {
struct error_record *erec;
erec = erec_create(EREC_INFORMATIONAL, &cmd->location,
"Evaluate %s", cmd_op_to_name(cmd->op));
- erec_print(ctx->octx, erec, ctx->debug_mask);
- nft_print(ctx->octx, "\n\n");
+ erec_print(&ctx->nft->output, erec, ctx->nft->debug_mask);
+ nft_print(&ctx->nft->output, "\n\n");
erec_destroy(erec);
}
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 33915ed8702a6..d75cd50fa29b9 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -44,11 +44,8 @@ void parser_init(struct nft_ctx *nft, struct parser_state *state,
state->msgs = msgs;
state->cmds = cmds;
state->scopes[0] = scope_init(&state->top_scope, NULL);
- state->ectx.cache = &nft->cache;
+ state->ectx.nft = nft;
state->ectx.msgs = msgs;
- state->ectx.nf_sock = nft->nf_sock;
- state->ectx.debug_mask = nft->debug_mask;
- state->ectx.octx = &nft->output;
}
static void yyerror(struct location *loc, struct nft_ctx *nft, void *scanner,
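Review bot: `state->ectx.nft = nft` stores the pointer unchecked, whereas the removed lines read `nft->nf_sock` and `nft->debug_mask` on the spot; a NULL `nft` that used to fault in parser_init() would now fault later, at the first `ctx->nft->` access in src/evaluate.c, away from the cause. If `<assert.h>` is already in scope in this file, `assert(nft != NULL);` before the assignment keeps the failure at its source. The change also turns the socket and debug mask from values copied at init time into values read live during evaluation, which deserves a one-line comment such as `/* ectx reads nf_sock, cache, output and debug_mask through nft at evaluation time */`. The start of parser_init() is outside this hunk.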
--
2.21.0