On 20 November 2014 at 13:20, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > On Thu, Nov 20, 2014 at 01:09:32PM +0100, Arturo Borrero Gonzalez wrote: >> Renaming of chains is not working. and ebtables-compat gets: >> libnftnl: attribute 0 assertion failed in chain.c:159 > > Thanks for catching up this. > >> This patch brings back the parser code of the original ebtables tool: >> http://git.netfilter.org/ebtables.old-history/tree/userspace/ebtables2/ebtables.c#n652 >> >> I adaped the original parser code to fit in the new environment, plus fixing >> style issues. >> In the nft backend, some minor changes are needed to support this operation, >> for example to avoid calling the nf_tables API with NLM_F_EXCL. >> >> I also tried to keep original error messages as much as possible. >> >> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> >> --- >> iptables/nft.c | 12 +++++++++++- >> iptables/xtables-eb-standalone.c | 2 +- >> iptables/xtables-eb.c | 33 +++++++++++++++++++++++++++++++-- >> 3 files changed, 43 insertions(+), 4 deletions(-) >> >> diff --git a/iptables/nft.c b/iptables/nft.c >> index 4ee22c5..7cd56ef 100644 >> --- a/iptables/nft.c >> +++ b/iptables/nft.c >> @@ -253,6 +253,7 @@ enum obj_update_type { >> NFT_COMPAT_CHAIN_USER_ADD, >> NFT_COMPAT_CHAIN_USER_DEL, >> NFT_COMPAT_CHAIN_UPDATE, >> + NFT_COMPAT_CHAIN_RENAME, >> NFT_COMPAT_RULE_APPEND, >> NFT_COMPAT_RULE_INSERT, >> NFT_COMPAT_RULE_REPLACE, >> @@ -1508,10 +1509,15 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain, >> uint64_t handle; >> int ret; >> >> + nft_fn = nft_chain_user_add; >> + >> /* If built-in chains don't exist for this table, create them */ >> if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) >> nft_xt_builtin_init(h, table); >> >> + /* Config load changed errno. Ensure genuine info for our callers. */ >> + errno = 0; >> + >> /* Find the old chain to be renamed */ >> c = nft_chain_find(h, table, chain); >> if (c == NULL) { >> @@ -1530,7 +1536,7 @@ int nft_chain_user_rename(struct nft_handle *h,const char *chain, >> nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_HANDLE, handle); >> >> if (h->batch_support) { >> - ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c); >> + ret = batch_chain_add(h, NFT_COMPAT_CHAIN_RENAME, c); >> } else { >> char buf[MNL_SOCKET_BUFFER_SIZE]; >> struct nlmsghdr *nlh; >> @@ -2279,6 +2285,10 @@ static int nft_action(struct nft_handle *h, int action) >> NLM_F_CREATE : 0, >> seq++, n->chain); >> break; >> + case NFT_COMPAT_CHAIN_RENAME: >> + nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN, 0, >> + seq++, n->chain); >> + break; >> case NFT_COMPAT_RULE_APPEND: >> nft_compat_rule_batch_add(h, NFT_MSG_NEWRULE, >> NLM_F_CREATE | NLM_F_APPEND, > > Please, send me a separated patch so I can merge this to master. > >> diff --git a/iptables/xtables-eb-standalone.c b/iptables/xtables-eb-standalone.c >> index 1c3cbf0..740a420 100644 >> --- a/iptables/xtables-eb-standalone.c >> +++ b/iptables/xtables-eb-standalone.c >> @@ -84,7 +84,7 @@ int xtables_eb_main(int argc, char *argv[]) >> ret = nft_commit(&h); >> >> if (!ret) >> - fprintf(stderr, "%s\n", nft_strerror(errno)); >> + xtables_error(OTHER_PROBLEM, "%s\n", nft_strerror(errno)); > > IIRC error reporting in ebtables differs from iptables. The output > should look the same. We're currently using nft_strerror() but I guess > we'll need a ebt_strerror() function. > I've tried to collect ebtables original errors. Most of them uses arguments, for example: * Can't delete the chain 'test', it's referenced in chain 'FORWARD', rule 0. * Loop from chain 'test2' to chain 'test'. So, that ebt_strerror() function seems almost useless. I will resend this patch with the changes you requested. I guess we can revisit that issue in the future. -- Arturo Borrero González -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
