This is only needed by 3.16, which was released 8 months after nftables was merged upstream. That kernel version supports a reduced featureset. Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- include/netlink.h | 18 +-- src/netlink.c | 331 ++++-------------------------------------------------- src/rule.c | 24 ++-- 3 files changed, 45 insertions(+), 328 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index 66686e5a3313..2c4250e7231b 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -125,22 +125,22 @@ extern int netlink_replace_rule_batch(struct netlink_ctx *ctx, const struct rule *rule, const struct location *loc); -extern int netlink_add_chain(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_add_chain_batch(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc, const struct chain *chain, uint32_t flags); -extern int netlink_rename_chain(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_rename_chain_batch(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc, const char *name); -extern int netlink_delete_chain(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_delete_chain_batch(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); extern int netlink_list_chains(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); extern int netlink_flush_chain(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); -extern int netlink_add_table(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_add_table_batch(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc, const struct table *table, uint32_t flags); -extern int netlink_delete_table(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_delete_table_batch(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); extern int netlink_list_tables(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); @@ -149,9 +149,9 @@ extern int netlink_list_table(struct netlink_ctx *ctx, const struct handle *h, extern int netlink_flush_table(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); -extern int netlink_add_set(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_add_set_batch(struct netlink_ctx *ctx, const struct handle *h, struct set *set, uint32_t flags); -extern int netlink_delete_set(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_delete_set_batch(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc); @@ -160,9 +160,9 @@ extern struct stmt *netlink_parse_set_expr(const struct set *set, const struct nft_cache *cache, const struct nftnl_expr *nle); -extern int netlink_add_setelems(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_add_setelems_batch(struct netlink_ctx *ctx, const struct handle *h, const struct expr *expr, uint32_t flags); -extern int netlink_delete_setelems(struct netlink_ctx *ctx, const struct handle *h, +extern int netlink_delete_setelems_batch(struct netlink_ctx *ctx, const struct handle *h, const struct expr *expr); extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc, struct set *set); diff --git a/src/netlink.c b/src/netlink.c index 06b1f57ae194..2ff3ce5e7a57 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -589,43 +589,9 @@ void netlink_dump_chain(const struct nftnl_chain *nlc, struct netlink_ctx *ctx) fprintf(fp, "\n"); } -static int netlink_add_chain_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc, - const struct chain *chain, uint32_t flags) -{ - struct nftnl_chain *nlc; - int err; - - nlc = alloc_nftnl_chain(h); - if (chain != NULL) { - if (chain->flags & CHAIN_F_BASECHAIN) { - nftnl_chain_set_u32(nlc, NFTNL_CHAIN_HOOKNUM, - chain->hooknum); - nftnl_chain_set_s32(nlc, NFTNL_CHAIN_PRIO, - chain->priority); - nftnl_chain_set_str(nlc, NFTNL_CHAIN_TYPE, - chain->type); - } - if (chain->policy != -1) - nftnl_chain_set_u32(nlc, NFTNL_CHAIN_POLICY, - chain->policy); - } - - netlink_dump_chain(nlc, ctx); - err = mnl_nft_chain_add(ctx, nlc, flags); - nftnl_chain_free(nlc); - - if (err < 0) - netlink_io_error(ctx, loc, "Could not add chain: %s", - strerror(errno)); - return err; -} - -static int netlink_add_chain_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc, - const struct chain *chain, uint32_t flags) +int netlink_add_chain_batch(struct netlink_ctx *ctx, const struct handle *h, + const struct location *loc, + const struct chain *chain, uint32_t flags) { struct nftnl_chain *nlc; int err; @@ -658,40 +624,10 @@ static int netlink_add_chain_batch(struct netlink_ctx *ctx, return err; } -int netlink_add_chain(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc, const struct chain *chain, - uint32_t flags) -{ - if (ctx->batch_supported) - return netlink_add_chain_batch(ctx, h, loc, chain, flags); - else - return netlink_add_chain_compat(ctx, h, loc, chain, flags); -} - -static int netlink_rename_chain_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc, - const char *name) -{ - struct nftnl_chain *nlc; - int err; - - nlc = alloc_nftnl_chain(h); - nftnl_chain_set_str(nlc, NFTNL_CHAIN_NAME, name); - netlink_dump_chain(nlc, ctx); - err = mnl_nft_chain_add(ctx, nlc, 0); - nftnl_chain_free(nlc); - - if (err < 0) - netlink_io_error(ctx, loc, "Could not rename chain: %s", - strerror(errno)); - return err; -} - -static int netlink_rename_chain_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc, - const char *name) +int netlink_rename_chain_batch(struct netlink_ctx *ctx, + const struct handle *h, + const struct location *loc, + const char *name) { struct nftnl_chain *nlc; int err; @@ -708,36 +644,8 @@ static int netlink_rename_chain_batch(struct netlink_ctx *ctx, return err; } -int netlink_rename_chain(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc, const char *name) -{ - if (ctx->batch_supported) - return netlink_rename_chain_batch(ctx, h, loc, name); - else - return netlink_rename_chain_compat(ctx, h, loc, name); -} - -static int netlink_del_chain_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc) -{ - struct nftnl_chain *nlc; - int err; - - nlc = alloc_nftnl_chain(h); - netlink_dump_chain(nlc, ctx); - err = mnl_nft_chain_delete(ctx, nlc, 0); - nftnl_chain_free(nlc); - - if (err < 0) - netlink_io_error(ctx, loc, "Could not delete chain: %s", - strerror(errno)); - return err; -} - -static int netlink_del_chain_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc) +int netlink_delete_chain_batch(struct netlink_ctx *ctx, const struct handle *h, + const struct location *loc) { struct nftnl_chain *nlc; int err; @@ -753,15 +661,6 @@ static int netlink_del_chain_batch(struct netlink_ctx *ctx, return err; } -int netlink_delete_chain(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc) -{ - if (ctx->batch_supported) - return netlink_del_chain_batch(ctx, h, loc); - else - return netlink_del_chain_compat(ctx, h, loc); -} - static struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx, const struct nftnl_chain *nlc) { @@ -863,28 +762,9 @@ int netlink_flush_chain(struct netlink_ctx *ctx, const struct handle *h, return netlink_del_rule_batch(ctx, h, loc); } -static int netlink_add_table_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc, - const struct table *table, uint32_t flags) -{ - struct nftnl_table *nlt; - int err; - - nlt = alloc_nftnl_table(h); - err = mnl_nft_table_add(ctx, nlt, flags); - nftnl_table_free(nlt); - - if (err < 0) - netlink_io_error(ctx, loc, "Could not add table: %s", - strerror(errno)); - return err; -} - -static int netlink_add_table_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc, - const struct table *table, uint32_t flags) +int netlink_add_table_batch(struct netlink_ctx *ctx, const struct handle *h, + const struct location *loc, + const struct table *table, uint32_t flags) { struct nftnl_table *nlt; int err; @@ -904,36 +784,8 @@ static int netlink_add_table_batch(struct netlink_ctx *ctx, return err; } -int netlink_add_table(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc, - const struct table *table, uint32_t flags) -{ - if (ctx->batch_supported) - return netlink_add_table_batch(ctx, h, loc, table, flags); - else - return netlink_add_table_compat(ctx, h, loc, table, flags); -} - -static int netlink_del_table_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc) -{ - struct nftnl_table *nlt; - int err; - - nlt = alloc_nftnl_table(h); - err = mnl_nft_table_delete(ctx, nlt, 0); - nftnl_table_free(nlt); - - if (err < 0) - netlink_io_error(ctx, loc, "Could not delete table: %s", - strerror(errno)); - return err; -} - -static int netlink_del_table_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc) +int netlink_delete_table_batch(struct netlink_ctx *ctx, const struct handle *h, + const struct location *loc) { struct nftnl_table *nlt; int err; @@ -948,15 +800,6 @@ static int netlink_del_table_batch(struct netlink_ctx *ctx, return err; } -int netlink_delete_table(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc) -{ - if (ctx->batch_supported) - return netlink_del_table_batch(ctx, h, loc); - else - return netlink_del_table_compat(ctx, h, loc); -} - static struct table *netlink_delinearize_table(struct netlink_ctx *ctx, const struct nftnl_table *nlt) { @@ -1160,41 +1003,9 @@ static struct set *netlink_delinearize_set(struct netlink_ctx *ctx, return set; } -static int netlink_add_set_compat(struct netlink_ctx *ctx, - const struct handle *h, struct set *set, - uint32_t flags) -{ - struct nftnl_set *nls; - int err; - - nls = alloc_nftnl_set(h); - nftnl_set_set_u32(nls, NFTNL_SET_FLAGS, set->flags); - nftnl_set_set_u32(nls, NFTNL_SET_KEY_TYPE, - dtype_map_to_kernel(set->key->dtype)); - nftnl_set_set_u32(nls, NFTNL_SET_KEY_LEN, - div_round_up(set->key->len, BITS_PER_BYTE)); - if (set->flags & NFT_SET_MAP) { - nftnl_set_set_u32(nls, NFTNL_SET_DATA_TYPE, - dtype_map_to_kernel(set->datatype)); - nftnl_set_set_u32(nls, NFTNL_SET_DATA_LEN, - set->datalen / BITS_PER_BYTE); - } - netlink_dump_set(nls, ctx); - - err = mnl_nft_set_add(ctx, nls, NLM_F_ECHO | flags); - if (err < 0) - netlink_io_error(ctx, &set->location, "Could not add set: %s", - strerror(errno)); - - set->handle.set = xstrdup(nftnl_set_get_str(nls, NFTNL_SET_NAME)); - nftnl_set_free(nls); - - return err; -} - -static int netlink_add_set_batch(struct netlink_ctx *ctx, - const struct handle *h, struct set *set, - uint32_t flags) +int netlink_add_set_batch(struct netlink_ctx *ctx, + const struct handle *h, struct set *set, + uint32_t flags) { struct nftnl_udata_buf *udbuf; struct nftnl_set *nls; @@ -1265,35 +1076,8 @@ static int netlink_add_set_batch(struct netlink_ctx *ctx, return err; } -int netlink_add_set(struct netlink_ctx *ctx, const struct handle *h, - struct set *set, uint32_t flags) -{ - if (ctx->batch_supported) - return netlink_add_set_batch(ctx, h, set, flags); - else - return netlink_add_set_compat(ctx, h, set, flags); -} - -static int netlink_del_set_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc) -{ - struct nftnl_set *nls; - int err; - - nls = alloc_nftnl_set(h); - err = mnl_nft_set_delete(ctx, nls, 0); - nftnl_set_free(nls); - - if (err < 0) - netlink_io_error(ctx, loc, "Could not delete set: %s", - strerror(errno)); - return err; -} - -static int netlink_del_set_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct location *loc) +int netlink_delete_set_batch(struct netlink_ctx *ctx, const struct handle *h, + const struct location *loc) { struct nftnl_set *nls; int err; @@ -1308,15 +1092,6 @@ static int netlink_del_set_batch(struct netlink_ctx *ctx, return err; } -int netlink_delete_set(struct netlink_ctx *ctx, const struct handle *h, - const struct location *loc) -{ - if (ctx->batch_supported) - return netlink_del_set_batch(ctx, h, loc); - else - return netlink_del_set_compat(ctx, h, loc); -} - static int list_set_cb(struct nftnl_set *nls, void *arg) { struct netlink_ctx *ctx = arg; @@ -1359,9 +1134,8 @@ static void alloc_setelem_cache(const struct expr *set, struct nftnl_set *nls) } } -static int netlink_add_setelems_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct expr *expr, uint32_t flags) +int netlink_add_setelems_batch(struct netlink_ctx *ctx, const struct handle *h, + const struct expr *expr, uint32_t flags) { struct nftnl_set *nls; int err; @@ -1379,38 +1153,8 @@ static int netlink_add_setelems_batch(struct netlink_ctx *ctx, return err; } -static int netlink_add_setelems_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct expr *expr, uint32_t flags) -{ - struct nftnl_set *nls; - int err; - - nls = alloc_nftnl_set(h); - alloc_setelem_cache(expr, nls); - netlink_dump_set(nls, ctx); - - err = mnl_nft_setelem_add(ctx, nls, flags); - nftnl_set_free(nls); - if (err < 0) - netlink_io_error(ctx, &expr->location, - "Could not add set elements: %s", - strerror(errno)); - return err; -} - -int netlink_add_setelems(struct netlink_ctx *ctx, const struct handle *h, - const struct expr *expr, uint32_t flags) -{ - if (ctx->batch_supported) - return netlink_add_setelems_batch(ctx, h, expr, flags); - else - return netlink_add_setelems_compat(ctx, h, expr, flags); -} - -static int netlink_del_setelems_batch(struct netlink_ctx *ctx, - const struct handle *h, - const struct expr *expr) +int netlink_delete_setelems_batch(struct netlink_ctx *ctx, + const struct handle *h, const struct expr *expr) { struct nftnl_set *nls; int err; @@ -1429,26 +1173,6 @@ static int netlink_del_setelems_batch(struct netlink_ctx *ctx, return err; } -static int netlink_del_setelems_compat(struct netlink_ctx *ctx, - const struct handle *h, - const struct expr *expr) -{ - struct nftnl_set *nls; - int err; - - nls = alloc_nftnl_set(h); - alloc_setelem_cache(expr, nls); - netlink_dump_set(nls, ctx); - - err = mnl_nft_setelem_delete(ctx, nls, 0); - nftnl_set_free(nls); - if (err < 0) - netlink_io_error(ctx, &expr->location, - "Could not delete set elements: %s", - strerror(errno)); - return err; -} - int netlink_flush_setelems(struct netlink_ctx *ctx, const struct handle *h, const struct location *loc) { @@ -1622,15 +1346,6 @@ out: return 0; } -int netlink_delete_setelems(struct netlink_ctx *ctx, const struct handle *h, - const struct expr *expr) -{ - if (ctx->batch_supported) - return netlink_del_setelems_batch(ctx, h, expr); - else - return netlink_del_setelems_compat(ctx, h, expr); -} - static int list_setelem_cb(struct nftnl_set_elem *nlse, void *arg) { struct netlink_ctx *ctx = arg; diff --git a/src/rule.c b/src/rule.c index a53908f670c1..c0b42b1c186b 100644 --- a/src/rule.c +++ b/src/rule.c @@ -999,7 +999,7 @@ static int __do_add_setelems(struct netlink_ctx *ctx, const struct handle *h, struct set *set, struct expr *expr, uint32_t flags) { expr->set_flags |= set->flags; - if (netlink_add_setelems(ctx, h, expr, flags) < 0) + if (netlink_add_setelems_batch(ctx, h, expr, flags) < 0) return -1; return 0; @@ -1031,7 +1031,7 @@ static int do_add_set(struct netlink_ctx *ctx, const struct handle *h, ctx->debug_mask, set->automerge) < 0) return -1; } - if (netlink_add_set(ctx, h, set, flags) < 0) + if (netlink_add_set_batch(ctx, h, set, flags) < 0) return -1; if (set->init != NULL) { return __do_add_setelems(ctx, &set->handle, set, set->init, @@ -1057,11 +1057,13 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl) switch (cmd->obj) { case CMD_OBJ_TABLE: - return netlink_add_table(ctx, &cmd->handle, &cmd->location, - cmd->table, flags); + return netlink_add_table_batch(ctx, &cmd->handle, + &cmd->location, cmd->table, + flags); case CMD_OBJ_CHAIN: - return netlink_add_chain(ctx, &cmd->handle, &cmd->location, - cmd->chain, flags); + return netlink_add_chain_batch(ctx, &cmd->handle, + &cmd->location, cmd->chain, + flags); case CMD_OBJ_RULE: return netlink_add_rule_batch(ctx, &cmd->handle, cmd->rule, flags | NLM_F_APPEND); @@ -1131,7 +1133,7 @@ static int do_delete_setelems(struct netlink_ctx *ctx, const struct handle *h, ctx->debug_mask, set->automerge) < 0) return -1; - if (netlink_delete_setelems(ctx, h, expr) < 0) + if (netlink_delete_setelems_batch(ctx, h, expr) < 0) return -1; return 0; @@ -1141,14 +1143,14 @@ static int do_command_delete(struct netlink_ctx *ctx, struct cmd *cmd) { switch (cmd->obj) { case CMD_OBJ_TABLE: - return netlink_delete_table(ctx, &cmd->handle, &cmd->location); + return netlink_delete_table_batch(ctx, &cmd->handle, &cmd->location); case CMD_OBJ_CHAIN: - return netlink_delete_chain(ctx, &cmd->handle, &cmd->location); + return netlink_delete_chain_batch(ctx, &cmd->handle, &cmd->location); case CMD_OBJ_RULE: return netlink_del_rule_batch(ctx, &cmd->handle, &cmd->location); case CMD_OBJ_SET: - return netlink_delete_set(ctx, &cmd->handle, &cmd->location); + return netlink_delete_set_batch(ctx, &cmd->handle, &cmd->location); case CMD_OBJ_SETELEM: return do_delete_setelems(ctx, &cmd->handle, cmd->expr); case CMD_OBJ_COUNTER: @@ -1714,7 +1716,7 @@ static int do_command_rename(struct netlink_ctx *ctx, struct cmd *cmd) case CMD_OBJ_CHAIN: chain = chain_lookup(table, &cmd->handle); - return netlink_rename_chain(ctx, &chain->handle, &cmd->location, + return netlink_rename_chain_batch(ctx, &chain->handle, &cmd->location, cmd->arg); default: BUG("invalid command object type %u\n", cmd->obj); -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html