Legacy ebtables-restore does not support COMMIT directive, so allow for callers of xtables_restore_parse() to toggle support for it. If it is not supported, allow for next table definition without previous COMMIT and implicitly commit the ruleset after parsing input instead of complaining about missing final COMMIT statement.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-shared.h | 1 +
 iptables/xtables-restore.c | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 5ef17a088a208..1f5c8a8130c69 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -245,6 +245,7 @@ struct nft_xt_restore_parse {
 FILE *in;
 int testing;
 const char *tablename;
+ bool commit;
 };
 struct nftnl_chain_list;
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 6a1d1877940fb..bddbc138adae4 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -129,6 +129,10 @@ void xtables_restore_parse(struct nft_handle *h,
 fputs(buffer, stdout);
 continue;
 } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
+ if (!p->commit)
+ xtables_error(PARAMETER_PROBLEM,
+ "%s: COMMIT directive not supported\n",
+ xt_params->program_name);
 if (!p->testing) {
 /* Commit per table, although we support
 * global commit at once, stick by now to
@@ -144,7 +148,7 @@ void xtables_restore_parse(struct nft_handle *h,
 }
 in_table = 0;
- } else if ((buffer[0] == '*') && (!in_table)) {
+ } else if ((buffer[0] == '*') && (!in_table || !p->commit)) {
 /* New table */
 char *table;
@@ -341,10 +345,13 @@ void xtables_restore_parse(struct nft_handle *h,
 exit(1);
 }
 }
- if (in_table) {
+ if (in_table && p->commit) {
 fprintf(stderr, "%s: COMMIT expected at line %u\n", xt_params->program_name, line + 1);
 exit(1);
+ } else if (in_table && cb->commit && !cb->commit(h)) {
+ xtables_error(OTHER_PROBLEM, "%s: final implicit COMMIT failed",
+ xt_params->program_name);
 }
 } 
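Review bot: The new `commit` field in `struct nft_xt_restore_parse` carries no comment, yet it switches parser behaviour in two places (COMMIT lines are rejected, and the ruleset is committed implicitly after input) and a caller that zero-initialises the struct, as xtables_restore_main did with `p = {}` before this patch, silently lands in that mode. A one-liner at the declaration would make the default visible to the next caller: `bool commit; /* accept COMMIT lines; if false, commit implicitly after parsing */`. The struct definition starts outside the hunk.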
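Review bot: The message passed to xtables_error here ends in `\n` while the other xtables_error call this same patch adds (`final implicit COMMIT failed`) does not; if xtables_error appends its own newline, as the legacy exit handlers do, this one prints an empty line after the error. It also omits the input line number that the neighbouring `COMMIT expected at line %u` diagnostic reports, which is what a user needs to locate the offending directive in a restore file. Suggest `"%s: COMMIT directive not supported at line %u", xt_params->program_name, line` — the function already keeps `line` as its input counter, though whether the loop has incremented it for the current buffer at this point is not visible in the hunk. xtables_restore_parse starts before the hunk.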
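Review bot: The widened condition `(!in_table || !p->commit)` accepts a `*table` line while the previous table is still open, and nothing on the line says why that is legitimate only in the no-COMMIT mode; a short why-comment would save the next reader a trip to the commit log, e.g. `/* without COMMIT support the next table directly follows the previous one */`. It is also worth confirming that the new-table code in this branch, which lies outside the hunk, does not assume `in_table == 0` on entry, since it is now reached with the flag still set. xtables_restore_parse continues outside the hunk.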
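Review bot: The implicit final commit in the new `else if` branch runs regardless of `p->testing`, whereas the explicit COMMIT path earlier in this function only calls `cb->commit(h)` inside `if (!p->testing)`; a caller that combines `commit = false` with testing mode would therefore apply the ruleset instead of only checking it. Guard it the same way: `} else if (in_table && !p->testing && cb->commit && !cb->commit(h)) {`. Whether the ebtables-restore front end exposes a test option is not visible here, but the parser is shared, so the two commit paths should agree. The retained `in_table && p->commit` branch also keeps fprintf plus exit(1) while the new branch uses xtables_error; picking one keeps the end-of-input diagnostics uniform. xtables_restore_parse starts before the hunk.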
@@ -357,7 +364,9 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 .restore = true,
 };
 int c;
- struct nft_xt_restore_parse p = {};
+ struct nft_xt_restore_parse p = {
+ .commit = true,
+ };
 line = 0;
-- 2.18.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html