Legacy ebtables-restore does not support COMMIT directive, so allow for callers of xtables_restore_parse() to toggle whether it is required or not. In iptables, omitting COMMIT may be used for syntax checking, so we must not add an implicit commit at EOF. Although ebtables/arptables legacy does not support COMMIT lines at all, this patch allows them in nft variants. If omitted, an implicit commit happens for them at EOF.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
Changes since v1:
- Allow COMMIT lines in any case.
---
 iptables/nft-shared.h | 1 +
 iptables/xtables-restore.c | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 5ef17a088a208..1f5c8a8130c69 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -245,6 +245,7 @@ struct nft_xt_restore_parse {
 FILE *in;
 int testing;
 const char *tablename;
+ bool commit;
 };
 struct nftnl_chain_list;
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 9a014ccd2baec..49fc16ce481dd 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -144,7 +144,7 @@ void xtables_restore_parse(struct nft_handle *h,
 }
 in_table = 0;
- } else if ((buffer[0] == '*') && (!in_table)) {
+ } else if ((buffer[0] == '*') && (!in_table || !p->commit)) {
 /* New table */
 char *table;
@@ -342,10 +342,13 @@ void xtables_restore_parse(struct nft_handle *h,
 exit(1);
 }
 }
- if (in_table) {
+ if (in_table && p->commit) {
 fprintf(stderr, "%s: COMMIT expected at line %u\n",
 xt_params->program_name, line + 1);
 exit(1);
+ } else if (in_table && cb->commit && !cb->commit(h)) {
+ xtables_error(OTHER_PROBLEM, "%s: final implicit COMMIT failed",
+ xt_params->program_name);
 }
 }
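Review bot: The new `commit` member of struct nft_xt_restore_parse in nft-shared.h is undocumented, and its name reads as "perform a commit", whereas the xtables-restore.c hunks use it to mean "a COMMIT line is mandatory". A one-line comment on the field would keep callers from setting it the wrong way round, for example `bool commit; /* true: each table must be closed by a COMMIT line; false: COMMIT is optional and EOF commits implicitly */`.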
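Review bot: With the relaxed condition `(!in_table || !p->commit)` in xtables_restore_parse(), a `*table` line met while a table is still open starts a new table, and nothing visible in this branch commits or resets the previous one. Whether the earlier table's changes stay queued until the next commit depends on the commit callback, which the hunk does not show. The intent deserves a comment at this branch, e.g. `/* COMMIT optional: a new table line implicitly ends the previous table; its changes are applied by the next explicit or implicit commit */`, to be confirmed against the callback. The branch body continues past the end of the hunk.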
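Review bot: The implicit commit added at EOF in xtables_restore_parse() calls `cb->commit(h)` without consulting `p->testing`, so a run meant only to validate a ruleset could still apply it when the input has no trailing COMMIT. The explicit COMMIT handling lies outside this hunk; if it skips the commit in testing mode, this branch should do the same, e.g. `} else if (in_table && !p->testing && cb->commit && !cb->commit(h)) {`. The new branch also reports failure through xtables_error(), while the branch just above uses fprintf() followed by exit(1). Using one style for both would keep the error output consistent.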
@@ -358,7 +361,9 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 .restore = true,
 };
 int c;
- struct nft_xt_restore_parse p = {};
+ struct nft_xt_restore_parse p = {
+ .commit = true,
+ };
 line = 0;
--
2.18.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
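Review bot: Setting `.commit = true` only in xtables_restore_main() means that any other initialiser of struct nft_xt_restore_parse, none of which appear in this diff, silently gets `commit == false`. For those callers COMMIT becomes optional and EOF triggers an implicit commit. For a firewall ruleset loader the strict behaviour is the safer default. It is worth either auditing the remaining callers or inverting the flag so that zero-initialisation keeps COMMIT mandatory, for example a member such as `bool commit_optional;` (name is only a suggestion) tested as `!p->commit_optional`. The rest of xtables_restore_main() lies outside the hunk.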