[PATCH nft v2] evaluate: force full cache update on rule index translation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If we've done a partial fetch of the cache and the genid is the same the
cache update will be skipped without fetching the rules. This causes the
index to handle lookup to fail. To remedy the situation we flush the
cache and force a full update.

Fixes: 816d8c7659c1 ("Support 'add/insert rule index <IDX>'")
Signed-off-by: Eric Garver <eric@xxxxxxxxxxx>
---
# NFT=/usr/sbin/nft ./run-tests.sh ./testcases/cache/0003_cache_update_0 
I: using nft binary /usr/sbin/nft

W: [FAILED]	./testcases/cache/0003_cache_update_0: got 1
Error: Could not process rule: No such file or directory
add table ip t2; add chain ip t2 c
                              ^^
/dev/stdin:1:18-24: Error: Could not process rule: No such file or directory
add rule ip t4 c index 0 drop
                 ^^^^^^^

I: results: [OK] 0 [FAILED] 1 [TOTAL] 1
---
# ./run-tests.sh ./testcases/cache/0003_cache_update_0 
I: using nft binary ./../../src/nft

I: [OK]		./testcases/cache/0003_cache_update_0
Error: No such file or directory; did you mean table 't' in family ip?
add table ip t2; add chain ip t2 c
                              ^^

I: results: [OK] 1 [FAILED] 0 [TOTAL] 1
---
 src/evaluate.c                                  |  6 +++++-
 tests/shell/testcases/cache/0003_cache_update_0 | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 3593eb80a6a6..a2585291e7c4 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3182,7 +3182,11 @@ static int rule_translate_index(struct eval_ctx *ctx, struct rule *rule)
 	struct rule *r;
 	int ret;
 
-	/* update cache with CMD_LIST so that rules are fetched, too */
+	/* Update cache with CMD_LIST so that rules are fetched, too. The explicit
+	 * release is necessary because the genid may be the same, in which case
+	 * the update would be a no-op.
+	 */
+	cache_release(&ctx->nft->cache);
 	ret = cache_update(ctx->nft, CMD_LIST, ctx->msgs);
 	if (ret < 0)
 		return ret;
diff --git a/tests/shell/testcases/cache/0003_cache_update_0 b/tests/shell/testcases/cache/0003_cache_update_0
index deb45db2c43b..fa9b5df380a4 100755
--- a/tests/shell/testcases/cache/0003_cache_update_0
+++ b/tests/shell/testcases/cache/0003_cache_update_0
@@ -27,3 +27,17 @@ EOF
 $NFT -i >/dev/null <<EOF
 add table ip t3; add chain ip t c
 EOF
+
+# The following test exposes a problem with incremental cache update when
+# reading commands from a file that add a rule using the "index" keyword.
+#
+# add rule ip t4 c meta l4proto icmp accept -> rule to reference in next step
+# add rule ip t4 c index 0 drop -> index 0 is not found due to rule cache not
+#                                  being updated
+$NFT -i >/dev/null <<EOF
+add table ip t4; add chain ip t4 c
+add rule ip t4 c meta l4proto icmp accept
+EOF
+$NFT -f - >/dev/null <<EOF
+add rule ip t4 c index 0 drop
+EOF
-- 
2.20.1




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux