From: Jan Palus <atler@xxxxxxxxxxxxx>
[Phil: Introduce assert_nft_restart() to keep things clean, also add fallback returns to nft_action() and nft_prepare(), sanitizing things at least a bit.]
Signed-off-by: Jan Palus <atler@xxxxxxxxxxxxx>
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-cache.c | 16 ++++++++++++----
 iptables/nft.c | 7 +++++--
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index fabb577903f28..91d296709b9de 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -26,6 +26,14 @@
 #include "nft-cache.h"
 #include "nft-chain.h"
+/* users may define NDEBUG */
+static void assert_nft_restart(struct nft_handle *h)
+{
+ int rc = nft_restart(h);
+
+ assert(rc >= 0);
+}
+
 static void cache_chain_list_insert(struct list_head *list, const char *name)
 {
 struct cache_chain *pos = NULL, *new;
@@ -147,7 +155,7 @@ static int fetch_table_cache(struct nft_handle *h)
 ret = mnl_talk(h, nlh, nftnl_table_list_cb, h);
 if (ret < 0 && errno == EINTR)
- assert(nft_restart(h) >= 0);
+ assert_nft_restart(h);
 for (i = 0; i < NFT_TABLE_MAX; i++) {
 enum nft_table_type type = h->tables[i].type;
@@ -472,7 +480,7 @@ static int fetch_set_cache(struct nft_handle *h,
 ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
 if (ret < 0 && errno == EINTR) {
- assert(nft_restart(h) >= 0);
+ assert_nft_restart(h);
 return ret;
 }
@@ -512,7 +520,7 @@ static int __fetch_chain_cache(struct nft_handle *h,
 ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
 if (ret < 0 && errno == EINTR)
- assert(nft_restart(h) >= 0);
+ assert_nft_restart(h);
 return ret;
 }
@@ -606,7 +614,7 @@ static int nft_rule_list_update(struct nft_chain *nc, void *data)
 ret = mnl_talk(h, nlh, nftnl_rule_list_cb, &rld);
 if (ret < 0 && errno == EINTR)
- assert(nft_restart(h) >= 0);
+ assert_nft_restart(h);
 nftnl_rule_free(rule);
diff --git a/iptables/nft.c b/iptables/nft.c
index b702c65ae49aa..326dc20b21d65 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
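Review bot: In `assert_nft_restart()` the result of `nft_restart(h)` is still only checked by `assert()`, so a build with NDEBUG now performs the restart but carries on after a failed one, and `rc` becomes a set-but-unused variable in that build. If a failed restart must not be survived, an explicit check such as `if (nft_restart(h) < 0) abort();` behaves the same in both build modes; if ignoring it is intended, `(void)rc;` and a comment saying so would make that visible. The comment `/* users may define NDEBUG */` could state the reason directly: `/* call nft_restart() outside assert() so it still runs when NDEBUG is defined */`. The same applies to `mnl_nft_batch_continue()` in iptables/nft.c, where `ret` from `nftnl_batch_update()` is likewise only asserted.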
@@ -109,7 +109,9 @@ static struct nftnl_batch *mnl_batch_init(void)
 static void mnl_nft_batch_continue(struct nftnl_batch *batch)
 {
- assert(nftnl_batch_update(batch) >= 0);
+ int ret = nftnl_batch_update(batch);
+
+ assert(ret >= 0);
 }
 static uint32_t mnl_batch_begin(struct nftnl_batch *batch, uint32_t genid, uint32_t seqnum)
@@ -3227,6 +3229,7 @@ static int nft_action(struct nft_handle *h, int action)
 case NFT_COMPAT_RULE_ZERO:
 case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
 assert(0);
+ return 0;
 }
 mnl_nft_batch_continue(h->batch);
@@ -3504,7 +3507,7 @@ static int nft_prepare(struct nft_handle *h)
 case NFT_COMPAT_TABLE_ADD:
 case NFT_COMPAT_CHAIN_ADD:
 assert(0);
- break;
+ return 0;
 }
 nft_cmd_free(cmd);
-- 2.40.0
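Review bot: The fallback `return 0;` after `assert(0);` in nft_action() leaves the function before the `mnl_nft_batch_continue(h->batch)` call that follows the switch and emits no diagnostic, so in an NDEBUG build an unexpected command type ends the function quietly. Whether 0 is the failure value here, and whether the caller discards the partly built batch, cannot be seen from this hunk because nft_action() starts and ends outside it. A short comment would make the intent explicit, for example `/* only reached with NDEBUG: unexpected command, report failure */`.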
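Review bot: Replacing `break;` with `return 0;` in nft_prepare() means the `nft_cmd_free(cmd);` visible right after the switch is skipped for this command in an NDEBUG build. If nothing else releases the pending command on the failure path, that is a leak; this cannot be confirmed here because the function body extends beyond the hunk. Calling `nft_cmd_free(cmd);` before the `return 0;` would keep the cleanup, provided the entry is not freed again later by the caller.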