mnl_nft_dump_nf_hooks() can call itself for the UNSPEC case, this
avoids the second switch/case to handle printing for inet/unspec.
As for the error handling, 'nft list hooks' should not print an error,
even if nothing is printed, UNLESS there was also a lowlevel (syscall)
error from the kernel.
We don't want to indicate failure just because e.g. kernel doesn't support
NFPROTO_ARP.
This also fixes a display bug, 'nft list hooks device foo' would show hooks
registered for that device as 'bridge' family instead of the expected
'netdev' family.
This was because UNSPEC handling did not query 'netdev' family and did
pass the device name to the lowlevel function. Add it, and pass NULL
device name for those families that don't support device attachment.
The lowelevel function currently always queries NFPROTO_NETDEV to handle
the 'inet' ingress case.
This is dubious, as 'inet ingress' is a pseudo-alias to netdev family
(inet itself is a pseudo-family that ends up registering for both ipv4
and ipv6 hooks).
This is resolved in next patch.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
src/mnl.c | 98 ++++++++++++++++++++-----------------------------------
1 file changed, 35 insertions(+), 63 deletions(-)
diff --git a/src/mnl.c b/src/mnl.c
index ec7d2bd5defc..e4bbbcf6d536 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -2518,65 +2518,42 @@ static void print_hooks(struct netlink_ctx *ctx, int family, struct list_head *h
fprintf(fp, "}\n");
}
-#define HOOK_FAMILY_MAX 5
-
-static uint8_t hook_family[HOOK_FAMILY_MAX] = {
- NFPROTO_IPV4,
- NFPROTO_IPV6,
- NFPROTO_BRIDGE,
- NFPROTO_ARP,
-};
-
static int mnl_nft_dump_nf(struct netlink_ctx *ctx, int family, int hook,
- const char *devname, struct list_head *hook_list,
- int *ret)
+ const char *devname, struct list_head *hook_list)
{
int i, err;
/* show ingress in first place in hook listing. */
err = __mnl_nft_dump_nf_hooks(ctx, family, NFPROTO_NETDEV, NF_NETDEV_INGRESS, devname, hook_list);
- if (err < 0)
- *ret = err;
for (i = 0; i <= NF_INET_POST_ROUTING; i++) {
- err = __mnl_nft_dump_nf_hooks(ctx, family, family, i, devname, hook_list);
- if (err < 0)
- *ret = err;
+ int tmp;
+
+ tmp = __mnl_nft_dump_nf_hooks(ctx, family, family, i, devname, hook_list);
+ if (tmp == 0)
+ err = 0;
}
return err;
}
static int mnl_nft_dump_nf_arp(struct netlink_ctx *ctx, int family, int hook,
- const char *devname, struct list_head *hook_list,
- int *ret)
+ const char *devname, struct list_head *hook_list)
{
- int err;
-
- /* show ingress in first place in hook listing. */
- err = __mnl_nft_dump_nf_hooks(ctx, family, NFPROTO_NETDEV, NF_NETDEV_INGRESS, devname, hook_list);
- if (err < 0)
- *ret = err;
+ int err1, err2;
- err = __mnl_nft_dump_nf_hooks(ctx, family, family, NF_ARP_IN, devname, hook_list);
- if (err < 0)
- *ret = err;
- err = __mnl_nft_dump_nf_hooks(ctx, family, family, NF_ARP_OUT, devname, hook_list);
- if (err < 0)
- *ret = err;
+ err1 = __mnl_nft_dump_nf_hooks(ctx, family, family, NF_ARP_IN, devname, hook_list);
+ err2 = __mnl_nft_dump_nf_hooks(ctx, family, family, NF_ARP_OUT, devname, hook_list);
- return err;
+ return err1 ? err2 : err1;
}
static int mnl_nft_dump_nf_netdev(struct netlink_ctx *ctx, int family, int hook,
- const char *devname, struct list_head *hook_list,
- int *ret)
+ const char *devname, struct list_head *hook_list)
{
int err;
err = __mnl_nft_dump_nf_hooks(ctx, family, NFPROTO_NETDEV, NF_NETDEV_INGRESS, devname, hook_list);
- if (err < 0)
- *ret = err;
return err;
}
@@ -2592,51 +2569,46 @@ static void release_hook_list(struct list_head *hook_list)
int mnl_nft_dump_nf_hooks(struct netlink_ctx *ctx, int family, int hook, const char *devname)
{
LIST_HEAD(hook_list);
- unsigned int i;
- int ret;
+ int ret = -1, tmp;
errno = 0;
- ret = 0;
switch (family) {
case NFPROTO_UNSPEC:
- mnl_nft_dump_nf(ctx, NFPROTO_IPV4, hook, devname, &hook_list, &ret);
- mnl_nft_dump_nf(ctx, NFPROTO_IPV6, hook, devname, &hook_list, &ret);
- mnl_nft_dump_nf(ctx, NFPROTO_BRIDGE, hook, devname, &hook_list, &ret);
- break;
+ ret = mnl_nft_dump_nf_hooks(ctx, NFPROTO_ARP, hook, NULL);
+ tmp = mnl_nft_dump_nf_hooks(ctx, NFPROTO_INET, hook, devname);
+ if (tmp == 0)
+ ret = 0;
+ tmp = mnl_nft_dump_nf_hooks(ctx, NFPROTO_BRIDGE, hook, NULL);
+ if (tmp == 0)
+ ret = 0;
+ tmp = mnl_nft_dump_nf_hooks(ctx, NFPROTO_NETDEV, hook, devname);
+ if (tmp == 0)
+ ret = 0;
+
+ return ret;
case NFPROTO_INET:
- mnl_nft_dump_nf(ctx, NFPROTO_IPV4, hook, devname, &hook_list, &ret);
- mnl_nft_dump_nf(ctx, NFPROTO_IPV6, hook, devname, &hook_list, &ret);
- break;
+ ret = mnl_nft_dump_nf_hooks(ctx, NFPROTO_IPV4, hook, devname);
+ tmp = mnl_nft_dump_nf_hooks(ctx, NFPROTO_IPV6, hook, devname);
+ if (tmp == 0)
+ ret = 0;
+
+ return ret;
case NFPROTO_IPV4:
case NFPROTO_IPV6:
case NFPROTO_BRIDGE:
- mnl_nft_dump_nf(ctx, family, hook, devname, &hook_list, &ret);
+ ret = mnl_nft_dump_nf(ctx, family, hook, devname, &hook_list);
break;
case NFPROTO_ARP:
- mnl_nft_dump_nf_arp(ctx, family, hook, devname, &hook_list, &ret);
+ ret = mnl_nft_dump_nf_arp(ctx, family, hook, devname, &hook_list);
break;
case NFPROTO_NETDEV:
- mnl_nft_dump_nf_netdev(ctx, family, hook, devname, &hook_list, &ret);
- break;
- }
-
- switch (family) {
- case NFPROTO_UNSPEC:
- for (i = 0; i < HOOK_FAMILY_MAX; i++)
- print_hooks(ctx, hook_family[i], &hook_list);
- break;
- case NFPROTO_INET:
- print_hooks(ctx, NFPROTO_IPV4, &hook_list);
- print_hooks(ctx, NFPROTO_IPV6, &hook_list);
- break;
- default:
- print_hooks(ctx, family, &hook_list);
+ ret = mnl_nft_dump_nf_netdev(ctx, family, hook, devname, &hook_list);
break;
}
+ print_hooks(ctx, family, &hook_list);
release_hook_list(&hook_list);
- ret = 0;
return ret;
}
--
2.44.2
