[iptables PATCH 6/8] nft: __add_{match,target}() can't fail

Phil Sutter <phil@xxxxxx> · Thu, 1 Aug 2024 00:27:01 +0200

These functions either call xtables_error() which terminates the process
or succeed - make them return void. While at it, export them as rule
parsing code will call them in future. Also make input parameter const,
they're not supposed to alter extension data.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft.c | 28 ++++++++++------------------
 iptables/nft.h |  2 ++
 2 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 88be5ede5171d..cabcc884b4069 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1034,7 +1034,7 @@ int nft_chain_set(struct nft_handle *h, const char *table,
 	return 1;
 }
 
-static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m)
+void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m)
 {
 	void *info;
 
@@ -1044,8 +1044,6 @@ static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m)
 	info = xtables_calloc(1, m->u.match_size);
 	memcpy(info, m->data, m->u.match_size - sizeof(*m));
 	nftnl_expr_set(e, NFTNL_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m));
-
-	return 0;
 }
 
 static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m)
@@ -1378,11 +1376,10 @@ static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r,
 	if (udp->invflags > XT_UDP_INV_MASK ||
 	    udp_all_zero(udp)) {
 		struct nftnl_expr *expr = nftnl_expr_alloc("match");
-		int ret;
 
-		ret = __add_match(expr, m);
+		__add_match(expr, m);
 		nftnl_rule_add_expr(r, expr);
-		return ret;
+		return 0;
 	}
 
 	if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_UDP)
@@ -1431,11 +1428,10 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r,
 	if (tcp->invflags & ~supported || tcp->option ||
 	    tcp_all_zero(tcp)) {
 		struct nftnl_expr *expr = nftnl_expr_alloc("match");
-		int ret;
 
-		ret = __add_match(expr, m);
+		__add_match(expr, m);
 		nftnl_rule_add_expr(r, expr);
-		return ret;
+		return 0;
 	}
 
 	if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_TCP)
@@ -1478,7 +1474,6 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
 	      struct nftnl_rule *r, struct xt_entry_match *m)
 {
 	struct nftnl_expr *expr;
-	int ret;
 
 	switch (ctx->command) {
 	case NFT_COMPAT_RULE_APPEND:
@@ -1503,13 +1498,13 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
 	if (expr == NULL)
 		return -ENOMEM;
 
-	ret = __add_match(expr, m);
+	__add_match(expr, m);
 	nftnl_rule_add_expr(r, expr);
 
-	return ret;
+	return 0;
 }
 
-static int __add_target(struct nftnl_expr *e, struct xt_entry_target *t)
+void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t)
 {
 	void *info;
 
@@ -1520,8 +1515,6 @@ static int __add_target(struct nftnl_expr *e, struct xt_entry_target *t)
 	info = xtables_calloc(1, t->u.target_size);
 	memcpy(info, t->data, t->u.target_size - sizeof(*t));
 	nftnl_expr_set(e, NFTNL_EXPR_TG_INFO, info, t->u.target_size - sizeof(*t));
-
-	return 0;
 }
 
 static int add_meta_nftrace(struct nftnl_rule *r)
@@ -1549,7 +1542,6 @@ static int add_meta_nftrace(struct nftnl_rule *r)
 int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
 {
 	struct nftnl_expr *expr;
-	int ret;
 
 	if (strcmp(t->u.user.name, "TRACE") == 0)
 		return add_meta_nftrace(r);
@@ -1558,10 +1550,10 @@ int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
 	if (expr == NULL)
 		return -ENOMEM;
 
-	ret = __add_target(expr, t);
+	__add_target(expr, t);
 	nftnl_rule_add_expr(r, expr);
 
-	return ret;
+	return 0;
 }
 
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict)
diff --git a/iptables/nft.h b/iptables/nft.h
index 8f17f3100a190..54fe5210ad1ac 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -192,8 +192,10 @@ bool nft_rule_is_policy_rule(struct nftnl_rule *r);
  */
 int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
 int add_verdict(struct nftnl_rule *r, int verdict);
+void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m);
 int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
 	      struct nftnl_rule *r, struct xt_entry_match *m);
+void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t);
 int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
 int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
-- 
2.43.0








