Re: Deleting tables from included files causes a kernel BUG

Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> To reproduce this, create the following ruleset:
> 
> ------------------------------------
> #!/usr/sbin/nft -f
> 
> flush ruleset
> 
> create table ip nat
> create table inet filter
> 
> create chain ip nat testchain
> 
> delete table ip testtable
> ------------------------------------
> 
> When you apply the ruleset, you get the following:
> 
> # nft -f main.nft
> 
> # nft list ruleset
> table inet filter {
> }

I will push the following patch to fix this:

Subject: mnl: name is ignored when deleting a table

nlt is reallocated, leaking first allocation and also removing
the table name/handle that was set on nlt object.

Add a test case for this as well, the batch is supposed to fail
when trying to delete a non-existent table, rather than wiping
all tables in the same address family.

Fixes: 12c362e2214a0 ("mnl: remove alloc_nftnl_table()")
Reported-by: Mikhail Morfikov <mmorfikov@xxxxxxxxx>
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 src/mnl.c                                     |  4 ---
 .../shell/testcases/transactions/0003table_0  | 35 +++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index c3d16774f71f..dde232c7e29c 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -664,10 +664,6 @@ int mnl_nft_table_del(struct netlink_ctx *ctx, const struct cmd *cmd)
 		nftnl_table_set_u64(nlt, NFTNL_TABLE_HANDLE,
 				    cmd->handle.handle.id);
 
-	nlt = nftnl_table_alloc();
-	if (nlt == NULL)
-		memory_allocation_error();
-
 	nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(ctx->batch),
 				    NFT_MSG_DELTABLE,
 				    cmd->handle.family,
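Review bot: the second nftnl_table_alloc() removed here overwrote the nlt that the preceding lines had already populated with the table name (and, in the context at the top of the hunk, the handle), so the NFT_MSG_DELTABLE request built right after it carried no table identifier at all; dropping the re-allocation fixes both the leak and the loss of the name. It would help future readers if the commit message spelled out why that is security-relevant: a DELTABLE message without NFTNL_TABLE_NAME or NFTNL_TABLE_HANDLE is interpreted by the kernel as "delete every table in this address family", which is how a typo in a ruleset turned into a wipe of the ip tables.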
diff --git a/tests/shell/testcases/transactions/0003table_0 b/tests/shell/testcases/transactions/0003table_0
index 6e508fc2a02c..6861eabab125 100755
--- a/tests/shell/testcases/transactions/0003table_0
+++ b/tests/shell/testcases/transactions/0003table_0
@@ -11,3 +11,38 @@ if [ $? -ne 0 ] ; then
         echo "E: unable to load good ruleset" >&2
         exit 1
 fi
+
+KERNEL_RULESET="$($NFT list ruleset)"
+if [ "" != "$KERNEL_RULESET" ] ; then
+	DIFF="$(which diff)"
+	echo "Got a ruleset, but expected empty: "
+	echo "$KERNEL_RULESET"
+	exit 1
+fi
+
+RULESET="table ip x {
+}
+table ip y {
+}"
+
+$NFT -f - <<< "$RULESET"
+if [ $? -ne 0 ] ; then
+        echo "E: unable to load good ruleset" >&2
+        exit 1
+fi
+
+RULESETFAIL="flush ruleset
+create table ip nat
+create table inet filter
+create chain ip nat testchain
+delete table ip testtable"
+
+# testtable doesn't exist, batch expected to fail
+$NFT -f - <<< "$RULESETFAIL" && exit 2
+
+KERNEL_RULESET="$($NFT list ruleset)"
+if [ "$RULESET" != "$KERNEL_RULESET" ] ; then
+        DIFF="$(which diff)"
+        [ -x $DIFF ] && $DIFF -u <(echo "$RULESET") <(echo "$KERNEL_RULESET")
+        exit 1
+fi
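Review bot: in the first added block, `DIFF="$(which diff)"` is assigned but never used (the block only echoes the unexpected ruleset), so either drop that line or use it as the later block does; in the later block, `[ -x $DIFF ]` should quote the variable as `[ -x "$DIFF" ]`, otherwise an empty result from `which` makes the test succeed and runs a bare `-u`. Two smaller points: both load failures print the same "E: unable to load good ruleset", so a failure of the second load is indistinguishable from the first; and the new block mixes tab indentation (the empty-ruleset check) with the eight-space indentation used elsewhere in the file.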
-- 
2.19.2