From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH 2/3] src/evaluate.c: improve rule management checks
Date: Wed, 23 Mar 2016 17:08:34 +0100 [thread overview]
Message-ID: <20160323160834.GA6981@salvia> (raw)
In-Reply-To: <145873749855.10004.10666252455830923605.stgit@nfdev2.cica.es>
[-- Attachment #1: Type: text/plain, Size: 956 bytes --]
On Wed, Mar 23, 2016 at 01:51:38PM +0100, Arturo Borrero Gonzalez wrote:
> Improve checks (and error reporting) for basic rule management operations.
>
> This includes a fix for netfilter bug #965.
Thanks for working on this.
With a bit more work we can achieve better error reporting:
# nft insert rule x y handle 10 position 10 ip saddr 1.1.1.1
<cmdline>:1:17-25: Error: Wrong combination, use `position' instead
insert rule x y handle 10 position 10 ip saddr 1.1.1.1
^^^^^^^^^ ~~~~~~~~~~~
# nft insert rule x y handle 10 ip saddr 1.1.1.1
<cmdline>:1:17-25: Error: Cannot use this, use `position' instead
insert rule x y handle 10 ip saddr 1.1.1.1
^^^^^^^^^
You will need to rework this patch applying this patch in first place:
http://patchwork.ozlabs.org/patch/601270/
I'm also attaching a quick patch for the two examples, but remaining
spots are left unchanges. Please feel free to follow up on this.
Thanks.
[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 2935 bytes --]
diff --git a/src/evaluate.c b/src/evaluate.c
index 473f014..db89a0f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -65,6 +65,12 @@ static int __fmtstring(4, 5) __stmt_binary_error(struct eval_ctx *ctx,
__stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args)
#define cmd_error(ctx, fmt, args...) \
__stmt_binary_error(ctx, &(ctx->cmd)->location, NULL, fmt, ## args)
+#define handle_error(ctx, fmt, args...) \
+ __stmt_binary_error(ctx, &ctx->cmd->handle.handle.location, NULL, fmt, ## args)
+#define position_error(ctx, fmt, args...) \
+ __stmt_binary_error(ctx, &ctx->cmd->handle.position.location, NULL, fmt, ## args)
+#define handle_position_error(ctx, fmt, args...) \
+ __stmt_binary_error(ctx, &ctx->cmd->handle.handle.location, &ctx->cmd->handle.position.location, fmt, ## args)
static int __fmtstring(3, 4) set_error(struct eval_ctx *ctx,
const struct set *set,
@@ -2160,11 +2166,61 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
return 0;
}
+static int rule_evaluate_cmd(struct eval_ctx *ctx)
+{
+ struct handle *handle = &ctx->cmd->handle;
+
+ /* allowed:
+ * - insert [position] (no handle)
+ * - add [position] (no handle)
+ * - replace <handle> (no position)
+ * - delete <handle> (no position)
+ */
+
+ switch (ctx->cmd->op) {
+ case CMD_INSERT:
+ if (handle->handle.id && handle->position.id)
+ return handle_position_error(ctx, "Wrong combination, use `position' instead");
+
+ if (handle->handle.id != 0)
+ return handle_error(ctx, "Cannot use this, use `position' instead");
+ break;
+ case CMD_ADD:
+ if (handle->handle.id != 0)
+ return cmd_error(ctx, "Could not add rule: handle not "
+ "allowed.");
+ break;
+ case CMD_REPLACE:
+ if (handle->position.id != 0)
+ return cmd_error(ctx, "Could not replace rule: "
+ "position not allowed.");
+ if (handle->handle.id == 0)
+ return cmd_error(ctx, "Could not replace rule: missing"
+ " handle.");
+ break;
+ case CMD_DELETE:
+ if (handle->position.id != 0)
+ return cmd_error(ctx, "Could not delete rule: position"
+ " not allowed.");
+ if (handle->handle.id == 0)
+ return cmd_error(ctx, "Could not delete rule: missing "
+ "handle.");
+ break;
+ default:
+ BUG("unkown command type %u\n", ctx->cmd->op);
+ }
+
+ return 0;
+}
+
static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
{
struct stmt *stmt, *tstmt = NULL;
struct error_record *erec;
+ if (rule_evaluate_cmd(ctx) < 0)
+ return -1;
+
proto_ctx_init(&ctx->pctx, rule->handle.family);
memset(&ctx->ectx, 0, sizeof(ctx->ectx));
@@ -2345,8 +2401,11 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
return ret;
return setelem_evaluate(ctx, &cmd->expr);
- case CMD_OBJ_SET:
case CMD_OBJ_RULE:
+ if (rule_evaluate_cmd(ctx) < 0)
+ return -1;
+ /* fall through */
+ case CMD_OBJ_SET:
case CMD_OBJ_CHAIN:
case CMD_OBJ_TABLE:
return 0;
next prev parent reply other threads:[~2016-03-23 16:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-23 12:51 [nft PATCH 1/3] src/rule.c: don't print trailing statement whitespace Arturo Borrero Gonzalez
2016-03-23 12:51 ` [nft PATCH 2/3] src/evaluate.c: improve rule management checks Arturo Borrero Gonzalez
2016-03-23 16:08 ` Pablo Neira Ayuso [this message]
2016-03-28 11:32 ` Arturo Borrero Gonzalez
2016-04-07 16:39 ` Pablo Neira Ayuso
2016-03-23 12:51 ` [nft PATCH 3/3] tests/shell: add testcases for Netfilter bug #965 Arturo Borrero Gonzalez
2016-04-12 23:29 ` Pablo Neira Ayuso
2016-03-29 11:17 ` [nft PATCH 1/3] src/rule.c: don't print trailing statement whitespace Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160323160834.GA6981@salvia \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.