[PATCH nft 1/4] src: add create set command

[PATCH nft 1/4] src: add create set command

[Pablo Neira Ayuso]

Add support for the 'create' command, we already support this in other
existing objects, so support this for sets too, eg.

 # nft add set x y { type ipv4_addr\; }
 # nft create set x y { type ipv4_addr\; }
 <cmdline>:1:1-35: Error: Could not process rule: File exists
 create set x y { type ipv4_addr; }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 # nft add set x y { type ipv4_addr\; }
 #

This command sets the NLM_F_EXCL netlink flag, so if the object already
exists, nf_tables returns -EEXIST.

This is changing the existing behaviour of 'nft add set' which was
setting this flag, this is inconsistent with regards to the way other
objects behave.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/netlink.h  |  2 +-
 src/netlink.c      | 17 ++++++++++-------
 src/parser_bison.y | 14 ++++++++++++++
 src/rule.c         |  8 ++++----
 4 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 76a9da4..5f48707 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -148,7 +148,7 @@ extern int netlink_flush_table(struct netlink_ctx *ctx, const struct handle *h,
 			       const struct location *loc);
 
 extern int netlink_add_set(struct netlink_ctx *ctx, const struct handle *h,
-			   struct set *set);
+			   struct set *set, bool excl);
 extern int netlink_delete_set(struct netlink_ctx *ctx, const struct handle *h,
 			      const struct location *loc);
 extern int netlink_list_sets(struct netlink_ctx *ctx, const struct handle *h,
diff --git a/src/netlink.c b/src/netlink.c
index cf24c8a..f897b0e 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1117,8 +1117,10 @@ static struct set *netlink_delinearize_set(struct netlink_ctx *ctx,
 }
 
 static int netlink_add_set_compat(struct netlink_ctx *ctx,
-				  const struct handle *h, struct set *set)
+				  const struct handle *h, struct set *set,
+				  bool excl)
 {
+	unsigned int flags = excl ? NLM_F_EXCL : 0;
 	struct nftnl_set *nls;
 	int err;
 
@@ -1136,7 +1138,7 @@ static int netlink_add_set_compat(struct netlink_ctx *ctx,
 	}
 	netlink_dump_set(nls);
 
-	err = mnl_nft_set_add(nf_sock, nls, NLM_F_EXCL | NLM_F_ECHO);
+	err = mnl_nft_set_add(nf_sock, nls, NLM_F_ECHO | flags);
 	if (err < 0)
 		netlink_io_error(ctx, &set->location, "Could not add set: %s",
 				 strerror(errno));
@@ -1148,7 +1150,8 @@ static int netlink_add_set_compat(struct netlink_ctx *ctx,
 }
 
 static int netlink_add_set_batch(struct netlink_ctx *ctx,
-				 const struct handle *h, struct set *set)
+				 const struct handle *h, struct set *set,
+				 bool excl)
 {
 	struct nftnl_set *nls;
 	int err;
@@ -1183,7 +1186,7 @@ static int netlink_add_set_batch(struct netlink_ctx *ctx,
 
 	netlink_dump_set(nls);
 
-	err = mnl_nft_set_batch_add(nls, NLM_F_EXCL, ctx->seqnum);
+	err = mnl_nft_set_batch_add(nls, excl ? NLM_F_EXCL : 0, ctx->seqnum);
 	if (err < 0)
 		netlink_io_error(ctx, &set->location, "Could not add set: %s",
 				 strerror(errno));
@@ -1193,12 +1196,12 @@ static int netlink_add_set_batch(struct netlink_ctx *ctx,
 }
 
 int netlink_add_set(struct netlink_ctx *ctx, const struct handle *h,
-		    struct set *set)
+		    struct set *set, bool excl)
 {
 	if (ctx->batch_supported)
-		return netlink_add_set_batch(ctx, h, set);
+		return netlink_add_set_batch(ctx, h, set, excl);
 	else
-		return netlink_add_set_compat(ctx, h, set);
+		return netlink_add_set_compat(ctx, h, set, excl);
 }
 
 static int netlink_del_set_compat(struct netlink_ctx *ctx,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index a3d93bf..5d5ce8c 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -774,6 +774,20 @@ create_cmd		:	TABLE		table_spec
 				close_scope(state);
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_CHAIN, &$2, &@$, $5);
 			}
+			|	SET		set_spec	set_block_alloc
+						'{'	set_block	'}'
+			{
+				$5->location = @5;
+				handle_merge(&$3->handle, &$2);
+				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SET, &$2, &@$, $5);
+			}
+			|	MAP		set_spec	map_block_alloc
+						'{'	map_block	'}'
+			{
+				$5->location = @5;
+				handle_merge(&$3->handle, &$2);
+				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SET, &$2, &@$, $5);
+			}
 			;
 
 insert_cmd		:	RULE		rule_position	rule
diff --git a/src/rule.c b/src/rule.c
index 14e57f2..54edd8c 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -906,9 +906,9 @@ static int do_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
 }
 
 static int do_add_set(struct netlink_ctx *ctx, const struct handle *h,
-		      struct set *set)
+		      struct set *set, bool excl)
 {
-	if (netlink_add_set(ctx, h, set) < 0)
+	if (netlink_add_set(ctx, h, set, excl) < 0)
 		return -1;
 	if (set->init != NULL)
 		return __do_add_setelems(ctx, &set->handle, set, set->init);
@@ -934,7 +934,7 @@ static int do_add_table(struct netlink_ctx *ctx, const struct handle *h,
 		}
 		list_for_each_entry(set, &table->sets, list) {
 			handle_merge(&set->handle, &table->handle);
-			if (do_add_set(ctx, &set->handle, set) < 0)
+			if (do_add_set(ctx, &set->handle, set, excl) < 0)
 				return -1;
 		}
 		list_for_each_entry(chain, &table->chains, list) {
@@ -958,7 +958,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
 		return netlink_add_rule_batch(ctx, &cmd->handle,
 					      cmd->rule, NLM_F_APPEND);
 	case CMD_OBJ_SET:
-		return do_add_set(ctx, &cmd->handle, cmd->set);
+		return do_add_set(ctx, &cmd->handle, cmd->set, excl);
 	case CMD_OBJ_SETELEM:
 		return do_add_setelems(ctx, &cmd->handle, cmd->expr);
 	default:
-- 
2.1.4

[PATCH nft 2/4] tests: shell: cover add and create set command

[Pablo Neira Ayuso]

This patch validates that creation of an already existing set bails out
with EEXIST.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/shell/testcases/sets/0006create_set_0 | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100755 tests/shell/testcases/sets/0006create_set_0

diff --git a/tests/shell/testcases/sets/0006create_set_0 b/tests/shell/testcases/sets/0006create_set_0
new file mode 100755
index 0000000..ca36cf7
--- /dev/null
+++ b/tests/shell/testcases/sets/0006create_set_0
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# This testscase checks for add and create set commands.
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+if $NFT create set t s { type ipv4_addr \; } 2>/dev/null ; then
+	echo "E: accepted set creation that already exists" >&2
+	exit 1
+fi
+$NFT add set t s { type ipv4_addr \; }
+
+exit 0
-- 
2.1.4

[PATCH nft 3/4] src: create element command

[Pablo Neira Ayuso]

This patch adds the create command, that send the NLM_F_EXCL flag so
nf_tables bails out if the element already exists, eg.

 # nft add element x y { 1.1.1.1 }
 # nft create element x y { 1.1.1.1 }
 <cmdline>:1:1-31: Error: Could not process rule: File exists
 create element x y { 1.1.1.1 }
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This update requires nf_tables kernel patches to honor the NLM_F_EXCL.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/netlink.h  |  2 +-
 src/netlink.c      | 15 ++++++++-------
 src/parser_bison.y |  4 ++++
 src/rule.c         | 13 +++++++------
 4 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/include/netlink.h b/include/netlink.h
index 5f48707..28c11f6 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -160,7 +160,7 @@ extern struct stmt *netlink_parse_set_expr(const struct set *set,
 					   const struct nftnl_expr *nle);
 
 extern int netlink_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
-				const struct expr *expr);
+				const struct expr *expr, bool excl);
 extern int netlink_delete_setelems(struct netlink_ctx *ctx, const struct handle *h,
 				   const struct expr *expr);
 extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h,
diff --git a/src/netlink.c b/src/netlink.c
index f897b0e..f8da2a6 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1318,7 +1318,7 @@ static void alloc_setelem_cache(const struct expr *set, struct nftnl_set *nls)
 
 static int netlink_add_setelems_batch(struct netlink_ctx *ctx,
 				      const struct handle *h,
-				      const struct expr *expr)
+				      const struct expr *expr, bool excl)
 {
 	struct nftnl_set *nls;
 	int err;
@@ -1327,7 +1327,8 @@ static int netlink_add_setelems_batch(struct netlink_ctx *ctx,
 	alloc_setelem_cache(expr, nls);
 	netlink_dump_set(nls);
 
-	err = mnl_nft_setelem_batch_add(nls, 0, ctx->seqnum);
+	err = mnl_nft_setelem_batch_add(nls, excl ? NLM_F_EXCL : 0,
+					ctx->seqnum);
 	nftnl_set_free(nls);
 	if (err < 0)
 		netlink_io_error(ctx, &expr->location,
@@ -1338,7 +1339,7 @@ static int netlink_add_setelems_batch(struct netlink_ctx *ctx,
 
 static int netlink_add_setelems_compat(struct netlink_ctx *ctx,
 				       const struct handle *h,
-				       const struct expr *expr)
+				       const struct expr *expr, bool excl)
 {
 	struct nftnl_set *nls;
 	int err;
@@ -1347,7 +1348,7 @@ static int netlink_add_setelems_compat(struct netlink_ctx *ctx,
 	alloc_setelem_cache(expr, nls);
 	netlink_dump_set(nls);
 
-	err = mnl_nft_setelem_add(nf_sock, nls, 0);
+	err = mnl_nft_setelem_add(nf_sock, nls, excl ? NLM_F_EXCL : 0);
 	nftnl_set_free(nls);
 	if (err < 0)
 		netlink_io_error(ctx, &expr->location,
@@ -1357,12 +1358,12 @@ static int netlink_add_setelems_compat(struct netlink_ctx *ctx,
 }
 
 int netlink_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
-			 const struct expr *expr)
+			 const struct expr *expr, bool excl)
 {
 	if (ctx->batch_supported)
-		return netlink_add_setelems_batch(ctx, h, expr);
+		return netlink_add_setelems_batch(ctx, h, expr, excl);
 	else
-		return netlink_add_setelems_compat(ctx, h, expr);
+		return netlink_add_setelems_compat(ctx, h, expr, excl);
 }
 
 static int netlink_del_setelems_batch(struct netlink_ctx *ctx,
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 5d5ce8c..8c0f625 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -788,6 +788,10 @@ create_cmd		:	TABLE		table_spec
 				handle_merge(&$3->handle, &$2);
 				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SET, &$2, &@$, $5);
 			}
+			|	ELEMENT		set_spec	set_expr
+			{
+				$$ = cmd_alloc(CMD_CREATE, CMD_OBJ_SETELEM, &$2, &@$, $3);
+			}
 			;
 
 insert_cmd		:	RULE		rule_position	rule
diff --git a/src/rule.c b/src/rule.c
index 54edd8c..8c58bfa 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -881,20 +881,20 @@ static int do_add_chain(struct netlink_ctx *ctx, const struct handle *h,
 }
 
 static int __do_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
-			     struct set *set, struct expr *expr)
+			     struct set *set, struct expr *expr, bool excl)
 {
 	if (set->flags & SET_F_INTERVAL &&
 	    set_to_intervals(ctx->msgs, set, expr, true) < 0)
 		return -1;
 
-	if (netlink_add_setelems(ctx, h, expr) < 0)
+	if (netlink_add_setelems(ctx, h, expr, excl) < 0)
 		return -1;
 
 	return 0;
 }
 
 static int do_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
-			   struct expr *init)
+			   struct expr *init, bool excl)
 {
 	struct table *table;
 	struct set *set;
@@ -902,7 +902,7 @@ static int do_add_setelems(struct netlink_ctx *ctx, const struct handle *h,
 	table = table_lookup(h);
 	set = set_lookup(table, h->set);
 
-	return __do_add_setelems(ctx, h, set, init);
+	return __do_add_setelems(ctx, h, set, init, excl);
 }
 
 static int do_add_set(struct netlink_ctx *ctx, const struct handle *h,
@@ -911,7 +911,8 @@ static int do_add_set(struct netlink_ctx *ctx, const struct handle *h,
 	if (netlink_add_set(ctx, h, set, excl) < 0)
 		return -1;
 	if (set->init != NULL)
-		return __do_add_setelems(ctx, &set->handle, set, set->init);
+		return __do_add_setelems(ctx, &set->handle, set, set->init,
+					 false);
 
 	return 0;
 }
@@ -960,7 +961,7 @@ static int do_command_add(struct netlink_ctx *ctx, struct cmd *cmd, bool excl)
 	case CMD_OBJ_SET:
 		return do_add_set(ctx, &cmd->handle, cmd->set, excl);
 	case CMD_OBJ_SETELEM:
-		return do_add_setelems(ctx, &cmd->handle, cmd->expr);
+		return do_add_setelems(ctx, &cmd->handle, cmd->expr, excl);
 	default:
 		BUG("invalid command object type %u\n", cmd->obj);
 	}
-- 
2.1.4

[PATCH nft 4/4] tests: shell: cover add and create set command

[Pablo Neira Ayuso]

This patch validates that creation of an already existing element
bails out with EEXIST.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/shell/testcases/sets/0007create_element_0 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100755 tests/shell/testcases/sets/0007create_element_0

diff --git a/tests/shell/testcases/sets/0007create_element_0 b/tests/shell/testcases/sets/0007create_element_0
new file mode 100755
index 0000000..47b3559
--- /dev/null
+++ b/tests/shell/testcases/sets/0007create_element_0
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# This testcase checks for add and create element commands.
+
+set -e
+$NFT add table t
+$NFT add set t s { type ipv4_addr \; }
+$NFT add element t s { 1.1.1.1 }
+if $NFT create element t s { 1.1.1.1 } 2>/dev/null ; then
+	echo "E: accepted element creation that already exists" >&2
+	exit 1
+fi
+$NFT add element t s { 1.1.1.1 }
+
+exit 0
-- 
2.1.4