* [PATCH nft] rule: check for EINTR error from cache_init_objects() for stateful objects
@ 2017-01-23 13:36 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2017-01-23 13:36 UTC
To: netfilter-devel
Catch -1 case, so we have a chance to handle EINTR.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/rule.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/rule.c b/src/rule.c
index f2ffd4b27e8a..b5181a90f795 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -96,10 +96,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, enum cmd_ops cmd)
list_splice_tail_init(&ctx->list, &table->chains);
if (cmd != CMD_RESET) {
- /* Don't check for errors on listings, this would break
- * nft with old kernels with no stateful object support.
- */
- netlink_list_objs(ctx, &table->handle, &internal_location);
+ ret = netlink_list_objs(ctx, &table->handle, &internal_location);
+ if (ret < 0)
+ return -1;
list_splice_tail_init(&ctx->list, &table->objs);
}
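Review bot: the removed comment in the `cmd != CMD_RESET` branch said the return value of netlink_list_objs() was ignored on purpose, so that nft keeps working on old kernels with no stateful object support, and the new `if (ret < 0) return -1;` now aborts cache_init_objects() on any failure of that call, not only on the EINTR case the commit message names. Please state in the commit message or in a replacement comment why the old-kernel case no longer needs the exemption, or limit the early return to the error that is meant to be retried and keep tolerating the others.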
--
2.1.4
* [PATCH nft] rule: check for EINTR error from cache_init_objects() for stateful objects
@ 2017-01-24 18:36 Pablo Neira Ayuso
2017-01-24 18:36 ` [PATCH nft] tests: shell: validate set size Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2017-01-24 18:36 UTC
To: netfilter-devel
Catch -1 case, so we have a chance to handle EINTR.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/rule.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/rule.c b/src/rule.c
index f2ffd4b27e8a..b5181a90f795 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -96,10 +96,9 @@ static int cache_init_objects(struct netlink_ctx *ctx, enum cmd_ops cmd)
list_splice_tail_init(&ctx->list, &table->chains);
if (cmd != CMD_RESET) {
- /* Don't check for errors on listings, this would break
- * nft with old kernels with no stateful object support.
- */
- netlink_list_objs(ctx, &table->handle, &internal_location);
+ ret = netlink_list_objs(ctx, &table->handle, &internal_location);
+ if (ret < 0)
+ return -1;
list_splice_tail_init(&ctx->list, &table->objs);
}
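Review bot: the added `return -1` after netlink_list_objs() leaves the function with the chains already spliced into table->chains by the first context line, and with whatever the failed listing left on ctx->list never spliced or released in the lines shown. If the caller retries on EINTR, it is worth confirming that it drops this partially filled cache first, or doing the cleanup here before returning. A smaller point: the subject says the EINTR error comes from cache_init_objects(), while the call being checked is netlink_list_objs() inside that function, so "check for errors from netlink_list_objs() in cache_init_objects()" would describe the change more exactly.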
--
2.1.4
* [PATCH nft] tests: shell: validate set size
2017-01-24 18:36 [PATCH nft] rule: check for EINTR error from cache_init_objects() for stateful objects Pablo Neira Ayuso
@ 2017-01-24 18:36 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2017-01-24 18:36 UTC
To: netfilter-devel
Add two tests to make sure that set size checks work fine:
1) Check if set size is indeed working, this is a simple one.
2) Check if set size is correct after ENFILE error, there is a bug that
adds a new spare slot every time we hit this.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tests/shell/testcases/sets/0018set_check_size_1 | 8 ++++++++
tests/shell/testcases/sets/0019set_check_size_0 | 20 ++++++++++++++++++++
2 files changed, 28 insertions(+)
create mode 100755 tests/shell/testcases/sets/0018set_check_size_1
create mode 100755 tests/shell/testcases/sets/0019set_check_size_0
diff --git a/tests/shell/testcases/sets/0018set_check_size_1 b/tests/shell/testcases/sets/0018set_check_size_1
new file mode 100755
index 000000000000..833b8e2bd877
--- /dev/null
+++ b/tests/shell/testcases/sets/0018set_check_size_1
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+$NFT add element x s {1.1.1.3}
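Review bot: with `set -e` at the top, a failure of any setup command (`add table x`, `add set x s ...`, or either of the first two `add element` lines) ends the script with the same non-zero status as the intended failure on `{1.1.1.3}`, so the test cannot tell a full set from a broken setup. Suggest checking the first four commands explicitly and exiting with a distinct status and an "E:" message when they fail, leaving only the last `add element` as the command whose failure is the expected result.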
diff --git a/tests/shell/testcases/sets/0019set_check_size_0 b/tests/shell/testcases/sets/0019set_check_size_0
new file mode 100755
index 000000000000..c20970838bf9
--- /dev/null
+++ b/tests/shell/testcases/sets/0019set_check_size_0
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+$NFT add table x
+$NFT add set x s {type ipv4_addr\; size 2\;}
+$NFT add element x s {1.1.1.1}
+$NFT add element x s {1.1.1.2}
+
+$NFT add element x s { 1.1.1.3 } 2>/dev/null
+if [ $? -eq 0 ]; then
+ echo "E: set is full, but element was added" >&2
+ exit 1
+fi
+#
+# Try again, this helps us catch incorrect set->nelems decrement from abort path
+#
+$NFT add element x s { 1.1.1.3 } 2>/dev/null
+if [ $? -eq 0 ]; then
+ echo "E: set is full, but element was added" >&2
+ exit 1
+fi
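Review bot: the four setup commands at the top of this script run without `set -e` or any status check, so if `add table x` or `add set x s ...` fails, both later `add element x s { 1.1.1.3 }` calls fail as well and the script ends successfully without having exercised the size limit. Suggest failing the test when setup does not succeed. Since stderr goes to /dev/null and only `$?` is tested, the two checks also accept any error, not the set-full condition the commit message describes; listing the set at the end and comparing it with the two expected elements would make the nelems check after the abort path explicit.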
--
2.1.4