From: Patrick McHardy <kaber@trash.net>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH RFC] nftables: fix suppression of "permission denied" errors
Date: Wed, 8 Jan 2014 20:58:13 +0000
Message-ID: <20140108205813.GA5186@macbook.localnet>
commit 8ca6730e9c8fd59d8a03ae505777a8a6b97898b1
Author: Patrick McHardy <kaber@trash.net>
Date: Wed Jan 8 20:57:11 2014 +0000
nftables: fix suppression of "permission denied" errors
Introduction of batch support broke displaying of EPERM since those are
generated by the kernel before batch processing starts and thus have the
sequence number of the NFNL_MSG_BATCH_BEGIN message instead of the
command messages. Also only a single error message is generated for the
entire batch.
This patch fixes this by noting the batch sequence number and displaying
the error for all commands since this is what would happen if the
permission check was inside batch processing as every other check.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/mnl.h b/include/mnl.h
index fe2fb40..a630605 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -18,7 +18,7 @@ void mnl_err_list_free(struct mnl_err *err);
void mnl_batch_init(void);
bool mnl_batch_ready(void);
void mnl_batch_reset(void);
-void mnl_batch_begin(void);
+uint32_t mnl_batch_begin(void);
void mnl_batch_end(void);
int mnl_batch_talk(struct mnl_socket *nl, struct list_head *err_list);
int mnl_nft_rule_batch_add(struct nft_rule *nlr, unsigned int flags,
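Review bot: the new `uint32_t` return value of `mnl_batch_begin()` is undocumented in the header; add a comment stating that it is the sequence number assigned to the NFNL_MSG_BATCH_BEGIN message, which callers need in order to match kernel errors generated before batch processing starts. Also confirm that include/mnl.h (or a header it includes) provides `uint32_t` via <stdint.h>, since the prototype now depends on it for every includer.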
diff --git a/src/main.c b/src/main.c
index 859ddaa..33a02e1 100644
--- a/src/main.c
+++ b/src/main.c
@@ -160,9 +160,10 @@ static int nft_netlink(struct parser_state *state, struct list_head *msgs)
struct cmd *cmd, *next;
struct mnl_err *err, *tmp;
LIST_HEAD(err_list);
+ uint32_t batch_seqnum;
int ret = 0;
- mnl_batch_begin();
+ batch_seqnum = mnl_batch_begin();
list_for_each_entry(cmd, &state->cmds, list) {
memset(&ctx, 0, sizeof(ctx));
ctx.msgs = msgs;
@@ -183,12 +184,15 @@ static int nft_netlink(struct parser_state *state, struct list_head *msgs)
list_for_each_entry_safe(err, tmp, &err_list, head) {
list_for_each_entry(cmd, &state->cmds, list) {
- if (err->seqnum == cmd->seqnum) {
+ if (err->seqnum == cmd->seqnum ||
+ err->seqnum == batch_seqnum) {
netlink_io_error(&ctx, &cmd->location,
"Could not process rule in batch: %s",
strerror(err->err));
- mnl_err_list_free(err);
- break;
+ if (err->seqnum == cmd->seqnum) {
+ mnl_err_list_free(err);
+ break;
+ }
}
}
}
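Review bot: an error whose seqnum equals `batch_seqnum` is reported against every command but is never removed from `err_list`, because `mnl_err_list_free(err)` is only reached on the `err->seqnum == cmd->seqnum` branch; unless the caller frees what remains on the list, that entry leaks. Free it after the inner `list_for_each_entry` loop once it has been reported for all commands. Consider also wording the batch-level case differently, since "Could not process rule in batch: Operation not permitted" repeated once per command gives no hint that a single EPERM on the batch is the cause. This hunk does not show `ret` being updated on the batch-level path, so verify that `nft_netlink()` still reports failure to its caller in that case.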
diff --git a/src/mnl.c b/src/mnl.c
index a711b5e..a4a4c4a 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -106,7 +106,7 @@ static void mnl_batch_page_add(void)
batch = mnl_batch_alloc();
}
-static void mnl_batch_put(int type)
+static uint32_t mnl_batch_put(int type)
{
struct nlmsghdr *nlh;
struct nfgenmsg *nfg;
@@ -123,11 +123,13 @@ static void mnl_batch_put(int type)
if (!mnl_nlmsg_batch_next(batch))
mnl_batch_page_add();
+
+ return nlh->nlmsg_seq;
}
-void mnl_batch_begin(void)
+uint32_t mnl_batch_begin(void)
{
- mnl_batch_put(NFNL_MSG_BATCH_BEGIN);
+ return mnl_batch_put(NFNL_MSG_BATCH_BEGIN);
}
void mnl_batch_end(void)
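Review bot: `return nlh->nlmsg_seq` is evaluated after `mnl_batch_page_add()` may have replaced `batch` with a freshly allocated page, so it is only safe if the old page that `nlh` points into stays allocated. The context at line 106 shows `batch = mnl_batch_alloc()` with no free, which suggests it does, but capturing `nlh->nlmsg_seq` into a local before the `mnl_nlmsg_batch_next()` check would remove the lifetime question altogether. `mnl_batch_end()` still discards the value from `mnl_batch_put()`, which matches the commit message's intent of only tracking the begin sequence number.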