[PATCH nft] mnl: check for NLM_F_DUMP_INTR when dumping object lists

[PATCH nft] mnl: check for NLM_F_DUMP_INTR when dumping object lists

[Pablo Neira Ayuso]

This flag allows to detect that an update has ocurred while dumping
any of the object lists.

<cmdline>:1:1-17: Error: Could not receive rules from kernel: Interrupted system call
list table filter
^^^^^^^^^^^^^^^^^

Basically, the user has to retry to make sure that it saves the current
rule-set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/mnl.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/mnl.c b/src/mnl.c
index a816106..d3c91b4 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -363,6 +363,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
 	struct nft_rule_list *nlr_list = data;
 	struct nft_rule *r;
 
+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
+		return MNL_CB_ERROR;
+
 	r = nft_rule_alloc();
 	if (r == NULL)
 		memory_allocation_error();
@@ -474,6 +477,9 @@ static int chain_cb(const struct nlmsghdr *nlh, void *data)
 	struct nft_chain_list *nlc_list = data;
 	struct nft_chain *c;
 
+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
+		return MNL_CB_ERROR;
+
 	c = nft_chain_alloc();
 	if (c == NULL)
 		memory_allocation_error();
@@ -603,6 +609,9 @@ static int table_cb(const struct nlmsghdr *nlh, void *data)
 	struct nft_table_list *nlt_list = data;
 	struct nft_table *t;
 
+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
+		return MNL_CB_ERROR;
+
 	t = nft_table_alloc();
 	if (t == NULL)
 		memory_allocation_error();
@@ -736,6 +745,9 @@ static int set_cb(const struct nlmsghdr *nlh, void *data)
 	struct nft_set_list *nls_list = data;
 	struct nft_set *s;
 
+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
+		return MNL_CB_ERROR;
+
 	s = nft_set_alloc();
 	if (s == NULL)
 		memory_allocation_error();
@@ -839,6 +851,9 @@ int mnl_nft_setelem_delete(struct mnl_socket *nf_sock, struct nft_set *nls,
 
 static int set_elem_cb(const struct nlmsghdr *nlh, void *data)
 {
+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
+		return MNL_CB_ERROR;
+
 	nft_set_elems_nlmsg_parse(nlh, data);
 	return MNL_CB_OK;
 }
-- 
1.7.10.4

Re: [PATCH nft] mnl: check for NLM_F_DUMP_INTR when dumping object lists

[Patrick McHardy]

On 4. Juli 2014 12:32:22 MESZ, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>This flag allows to detect that an update has ocurred while dumping
>any of the object lists.
>
><cmdline>:1:1-17: Error: Could not receive rules from kernel:
>Interrupted system call
>list table filter
>^^^^^^^^^^^^^^^^^
>
>Basically, the user has to retry to make sure that it saves the current
>rule-set.

Shouldn't we automatically handle this? Transient failure is really bad for many reasons.

>
>Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>---
> src/mnl.c |   15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
>diff --git a/src/mnl.c b/src/mnl.c
>index a816106..d3c91b4 100644
>--- a/src/mnl.c
>+++ b/src/mnl.c
>@@ -363,6 +363,9 @@ static int rule_cb(const struct nlmsghdr *nlh, void
>*data)
> 	struct nft_rule_list *nlr_list = data;
> 	struct nft_rule *r;
> 
>+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
>+		return MNL_CB_ERROR;
>+
> 	r = nft_rule_alloc();
> 	if (r == NULL)
> 		memory_allocation_error();
>@@ -474,6 +477,9 @@ static int chain_cb(const struct nlmsghdr *nlh,
>void *data)
> 	struct nft_chain_list *nlc_list = data;
> 	struct nft_chain *c;
> 
>+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
>+		return MNL_CB_ERROR;
>+
> 	c = nft_chain_alloc();
> 	if (c == NULL)
> 		memory_allocation_error();
>@@ -603,6 +609,9 @@ static int table_cb(const struct nlmsghdr *nlh,
>void *data)
> 	struct nft_table_list *nlt_list = data;
> 	struct nft_table *t;
> 
>+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
>+		return MNL_CB_ERROR;
>+
> 	t = nft_table_alloc();
> 	if (t == NULL)
> 		memory_allocation_error();
>@@ -736,6 +745,9 @@ static int set_cb(const struct nlmsghdr *nlh, void
>*data)
> 	struct nft_set_list *nls_list = data;
> 	struct nft_set *s;
> 
>+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
>+		return MNL_CB_ERROR;
>+
> 	s = nft_set_alloc();
> 	if (s == NULL)
> 		memory_allocation_error();
>@@ -839,6 +851,9 @@ int mnl_nft_setelem_delete(struct mnl_socket
>*nf_sock, struct nft_set *nls,
> 
> static int set_elem_cb(const struct nlmsghdr *nlh, void *data)
> {
>+	if (nlh->nlmsg_flags & NLM_F_DUMP_INTR)
>+		return MNL_CB_ERROR;
>+
> 	nft_set_elems_nlmsg_parse(nlh, data);
> 	return MNL_CB_OK;
> }


-- 
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.

Re: [PATCH nft] mnl: check for NLM_F_DUMP_INTR when dumping object lists

[Pablo Neira Ayuso]

On Sat, Jul 05, 2014 at 07:18:51PM +0200, Patrick McHardy wrote:
> On 4. Juli 2014 12:32:22 MESZ, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >This flag allows to detect that an update has ocurred while dumping
> >any of the object lists.
> >
> ><cmdline>:1:1-17: Error: Could not receive rules from kernel:
> >Interrupted system call
> >list table filter
> >^^^^^^^^^^^^^^^^^
> >
> >Basically, the user has to retry to make sure that it saves the current
> >rule-set.
> 
> Shouldn't we automatically handle this? Transient failure is really
> bad for many reasons.

OK, I'm going to extend this so it indefinitely retries until it
fetches the entire rule-set. Thanks Patrick.