From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [nft PATCH 2/3] src/evaluate.c: improve rule management checks
Date: Wed, 23 Mar 2016 17:08:34 +0100 [thread overview]
Message-ID: <20160323160834.GA6981@salvia> (raw)
In-Reply-To: <145873749855.10004.10666252455830923605.stgit@nfdev2.cica.es>
[-- Attachment #1: Type: text/plain, Size: 956 bytes --]
On Wed, Mar 23, 2016 at 01:51:38PM +0100, Arturo Borrero Gonzalez wrote:
> Improve checks (and error reporting) for basic rule management operations.
>
> This includes a fix for netfilter bug #965.
Thanks for working on this.
With a bit more work we can achieve better error reporting:
# nft insert rule x y handle 10 position 10 ip saddr 1.1.1.1
<cmdline>:1:17-25: Error: Wrong combination, use `position' instead
insert rule x y handle 10 position 10 ip saddr 1.1.1.1
^^^^^^^^^ ~~~~~~~~~~~
# nft insert rule x y handle 10 ip saddr 1.1.1.1
<cmdline>:1:17-25: Error: Cannot use this, use `position' instead
insert rule x y handle 10 ip saddr 1.1.1.1
^^^^^^^^^
You will need to rework this patch applying this patch in first place:
http://patchwork.ozlabs.org/patch/601270/
I'm also attaching a quick patch for the two examples, but remaining
spots are left unchanges. Please feel free to follow up on this.
Thanks.
[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 2935 bytes --]
diff --git a/src/evaluate.c b/src/evaluate.c
index 473f014..db89a0f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -65,6 +65,12 @@ static int __fmtstring(4, 5) __stmt_binary_error(struct eval_ctx *ctx,
__stmt_binary_error(ctx, &(s1)->location, NULL, fmt, ## args)
#define cmd_error(ctx, fmt, args...) \
__stmt_binary_error(ctx, &(ctx->cmd)->location, NULL, fmt, ## args)
+#define handle_error(ctx, fmt, args...) \
+ __stmt_binary_error(ctx, &ctx->cmd->handle.handle.location, NULL, fmt, ## args)
+#define position_error(ctx, fmt, args...) \
+ __stmt_binary_error(ctx, &ctx->cmd->handle.position.location, NULL, fmt, ## args)
+#define handle_position_error(ctx, fmt, args...) \
+ __stmt_binary_error(ctx, &ctx->cmd->handle.handle.location, &ctx->cmd->handle.position.location, fmt, ## args)
static int __fmtstring(3, 4) set_error(struct eval_ctx *ctx,
const struct set *set,
@@ -2160,11 +2166,61 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set)
return 0;
}
+static int rule_evaluate_cmd(struct eval_ctx *ctx)
+{
+ struct handle *handle = &ctx->cmd->handle;
+
+ /* allowed:
+ * - insert [position] (no handle)
+ * - add [position] (no handle)
+ * - replace <handle> (no position)
+ * - delete <handle> (no position)
+ */
+
+ switch (ctx->cmd->op) {
+ case CMD_INSERT:
+ if (handle->handle.id && handle->position.id)
+ return handle_position_error(ctx, "Wrong combination, use `position' instead");
+
+ if (handle->handle.id != 0)
+ return handle_error(ctx, "Cannot use this, use `position' instead");
+ break;
+ case CMD_ADD:
+ if (handle->handle.id != 0)
+ return cmd_error(ctx, "Could not add rule: handle not "
+ "allowed.");
+ break;
+ case CMD_REPLACE:
+ if (handle->position.id != 0)
+ return cmd_error(ctx, "Could not replace rule: "
+ "position not allowed.");
+ if (handle->handle.id == 0)
+ return cmd_error(ctx, "Could not replace rule: missing"
+ " handle.");
+ break;
+ case CMD_DELETE:
+ if (handle->position.id != 0)
+ return cmd_error(ctx, "Could not delete rule: position"
+ " not allowed.");
+ if (handle->handle.id == 0)
+ return cmd_error(ctx, "Could not delete rule: missing "
+ "handle.");
+ break;
+ default:
+ BUG("unkown command type %u\n", ctx->cmd->op);
+ }
+
+ return 0;
+}
+
static int rule_evaluate(struct eval_ctx *ctx, struct rule *rule)
{
struct stmt *stmt, *tstmt = NULL;
struct error_record *erec;
+ if (rule_evaluate_cmd(ctx) < 0)
+ return -1;
+
proto_ctx_init(&ctx->pctx, rule->handle.family);
memset(&ctx->ectx, 0, sizeof(ctx->ectx));
@@ -2345,8 +2401,11 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
return ret;
return setelem_evaluate(ctx, &cmd->expr);
- case CMD_OBJ_SET:
case CMD_OBJ_RULE:
+ if (rule_evaluate_cmd(ctx) < 0)
+ return -1;
+ /* fall through */
+ case CMD_OBJ_SET:
case CMD_OBJ_CHAIN:
case CMD_OBJ_TABLE:
return 0;
next prev parent reply other threads:[~2016-03-23 16:08 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-23 12:51 [nft PATCH 1/3] src/rule.c: don't print trailing statement whitespace Arturo Borrero Gonzalez
2016-03-23 12:51 ` [nft PATCH 2/3] src/evaluate.c: improve rule management checks Arturo Borrero Gonzalez
2016-03-23 16:08 ` Pablo Neira Ayuso [this message]
2016-03-28 11:32 ` Arturo Borrero Gonzalez
2016-04-07 16:39 ` Pablo Neira Ayuso
2016-03-23 12:51 ` [nft PATCH 3/3] tests/shell: add testcases for Netfilter bug #965 Arturo Borrero Gonzalez
2016-04-12 23:29 ` Pablo Neira Ayuso
2016-03-29 11:17 ` [nft PATCH 1/3] src/rule.c: don't print trailing statement whitespace Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160323160834.GA6981@salvia \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).