From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Jan Palus <atler@pld-linux.org>
Subject: [iptables PATCH] nft: move processing logic out of asserts
Date: Thu,  3 Aug 2023 16:47:53 +0200	[thread overview]
Message-ID: <20230803144753.27070-1-phil@nwl.cc> (raw)

From: Jan Palus <atler@pld-linux.org>

[Phil: Introduce assert_nft_restart() to keep things clean, also add
       fallback returns to nft_action() and nft_prepare(), sanitizing
       things at least a bit.]

Signed-off-by: Jan Palus <atler@pld-linux.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-cache.c | 16 ++++++++++++----
 iptables/nft.c       |  7 +++++--
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index fabb577903f28..91d296709b9de 100644
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -26,6 +26,14 @@
 #include "nft-cache.h"
 #include "nft-chain.h"
 
+/* users may define NDEBUG */
+static void assert_nft_restart(struct nft_handle *h)
+{
+	int rc = nft_restart(h);
+
+	assert(rc >= 0);
+}
+
 static void cache_chain_list_insert(struct list_head *list, const char *name)
 {
 	struct cache_chain *pos = NULL, *new;
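Review bot: With NDEBUG defined, `assert(rc >= 0)` in assert_nft_restart() expands to nothing, so nft_restart() now runs but a failure is silently dropped and `rc` is left set but unused. The same applies to `ret` in mnl_nft_batch_continue() in nft.c. For a tool that builds firewall rulesets, carrying on after a failed restart or batch update is riskier than stopping, so consider a check that survives NDEBUG, e.g. `if (rc < 0) abort();`, or return rc so the cache-fetch callers can fail. The comment could also state the reason for the helper: `/* call nft_restart() outside assert() so it still runs when NDEBUG is defined */`.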
@@ -147,7 +155,7 @@ static int fetch_table_cache(struct nft_handle *h)
 
 	ret = mnl_talk(h, nlh, nftnl_table_list_cb, h);
 	if (ret < 0 && errno == EINTR)
-		assert(nft_restart(h) >= 0);
+		assert_nft_restart(h);
 
 	for (i = 0; i < NFT_TABLE_MAX; i++) {
 		enum nft_table_type type = h->tables[i].type;
@@ -472,7 +480,7 @@ static int fetch_set_cache(struct nft_handle *h,
 
 	ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
 	if (ret < 0 && errno == EINTR) {
-		assert(nft_restart(h) >= 0);
+		assert_nft_restart(h);
 		return ret;
 	}
 
@@ -512,7 +520,7 @@ static int __fetch_chain_cache(struct nft_handle *h,
 
 	ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
 	if (ret < 0 && errno == EINTR)
-		assert(nft_restart(h) >= 0);
+		assert_nft_restart(h);
 
 	return ret;
 }
@@ -606,7 +614,7 @@ static int nft_rule_list_update(struct nft_chain *nc, void *data)
 
 	ret = mnl_talk(h, nlh, nftnl_rule_list_cb, &rld);
 	if (ret < 0 && errno == EINTR)
-		assert(nft_restart(h) >= 0);
+		assert_nft_restart(h);
 
 	nftnl_rule_free(rule);
 
diff --git a/iptables/nft.c b/iptables/nft.c
index b702c65ae49aa..326dc20b21d65 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -109,7 +109,9 @@ static struct nftnl_batch *mnl_batch_init(void)
 
 static void mnl_nft_batch_continue(struct nftnl_batch *batch)
 {
-	assert(nftnl_batch_update(batch) >= 0);
+	int ret = nftnl_batch_update(batch);
+
+	assert(ret >= 0);
 }
 
 static uint32_t mnl_batch_begin(struct nftnl_batch *batch, uint32_t genid, uint32_t seqnum)
@@ -3227,6 +3229,7 @@ static int nft_action(struct nft_handle *h, int action)
 		case NFT_COMPAT_RULE_ZERO:
 		case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
 			assert(0);
+			return 0;
 		}
 
 		mnl_nft_batch_continue(h->batch);
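Review bot: The added `return 0;` after `assert(0)` exits nft_action() from inside the command loop without any diagnostic, so an NDEBUG build that hits one of these unexpected command types stops without saying why. Whether 0 means failure to the caller is not visible in this hunk; a comment such as `/* not reached unless NDEBUG is defined: report failure */` would make the intent explicit, and the same comment fits the fallback return in nft_prepare(). The early exit also skips `mnl_nft_batch_continue(h->batch)` and whatever batch teardown follows the loop outside the hunk, so it is worth confirming the batch is not left allocated on this path.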
@@ -3504,7 +3507,7 @@ static int nft_prepare(struct nft_handle *h)
 		case NFT_COMPAT_TABLE_ADD:
 		case NFT_COMPAT_CHAIN_ADD:
 			assert(0);
-			break;
+			return 0;
 		}
 
 		nft_cmd_free(cmd);
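Review bot: Replacing `break` with `return 0` means the NDEBUG path no longer reaches `nft_cmd_free(cmd)` right after the switch, which the old `break` did. The rest of nft_prepare() is outside the hunk, so whether the command is freed elsewhere on the failure path cannot be confirmed from here. If the function tracks its result in a local (presumably `ret`) that is checked after the free, `ret = 0; break;` would report the failure and keep the cleanup.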
-- 
2.40.0

