[PATCH nft 0/2] nft include path updates

[PATCH nft 0/2] nft include path updates

[Pablo Neira Ayuso]

Hi,

This patchset updates include path logic of nftables:

Patch #1 adds -f/--filename base directory as implicit include path,
         so users do not need to add a redundant -I/--includepath
         such as:

  # nft -I /path/to/files -f /path/to/files/ruleset.nft

Patch #2 searches for default include path last so users have a way
         to override the default include path either via -I/--includepath
         or the implicit include path added by Patch #1

  For instance, assuming you have:

  # cat /path/to/files/ruleset.nft
    include "file1.nft"
    include "file2.nft"
  # ls /path/to/files/
    file1.nft file2.nft

  then, make a copy of the ruleset:

  # mkdir update
  # cp -r /path/to/files/* update
  # vim update/file1.nft
  ...
      file edit goes here
  ...
  # nft -f copy/ruleset.nft

Comments welcome, thanks.

Pablo Neira Ayuso (2):
  libnftables: add base directory of -f/--filename to include path
  libnftables: search for default include path last

 doc/nft.txt       |  2 ++
 src/libnftables.c | 19 +++++++++++++-
 src/scanner.l     | 63 ++++++++++++++++++++++++++++++-----------------
 3 files changed, 61 insertions(+), 23 deletions(-)

--
2.30.2

[PATCH nft 1/2] libnftables: add base directory of -f/--filename to include path

[Pablo Neira Ayuso]

This patch adds an include path relative to the current (the including)
file's directory.

Users of -f/--filename have to explicitly specify -I with a redundant
path to find included files in the main file, eg.

 # nft -I /path/to/files -f /path/to/files/ruleset.nft

Assuming:

 # cat /path/to/files/ruleset.nft
 include "file1.nft"
 include "file2.nft"
 include "file3.nft"

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1661
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 doc/nft.txt       |  2 ++
 src/libnftables.c | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/doc/nft.txt b/doc/nft.txt
index e4eb982e75af..3f4593a29831 100644
--- a/doc/nft.txt
+++ b/doc/nft.txt
@@ -43,6 +43,8 @@ understanding of their meaning. You can get information about options by running
 *-f*::
 *--file 'filename'*::
 	Read input from 'filename'. If 'filename' is -, read from stdin.
+	The directory path to this file is inserted at the beginning the list of
+	directories to be searched for included files (see *-I/--includepath*).
 
 *-D*::
 *--define 'name=value'*::
diff --git a/src/libnftables.c b/src/libnftables.c
index 0dee1bacb0db..40e37bdf8c06 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -17,6 +17,7 @@
 #include <cmd.h>
 #include <errno.h>
 #include <sys/stat.h>
+#include <libgen.h>
 
 static int nft_netlink(struct nft_ctx *nft,
 		       struct list_head *cmds, struct list_head *msgs)
@@ -786,6 +787,19 @@ static int nft_run_optimized_file(struct nft_ctx *nft, const char *filename)
 	return __nft_run_cmd_from_filename(nft, filename);
 }
 
+static int nft_ctx_add_basedir_include_path(struct nft_ctx *nft,
+					    const char *filename)
+{
+	const char *basedir = dirname(xstrdup(filename));
+	int ret;
+
+	ret = nft_ctx_add_include_path(nft, basedir);
+
+	free_const(basedir);
+
+	return ret;
+}
+
 EXPORT_SYMBOL(nft_run_cmd_from_filename);
 int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
 {
@@ -798,6 +812,10 @@ int nft_run_cmd_from_filename(struct nft_ctx *nft, const char *filename)
 	    !nft_output_json(&nft->output))
 		nft->stdin_buf = stdin_to_buffer();
 
+	if (!nft->stdin_buf &&
+	    nft_ctx_add_basedir_include_path(nft, filename) < 0)
+		return -1;
+
 	if (nft->optimize_flags) {
 		ret = nft_run_optimized_file(nft, filename);
 		free_const(nft->stdin_buf);
-- 
2.30.2

[PATCH nft 2/2] libnftables: search for default include path last

[Pablo Neira Ayuso]

The default include path is searched for files before include paths
specified via -I/--include.

Search for default include path after user-specified include paths to
allow users for test nftables configurations spanning multiple files
without overwriting the globally installed ones.

See:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220627222304.93139-1-dxld@darkboxed.org/

Reported-by: Daniel Gröber <dxld@darkboxed.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/libnftables.c |  1 -
 src/scanner.l     | 63 ++++++++++++++++++++++++++++++-----------------
 2 files changed, 41 insertions(+), 23 deletions(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index 40e37bdf8c06..af4734c05004 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -202,7 +202,6 @@ struct nft_ctx *nft_ctx_new(uint32_t flags)
 	nft_init(ctx);
 
 	ctx->state = xzalloc(sizeof(struct parser_state));
-	nft_ctx_add_include_path(ctx, DEFAULT_INCLUDE_PATH);
 	ctx->parser_max_errors	= 10;
 	cache_init(&ctx->cache.table_cache);
 	ctx->top_scope = scope_alloc();
diff --git a/src/scanner.l b/src/scanner.l
index 96c505bcdd48..c825fa79cfd9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -1175,39 +1175,58 @@ static bool search_in_include_path(const char *filename)
 		filename[0] != '/');
 }
 
+static int include_path_glob(struct nft_ctx *nft, void *scanner,
+			     const char *include_path, const char *filename,
+			     const struct location *loc)
+{
+	struct parser_state *state = yyget_extra(scanner);
+	struct error_record *erec;
+	char buf[PATH_MAX];
+	int ret;
+
+	ret = snprintf(buf, sizeof(buf), "%s/%s", include_path, filename);
+	if (ret < 0 || ret >= PATH_MAX) {
+		erec = error(loc, "Too long file path \"%s/%s\"\n",
+			     include_path, filename);
+		erec_queue(erec, state->msgs);
+		return -1;
+	}
+
+	ret = include_glob(nft, scanner, buf, loc);
+
+	/* error was already handled */
+	if (ret == -1)
+		return -1;
+	/* no wildcards and file was processed: break early. */
+	if (ret == 0)
+		return 0;
+
+	/* else 1 (no wildcards) or 2 (wildcards): keep
+	 * searching.
+	 */
+	return ret;
+}
+
 int scanner_include_file(struct nft_ctx *nft, void *scanner,
 			 const char *filename, const struct location *loc)
 {
 	struct parser_state *state = yyget_extra(scanner);
 	struct error_record *erec;
-	char buf[PATH_MAX];
 	unsigned int i;
 	int ret = -1;
 
 	if (search_in_include_path(filename)) {
 		for (i = 0; i < nft->num_include_paths; i++) {
-			ret = snprintf(buf, sizeof(buf), "%s/%s",
-				       nft->include_paths[i], filename);
-			if (ret < 0 || ret >= PATH_MAX) {
-				erec = error(loc, "Too long file path \"%s/%s\"\n",
-					     nft->include_paths[i], filename);
-				erec_queue(erec, state->msgs);
-				return -1;
-			}
-
-			ret = include_glob(nft, scanner, buf, loc);
-
-			/* error was already handled */
-			if (ret == -1)
-				return -1;
-			/* no wildcards and file was processed: break early. */
-			if (ret == 0)
-				return 0;
-
-			/* else 1 (no wildcards) or 2 (wildcards): keep
-			 * searching.
-			 */
+			ret = include_path_glob(nft, scanner,
+						nft->include_paths[i],
+						filename, loc);
+			if (ret <= 0)
+				return ret;
 		}
+		ret = include_path_glob(nft, scanner, DEFAULT_INCLUDE_PATH,
+					filename, loc);
+		if (ret <= 0)
+			return ret;
 	} else {
 		/* an absolute path (starts with '/') */
 		ret = include_glob(nft, scanner, filename, loc);
-- 
2.30.2