[iptables-nftables - PATCH 0/2] fixes

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [iptables-nftables - PATCH 0/2] fixes
@ 2013-07-17  7:34 Tomasz Bursztyka
  2013-07-17  7:34 ` [iptables-nftables - PATCH 1/2] nft: Optimize chain listing if only one is looked for Tomasz Bursztyka
  2013-07-17  7:34 ` [iptables-nftables - PATCH 2/2] nft: Fix code style issues Tomasz Bursztyka
  0 siblings, 2 replies; 7+ messages in thread
From: Tomasz Bursztyka @ 2013-07-17  7:34 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Tomasz Bursztyka

Hi,

First patch is in reply of my previous "[iptables-nftables - PATCH 3/9] nft: Refactor and optimize nft_rule_list"
Since there is no need to refactor anything anymore. And same fixe applies on rule save actually.

Second patch, well I am not found of "style" patches, but I am also annoyed by lines being way too long.
Your call Pablo, take that one or scrap it. 

Tomasz Bursztyka (2):
  nft: Optimize chain listing if only one is looked for
  nft: Fix code style issues

 iptables/nft.c | 94 ++++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 62 insertions(+), 32 deletions(-)

-- 
1.8.2.1

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [iptables-nftables - PATCH 1/2] nft: Optimize chain listing if only one is looked for
  2013-07-17  7:34 [iptables-nftables - PATCH 0/2] fixes Tomasz Bursztyka
@ 2013-07-17  7:34 ` Tomasz Bursztyka
  2013-07-17 13:40   ` Pablo Neira Ayuso
  2013-07-17  7:34 ` [iptables-nftables - PATCH 2/2] nft: Fix code style issues Tomasz Bursztyka
  1 sibling, 1 reply; 7+ messages in thread
From: Tomasz Bursztyka @ 2013-07-17  7:34 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Tomasz Bursztyka

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
 iptables/nft.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index f9a88c9..f33faa5 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2495,6 +2495,9 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
 		}
 		__nft_rule_list(h, c, table, rulenum, format, print_firewall);
 
+		if (chain && strcmp(chain, chain_name) == 0)
+			break;
+
 		found = true;
 
 next:
@@ -2593,6 +2596,9 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
 
 		ret = __nft_rule_list(h, c, table, rulenum,
 				      counters ? 0 : FMT_NOCOUNTS, list_save);
+
+		if (chain && strcmp(chain, chain_name) != 0)
+			break;
 next:
 		c = nft_chain_list_iter_next(iter);
 	}
-- 
1.8.2.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [iptables-nftables - PATCH 1/2] nft: Optimize chain listing if only one is looked for
  2013-07-17  7:34 ` [iptables-nftables - PATCH 1/2] nft: Optimize chain listing if only one is looked for Tomasz Bursztyka
@ 2013-07-17 13:40   ` Pablo Neira Ayuso
  2013-07-18 11:10     ` Tomasz Bursztyka
  0 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2013-07-17 13:40 UTC (permalink / raw)
  To: Tomasz Bursztyka; +Cc: netfilter-devel

Hi Tomasz,

On Wed, Jul 17, 2013 at 10:34:14AM +0300, Tomasz Bursztyka wrote:
> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
> ---
>  iptables/nft.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/iptables/nft.c b/iptables/nft.c
> index f9a88c9..f33faa5 100644
> --- a/iptables/nft.c
> +++ b/iptables/nft.c
> @@ -2495,6 +2495,9 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
>  		}
>  		__nft_rule_list(h, c, table, rulenum, format, print_firewall);
>  
> +		if (chain && strcmp(chain, chain_name) == 0)
> +			break;
> +
>  		found = true;
>  
>  next:
> @@ -2593,6 +2596,9 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
>  
>  		ret = __nft_rule_list(h, c, table, rulenum,
>  				      counters ? 0 : FMT_NOCOUNTS, list_save);
> +
> +		if (chain && strcmp(chain, chain_name) != 0)

This should be == 0. There's the same checking above __nft_rule_list.

I noticed that we don't need to strcmp(chain, chain_name) again,
checking for chain is sufficient.

Pushed this patch, is based on yours:

http://git.netfilter.org/iptables-nftables/commit/?id=db6d43c979954b1a0e2a3d2d1fa4494c43d921c1

While at it, I also noticed that selective listing per chain with -S
was also broken, fixed here:

http://git.netfilter.org/iptables-nftables/commit/?id=eaa70f580a3e3b7675d75005ab71c00494a3ee6e

Regards.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [iptables-nftables - PATCH 1/2] nft: Optimize chain listing if only one is looked for
  2013-07-17 13:40   ` Pablo Neira Ayuso
@ 2013-07-18 11:10     ` Tomasz Bursztyka
  0 siblings, 0 replies; 7+ messages in thread
From: Tomasz Bursztyka @ 2013-07-18 11:10 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

>> +		if (chain && strcmp(chain, chain_name) != 0)
> This should be == 0. There's the same checking above __nft_rule_list.
>
> I noticed that we don't need to strcmp(chain, chain_name) again,
> checking for chain is sufficient.

Indeed, was not really awaken. Thanks for fixing further.

Tomasz


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [iptables-nftables - PATCH 2/2] nft: Fix code style issues
  2013-07-17  7:34 [iptables-nftables - PATCH 0/2] fixes Tomasz Bursztyka
  2013-07-17  7:34 ` [iptables-nftables - PATCH 1/2] nft: Optimize chain listing if only one is looked for Tomasz Bursztyka
@ 2013-07-17  7:34 ` Tomasz Bursztyka
  2013-07-17 13:47   ` Pablo Neira Ayuso
  1 sibling, 1 reply; 7+ messages in thread
From: Tomasz Bursztyka @ 2013-07-17  7:34 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Tomasz Bursztyka

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
 iptables/nft.c | 88 +++++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 56 insertions(+), 32 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index f33faa5..1004ec8 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -485,7 +485,8 @@ static void nft_chain_print_debug(struct nft_chain *c, struct nlmsghdr *nlh)
 
 	nft_chain_snprintf(tmp, sizeof(tmp), c, 0, 0);
 	printf("DEBUG: chain: %s", tmp);
-	mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg));
+	mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len,
+						sizeof(struct nfgenmsg));
 #endif
 }
 
@@ -560,7 +561,8 @@ static int __add_match(struct nft_rule_expr *e, struct xt_entry_match *m)
 {
 	void *info;
 
-	nft_rule_expr_set(e, NFT_EXPR_MT_NAME, m->u.user.name, strlen(m->u.user.name));
+	nft_rule_expr_set(e, NFT_EXPR_MT_NAME, m->u.user.name,
+						strlen(m->u.user.name));
 	nft_rule_expr_set_u32(e, NFT_EXPR_MT_REV, m->u.user.revision);
 
 	info = calloc(1, m->u.match_size);
@@ -568,7 +570,8 @@ static int __add_match(struct nft_rule_expr *e, struct xt_entry_match *m)
 		return -ENOMEM;
 
 	memcpy(info, m->data, m->u.match_size);
-	nft_rule_expr_set(e, NFT_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m));
+	nft_rule_expr_set(e, NFT_EXPR_MT_INFO,
+					info, m->u.match_size - sizeof(*m));
 
 	return 0;
 }
@@ -604,7 +607,8 @@ static int __add_target(struct nft_rule_expr *e, struct xt_entry_target *t)
 		memcpy(info, t->data, t->u.target_size);
 	}
 
-	nft_rule_expr_set(e, NFT_EXPR_TG_INFO, info, t->u.target_size - sizeof(*t));
+	nft_rule_expr_set(e, NFT_EXPR_TG_INFO, info,
+						t->u.target_size - sizeof(*t));
 
 	return 0;
 }
@@ -662,7 +666,8 @@ static void nft_rule_print_debug(struct nft_rule *r, struct nlmsghdr *nlh)
 
 	nft_rule_snprintf(tmp, sizeof(tmp), r, 0, 0);
 	printf("DEBUG: rule: %s", tmp);
-	mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg));
+	mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len,
+					sizeof(struct nfgenmsg));
 #endif
 }
 
@@ -996,7 +1001,8 @@ nft_print_counters(struct nft_rule_expr *e, struct nft_rule_expr_iter *iter,
 }
 
 void
-nft_rule_print_save(struct nft_rule *r, enum nft_rule_print type, bool counters)
+nft_rule_print_save(struct nft_rule *r, enum nft_rule_print type,
+		    bool counters)
 {
 	struct nft_rule_expr_iter *iter;
 	struct nft_rule_expr *expr;
@@ -1115,8 +1121,8 @@ static void nft_chain_print_save(struct nft_chain *c, bool basechain)
 		if (nft_chain_attr_get(c, NFT_CHAIN_ATTR_POLICY))
 			pol = nft_chain_attr_get_u32(c, NFT_CHAIN_ATTR_POLICY);
 
-		printf(":%s %s [%"PRIu64":%"PRIu64"]\n", chain, policy_name[pol],
-					     pkts, bytes);
+		printf(":%s %s [%"PRIu64":%"PRIu64"]\n",
+					chain, policy_name[pol], pkts, bytes);
 	} else
 		printf(":%s - [%"PRIu64":%"PRIu64"]\n", chain, pkts, bytes);
 }
@@ -1316,7 +1322,8 @@ err:
 	return ret == 0 ? 1 : 0;
 }
 
-int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table)
+int nft_chain_user_add(struct nft_handle *h,
+		       const char *chain, const char *table)
 {
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	struct nlmsghdr *nlh;
@@ -1368,7 +1375,8 @@ static int __nft_chain_del(struct nft_handle *h, struct nft_chain *c)
 	return ret;
 }
 
-int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table)
+int nft_chain_user_del(struct nft_handle *h,
+		       const char *chain, const char *table)
 {
 	struct nft_chain_list *list;
 	struct nft_chain_list_iter *iter;
@@ -1594,7 +1602,9 @@ err:
 }
 
 int nft_for_each_table(struct nft_handle *h,
-		       int (*func)(struct nft_handle *h, const char *tablename, bool counters),
+		       int (*func)(struct nft_handle *h,
+			           const char *tablename,
+				   bool counters),
 		       bool counters)
 {
 	int ret = 1;
@@ -1641,9 +1651,8 @@ int nft_table_purge_chains(struct nft_handle *h, const char *this_table,
 
 	chain_obj = nft_chain_list_iter_next(iter);
 	while (chain_obj != NULL) {
-		const char *table =
-			nft_chain_attr_get_str(chain_obj, NFT_CHAIN_ATTR_TABLE);
-
+		const char *table = nft_chain_attr_get_str(chain_obj,
+							NFT_CHAIN_ATTR_TABLE);
 		if (strcmp(this_table, table) != 0)
 			goto next;
 
@@ -1819,7 +1828,8 @@ __find_match(struct nft_rule_expr *expr, struct xtables_rule_match *matches)
 			continue;
 		}
 
-		if (memcmp(data, m->data, m->u.user.match_size - sizeof(*m)) != 0) {
+		if (memcmp(data, m->data,
+				m->u.user.match_size - sizeof(*m)) != 0) {
 			DEBUGP("mismatch match data\n");
 			continue;
 		}
@@ -1830,7 +1840,8 @@ __find_match(struct nft_rule_expr *expr, struct xtables_rule_match *matches)
 	return found;
 }
 
-static bool find_matches(struct xtables_rule_match *matches, struct nft_rule *r)
+static bool
+find_matches(struct xtables_rule_match *matches, struct nft_rule *r)
 {
 	struct nft_rule_expr_iter *iter;
 	struct nft_rule_expr *expr;
@@ -1862,7 +1873,8 @@ static bool find_matches(struct xtables_rule_match *matches, struct nft_rule *r)
 	return true;
 }
 
-static bool __find_target(struct nft_rule_expr *expr, struct xt_entry_target *t)
+static bool
+__find_target(struct nft_rule_expr *expr, struct xt_entry_target *t)
 {
 	size_t len;
 	const char *tgname = nft_rule_expr_get_str(expr, NFT_EXPR_TG_NAME);
@@ -1944,7 +1956,8 @@ find_immediate(struct nft_rule *r, const char *jumpto)
 			nft_rule_expr_get_str(expr, NFT_RULE_EXPR_ATTR_NAME);
 
 		if (strcmp(name, "immediate") == 0) {
-			int verdict = nft_rule_expr_get_u32(expr, NFT_EXPR_IMM_VERDICT);
+			int verdict = nft_rule_expr_get_u32(expr,
+							NFT_EXPR_IMM_VERDICT);
 			const char *verdict_name = NULL;
 
 			/* No target specified but immediate shows up, this
@@ -2189,8 +2202,8 @@ int nft_rule_replace(struct nft_handle *h, const char *chain,
 						 NFT_RULE_F_COMMIT);
 		}
 		ret = nft_rule_add(h, chain, table, cs, true,
-				   nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE),
-				   verbose);
+				nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE),
+				verbose);
 	} else
 		errno = ENOENT;
 
@@ -2473,8 +2486,10 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
 		uint32_t refs =
 			nft_chain_attr_get_u32(c, NFT_CHAIN_ATTR_USE);
 		struct xt_counters ctrs = {
-			.pcnt = nft_chain_attr_get_u64(c, NFT_CHAIN_ATTR_PACKETS),
-			.bcnt = nft_chain_attr_get_u64(c, NFT_CHAIN_ATTR_BYTES),
+			.pcnt = nft_chain_attr_get_u64(c,
+						NFT_CHAIN_ATTR_PACKETS),
+			.bcnt = nft_chain_attr_get_u64(c,
+						NFT_CHAIN_ATTR_BYTES),
 		};
 		bool basechain = false;
 
@@ -2547,8 +2562,10 @@ nft_rule_list_chain_save(struct nft_handle *h, const char *table,
 
 			if (counters) {
 				printf(" -c %"PRIu64" %"PRIu64"\n",
-					nft_chain_attr_get_u64(c, NFT_CHAIN_ATTR_PACKETS),
-					nft_chain_attr_get_u64(c, NFT_CHAIN_ATTR_BYTES));
+					nft_chain_attr_get_u64(c,
+						NFT_CHAIN_ATTR_PACKETS),
+					nft_chain_attr_get_u64(c,
+						NFT_CHAIN_ATTR_BYTES));
 			} else
 				printf("\n");
 		} else {
@@ -2796,11 +2813,13 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,
 			if (errno == EEXIST) {
 				xtables_config_perror(flags,
 					"table `%s' already exists, skipping\n",
-					(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME));
+					(char *)nft_table_attr_get(table,
+							NFT_TABLE_ATTR_NAME));
 			} else {
 				xtables_config_perror(flags,
 					"table `%s' cannot be create, reason `%s'. Exitting\n",
-					(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME),
+					(char *)nft_table_attr_get(table,
+							NFT_TABLE_ATTR_NAME),
 					strerror(errno));
 				nft_table_list_iter_destroy(titer);
 				nft_table_list_free(table_list);
@@ -2809,7 +2828,8 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,
 			continue;
 		}
 		xtables_config_perror(flags, "table `%s' has been created\n",
-			(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME));
+			(char *)nft_table_attr_get(table,
+							NFT_TABLE_ATTR_NAME));
 	}
 	nft_table_list_iter_destroy(titer);
 	nft_table_list_free(table_list);
@@ -2821,12 +2841,15 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,
 			if (errno == EEXIST) {
 				xtables_config_perror(flags,
 					"chain `%s' already exists in table `%s', skipping\n",
-					(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_NAME),
-					(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_TABLE));
+					(char *)nft_chain_attr_get(chain,
+							NFT_CHAIN_ATTR_NAME),
+					(char *)nft_chain_attr_get(chain,
+							NFT_CHAIN_ATTR_TABLE));
 			} else {
 				xtables_config_perror(flags,
 					"chain `%s' cannot be create, reason `%s'. Exitting\n",
-					(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_NAME),
+					(char *)nft_chain_attr_get(chain,
+							NFT_CHAIN_ATTR_NAME),
 					strerror(errno));
 				nft_chain_list_iter_destroy(citer);
 				nft_chain_list_free(chain_list);
@@ -2838,7 +2861,8 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,
 		xtables_config_perror(flags,
 			"chain `%s' in table `%s' has been created\n",
 			(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_NAME),
-			(char *)nft_chain_attr_get(chain, NFT_CHAIN_ATTR_TABLE));
+			(char *)nft_chain_attr_get(chain,
+							NFT_CHAIN_ATTR_TABLE));
 	}
 	nft_chain_list_iter_destroy(citer);
 	nft_chain_list_free(chain_list);
@@ -2846,7 +2870,7 @@ int nft_xtables_config_load(struct nft_handle *h, const char *filename,
 	return 0;
 }
 
-int nft_chain_zero_counters(struct nft_handle *h, const char *chain, 
+int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
 			    const char *table)
 {
 	struct nft_chain_list *list;
-- 
1.8.2.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [iptables-nftables - PATCH 2/2] nft: Fix code style issues
  2013-07-17  7:34 ` [iptables-nftables - PATCH 2/2] nft: Fix code style issues Tomasz Bursztyka
@ 2013-07-17 13:47   ` Pablo Neira Ayuso
  2013-07-18 11:12     ` Tomasz Bursztyka
  0 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2013-07-17 13:47 UTC (permalink / raw)
  To: Tomasz Bursztyka; +Cc: netfilter-devel

I don't feel like taking this at this moment.

I think many of those style adjustments could be fixed by splitting
functions into smaller chunks and with several helper functions
similar to your "nft: add function to test for a builtin chain" patch,
which I think is the way to go to get this code better.

We can also revisit this later if you don't want to work on this at
this moment.

Thanks for the patch in any case.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [iptables-nftables - PATCH 2/2] nft: Fix code style issues
  2013-07-17 13:47   ` Pablo Neira Ayuso
@ 2013-07-18 11:12     ` Tomasz Bursztyka
  0 siblings, 0 replies; 7+ messages in thread
From: Tomasz Bursztyka @ 2013-07-18 11:12 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

Hi Pablo,

> I think many of those style adjustments could be fixed by splitting
> functions into smaller chunks and with several helper functions
> similar to your "nft: add function to test for a builtin chain" patch,
> which I think is the way to go to get this code better.
>
> We can also revisit this later if you don't want to work on this at
> this moment.

As this is not in a hurry, let's see yes.

Actually Giuseppe's work might help on that since he will move some of 
these common helpers to nft-shared.c (or a new nft-utils.c, let's see)

Tomasz

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2013-07-18 11:12 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-07-17  7:34 [iptables-nftables - PATCH 0/2] fixes Tomasz Bursztyka
2013-07-17  7:34 ` [iptables-nftables - PATCH 1/2] nft: Optimize chain listing if only one is looked for Tomasz Bursztyka
2013-07-17 13:40   ` Pablo Neira Ayuso
2013-07-18 11:10     ` Tomasz Bursztyka
2013-07-17  7:34 ` [iptables-nftables - PATCH 2/2] nft: Fix code style issues Tomasz Bursztyka
2013-07-17 13:47   ` Pablo Neira Ayuso
2013-07-18 11:12     ` Tomasz Bursztyka

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).