
[PATH,nft,v2,05/18] libnftables: add nft_run_command_from_buffer

Message ID 20170824154924.GA24860@salvia
State Accepted
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso Aug. 24, 2017, 3:49 p.m. UTC
Attaching a revamped version; it collapses your patches 5 and 6.

We still have to agree on what to do with the netlink socket. I know
you don't want to open it from the client side.

The only way I find to do this is to - yick - add a flag to
nft_ctx_new().

Comments

Eric Leblond Aug. 25, 2017, 11:26 a.m. UTC | #1
Hi,

On Thu, 2017-08-24 at 17:49 +0200, Pablo Neira Ayuso wrote:
> Attaching a revamped version, it is collapsing your patch 5 and 6.
> 
> We still have to agree on what to do with the netlink socket. I know
> you don't want to open it from the client side.
> 
> The only way I find to do this is to - yick - add a flag to
> nft_ctx_new().

Agree with the flag idea. This will add a minimum of flexibility to the
structure creation.

Regarding the patch, I'm good with it.

Acked-by: Eric Leblond <eric@regit.org>


Patch

From d9583a782e96d4c2310c00b4cb6a511b2bd99471 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Thu, 24 Aug 2017 17:46:01 +0200
Subject: [PATCH] src: add nft_run_cmd_*() functions

Add new functions to read nftables commands from a file or a buffer, which
we can expose as a library.

Joint work with Pablo Neira.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/main.c | 74 +++++++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 54 insertions(+), 20 deletions(-)

diff --git a/src/main.c b/src/main.c
index 1b986ae4ed12..0cad4d2412e8 100644
--- a/src/main.c
+++ b/src/main.c
@@ -300,6 +300,58 @@  static void nft_ctx_free(const struct nft_ctx *ctx)
 	xfree(ctx);
 }
 
+static int nft_run_cmd_from_buffer(struct nft_ctx *nft,
+				   struct mnl_socket *nf_sock,
+				   char *buf, size_t buflen)
+{
+	int rc = NFT_EXIT_SUCCESS;
+	struct parser_state state;
+	LIST_HEAD(msgs);
+	void *scanner;
+
+	parser_init(nf_sock, &nft->cache, &state, &msgs, nft->debug_mask);
+	scanner = scanner_init(&state);
+	scanner_push_buffer(scanner, &indesc_cmdline, buf);
+
+	if (nft_run(nft, nf_sock, scanner, &state, &msgs) != 0)
+		rc = NFT_EXIT_FAILURE;
+
+	scanner_destroy(scanner);
+	erec_print_list(stderr, &msgs, nft->debug_mask);
+	cache_release(&nft->cache);
+
+	return rc;
+}
+
+static int nft_run_cmd_from_filename(struct nft_ctx *nft,
+				     struct mnl_socket *nf_sock,
+				     const char *filename)
+{
+	struct parser_state state;
+	LIST_HEAD(msgs);
+	void *scanner;
+	int rc;
+
+	rc = cache_update(nf_sock, &nft->cache, CMD_INVALID, &msgs,
+			  nft->debug_mask);
+	if (rc < 0)
+		return NFT_EXIT_FAILURE;
+
+	parser_init(nf_sock, &nft->cache, &state, &msgs, nft->debug_mask);
+	scanner = scanner_init(&state);
+	if (scanner_read_file(scanner, filename, &internal_location) < 0)
+		goto err;
+
+	if (nft_run(nft, nf_sock, scanner, &state, &msgs) != 0)
+		rc = NFT_EXIT_FAILURE;
+err:
+	scanner_destroy(scanner);
+	erec_print_list(stderr, &msgs, nft->debug_mask);
+	cache_release(&nft->cache);
+
+	return rc;
+}
+
 int main(int argc, char * const *argv)
 {
 	struct parser_state state;
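Review bot: nft_run_cmd_from_filename reports success when the input file cannot be read: the `goto err` after the failed scanner_read_file leaves `rc` holding the non-negative value cache_update returned (presumably 0, which is the usual NFT_EXIT_SUCCESS), and that is what the function returns, so the caller in main exits cleanly even though erec_print_list has just printed the error. Set the failure code before jumping, `if (scanner_read_file(scanner, filename, &internal_location) < 0) { rc = NFT_EXIT_FAILURE; goto err; }`, or reset `rc = NFT_EXIT_SUCCESS` after the cache_update check as nft_run_cmd_from_buffer does, so only explicit failures change it. Separately, the `buflen` parameter of nft_run_cmd_from_buffer is never read (scanner_push_buffer takes only `buf`), so the `len + 2` the caller passes in the second hunk is dead; either drop the parameter or use it to bound what is pushed. Both helpers would also benefit from a one-line comment stating that they take ownership of the context cache (cache_release at the end) and print all accumulated error records to stderr before returning.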
@@ -410,21 +462,9 @@  int main(int argc, char * const *argv)
 				strcat(buf, " ");
 		}
 		strcat(buf, "\n");
-		parser_init(nf_sock, &nft->cache, &state, &msgs,
-			    nft->debug_mask);
-		scanner = scanner_init(&state);
-		scanner_push_buffer(scanner, &indesc_cmdline, buf);
+		rc = nft_run_cmd_from_buffer(nft, nf_sock, buf, len + 2);
 	} else if (filename != NULL) {
-		rc = cache_update(nf_sock, &nft->cache, CMD_INVALID, &msgs,
-				  nft->debug_mask);
-		if (rc < 0)
-			return rc;
-
-		parser_init(nf_sock, &nft->cache, &state, &msgs,
-			    nft->debug_mask);
-		scanner = scanner_init(&state);
-		if (scanner_read_file(scanner, filename, &internal_location) < 0)
-			goto out;
+		rc = nft_run_cmd_from_filename(nft, nf_sock, filename);
 	} else if (interactive) {
 		if (cli_init(nft, nf_sock, &state) < 0) {
 			fprintf(stderr, "%s: interactive CLI not supported in this build\n",
@@ -437,13 +477,7 @@  int main(int argc, char * const *argv)
 		exit(NFT_EXIT_FAILURE);
 	}
 
-	if (nft_run(nft, nf_sock, scanner, &state, &msgs) != 0)
-		rc = NFT_EXIT_FAILURE;
-out:
-	scanner_destroy(scanner);
-	erec_print_list(stderr, &msgs, nft->debug_mask);
 	xfree(buf);
-	cache_release(&nft->cache);
 	iface_cache_release();
 	netlink_close_sock(nf_sock);
 	nft_ctx_free(nft);
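Review bot: With scanner_destroy and erec_print_list removed from main's common exit path, the locals `scanner` and `msgs` that main declares (above the hunk, outside view) appear to have no remaining use in main: the buffer and file branches now handle both inside the helpers, and the interactive branch passes only `&state` to cli_init, so if those declarations are still present they should be dropped to avoid unused-variable warnings. main begins outside this hunk, so check its declarations at the top. Note also that `cache_release(&nft->cache)` no longer runs on this exit path; if the interactive branch returns here after cli_init, its cache is now released nowhere in main, so confirm whether cli_init releases it itself or whether the release should stay in main for that path.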
-- 
2.1.4