
[iptables-compat,1/3] iptables-compat: remove non-batching routines

Message ID 20180504094920.23853-1-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira

Commit Message

Pablo Neira Ayuso May 4, 2018, 9:49 a.m. UTC
The non-batching code is only needed by kernel 3.16, which was released 8 months after nftables was
merged upstream. That kernel version supports a reduced feature set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 iptables/nft.c | 157 +++------------------------------------------------------
 iptables/nft.h |   3 --
 2 files changed, 7 insertions(+), 153 deletions(-)

Patch

diff --git a/iptables/nft.c b/iptables/nft.c
index e7cb827bb132..e60923d6ecbf 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -517,30 +517,6 @@  struct builtin_table xtables_bridge[TABLES_MAX] = {
 	},
 };
 
-int nft_table_add(struct nft_handle *h, struct nftnl_table *t, uint16_t flags)
-{
-	char buf[MNL_SOCKET_BUFFER_SIZE];
-	struct nlmsghdr *nlh;
-	int ret;
-
-	nlh = nftnl_table_nlmsg_build_hdr(buf, NFT_MSG_NEWTABLE, h->family,
-					NLM_F_ACK|flags, h->seq);
-	nftnl_table_nlmsg_build_payload(nlh, t);
-	nftnl_table_free(t);
-
-#ifdef NLDEBUG
-	char tmp[1024];
-
-	nft_table_snprintf(tmp, sizeof(tmp), t, 0, 0);
-	printf("DEBUG: table: %s\n", tmp);
-	mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg));
-#endif
-
-	ret = mnl_talk(h, nlh, NULL, NULL);
-
-	return (ret == 0 || (ret == -1 && errno == EEXIST)) ? 0 : -1;
-}
-
 static int nft_table_builtin_add(struct nft_handle *h,
 				 struct builtin_table *_t)
 {
@@ -556,10 +532,7 @@  static int nft_table_builtin_add(struct nft_handle *h,
 
 	nftnl_table_set(t, NFTNL_TABLE_NAME, (char *)_t->name);
 
-	if (h->batch_support)
-		ret = batch_table_add(h, NFT_COMPAT_TABLE_ADD, t);
-	else
-		ret = nft_table_add(h, t, NLM_F_EXCL);
+	ret = batch_table_add(h, NFT_COMPAT_TABLE_ADD, t);
 
 	if (ret == 0)
 		_t->initialized = true;
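Review bot: `_t->initialized = true` on the line after the new batch_table_add() call now only means the NEWTABLE request was queued in h->batch, not that the kernel accepted it; the removed non-batch path got the kernel's answer (including EEXIST) back synchronously before setting the flag. Since the flag is presumably read elsewhere to decide whether the built-in table still needs creating, a comment would keep readers from assuming kernel acknowledgement: `/* queued in the batch only; the kernel sees it at commit, so failures surface there */`. The body of nft_table_builtin_add() starts before this hunk.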
@@ -587,29 +560,6 @@  nft_chain_builtin_alloc(struct builtin_table *table,
 	return c;
 }
 
-int nft_chain_add(struct nft_handle *h, struct nftnl_chain *c, uint16_t flags)
-{
-	char buf[MNL_SOCKET_BUFFER_SIZE];
-	struct nlmsghdr *nlh;
-
-	/* NLM_F_CREATE requests module autoloading */
-	nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, h->family,
-					NLM_F_ACK|flags|NLM_F_CREATE,
-					h->seq);
-	nftnl_chain_nlmsg_build_payload(nlh, c);
-	nftnl_chain_free(c);
-
-#ifdef NLDEBUG
-	char tmp[1024];
-
-	nft_chain_snprintf(tmp, sizeof(tmp), c, 0, 0);
-	printf("DEBUG: chain: %s\n", tmp);
-	mnl_nlmsg_fprintf(stdout, nlh, nlh->nlmsg_len, sizeof(struct nfgenmsg));
-#endif
-
-	return mnl_talk(h, nlh, NULL, NULL);
-}
-
 static void nft_chain_builtin_add(struct nft_handle *h,
 				  struct builtin_table *table,
 				  struct builtin_chain *chain)
@@ -620,10 +570,7 @@  static void nft_chain_builtin_add(struct nft_handle *h,
 	if (c == NULL)
 		return;
 
-	if (h->batch_support)
-		batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
-	else
-		nft_chain_add(h, c, NLM_F_EXCL);
+	batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
 }
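Review bot: The return value of batch_chain_add() is discarded on the new line in nft_chain_builtin_add(), whereas every other call site touched by this patch (nft_chain_set, nft_chain_user_add, nft_chain_user_del, nft_chain_user_rename) assigns it to `ret` and tests it. If batch_chain_add() can fail (it appears to allocate a batch entry), the built-in chain is silently never queued and the later rule insertion into it fails with a less obvious error. The function is void, so at minimum make the drop explicit, `(void)batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c); /* TODO: failure is not propagated to the caller */`, or change the return type so the caller can report it. nft_chain_builtin_add() starts outside this hunk.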
 
 /* find if built-in table already exists */
@@ -713,49 +660,6 @@  static bool nft_chain_builtin(struct nftnl_chain *c)
 	return nftnl_chain_get(c, NFTNL_CHAIN_HOOKNUM) != NULL;
 }
 
-static bool mnl_batch_supported(struct nft_handle *h)
-{
-	char buf[MNL_SOCKET_BUFFER_SIZE];
-	uint32_t seq = 1;
-	int ret;
-
-	mnl_nftnl_batch_begin(h->batch, seq++);
-
-	nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(h->batch),
-				NFT_MSG_NEWSET, AF_INET,
-				NLM_F_ACK, seq++);
-	mnl_nlmsg_batch_next(h->batch);
-
-	mnl_nftnl_batch_end(h->batch, seq++);
-
-	ret = mnl_socket_sendto(h->nl, mnl_nlmsg_batch_head(h->batch),
-				mnl_nlmsg_batch_size(h->batch));
-	if (ret < 0)
-		goto err;
-
-	mnl_nlmsg_batch_reset(h->batch);
-
-	ret = mnl_socket_recvfrom(h->nl, buf, sizeof(buf));
-	while (ret > 0) {
-		ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(h->nl),
-				 NULL, NULL);
-		if (ret <= 0)
-			break;
-
-		ret = mnl_socket_recvfrom(h->nl, buf, sizeof(buf));
-	}
-
-	/* We're sending an incomplete message to see if the kernel supports
-	 * set messages in batches. EINVAL means that we sent an incomplete
-	 * message with missing attributes. The kernel just ignores messages
-	 * that we cannot include in the batch.
-	 */
-	return (ret == -1 && errno == EINVAL) ? true : false;
-err:
-	mnl_nlmsg_batch_reset(h->batch);
-	return ret;
-}
-
 static int nft_restart(struct nft_handle *h)
 {
 	mnl_socket_close(h->nl);
@@ -789,7 +693,6 @@  int nft_init(struct nft_handle *h, struct builtin_table *t)
 	INIT_LIST_HEAD(&h->obj_list);
 
 	h->batch = mnl_nftnl_batch_alloc();
-	h->batch_support = mnl_batch_supported(h);
 
 	return 0;
 }
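Review bot: nft_init() still returns 0 unconditionally after `h->batch = mnl_nftnl_batch_alloc();`, yet with the non-batching routines gone the batch is now the only transport and every batch_*_add() call that follows relies on h->batch being non-NULL. If mnl_nftnl_batch_alloc() can return NULL (it presumably allocates), an early `if (h->batch == NULL) return -1;` here turns an allocation failure into a clean error instead of a later NULL dereference. Whether h->nl must be closed on that path depends on the part of nft_init() above this hunk, which starts outside it.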
@@ -874,10 +777,7 @@  int nft_chain_set(struct nft_handle *h, const char *table,
 	if (c == NULL)
 		return 0;
 
-	if (h->batch_support)
-		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_UPDATE, c);
-	else
-		ret = nft_chain_add(h, c, 0);
+	ret = batch_chain_add(h, NFT_COMPAT_CHAIN_UPDATE, c);
 
 	/* the core expects 1 for success and 0 for error */
 	return ret == 0 ? 1 : 0;
@@ -1466,19 +1366,7 @@  int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
 	nftnl_chain_set(c, NFTNL_CHAIN_TABLE, (char *)table);
 	nftnl_chain_set(c, NFTNL_CHAIN_NAME, (char *)chain);
 
-	if (h->batch_support) {
-		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c);
-	} else {
-		char buf[MNL_SOCKET_BUFFER_SIZE];
-		struct nlmsghdr *nlh;
-
-		nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN,
-						h->family,
-						NLM_F_ACK|NLM_F_EXCL, h->seq);
-		nftnl_chain_nlmsg_build_payload(nlh, c);
-		nftnl_chain_free(c);
-		ret = mnl_talk(h, nlh, NULL, NULL);
-	}
+	ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_ADD, c);
 
 	/* the core expects 1 for success and 0 for error */
 	return ret == 0 ? 1 : 0;
@@ -1534,10 +1422,7 @@  int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *tabl
 		if (chain != NULL && strcmp(chain, chain_name) != 0)
 			goto next;
 
-		if (h->batch_support)
-			ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
-		else
-			ret = __nft_chain_del(h, c);
+		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_DEL, c);
 
 		if (ret < 0)
 			break;
@@ -1552,8 +1437,6 @@  next:
 
 	nftnl_chain_list_iter_destroy(iter);
 err:
-	if (!h->batch_support)
-		nftnl_chain_list_free(list);
 
 	/* chain not found */
 	if (deleted_ctr == 0) {
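Review bot: With the `if (!h->batch_support)` branch gone, `list` is no longer freed anywhere on the `err:` path of nft_chain_user_del(), and the same applies at the end of nft_chain_zero_counters() in the `@@ -2752,9 +2612,6 @@` hunk; the chains in it are presumably kept alive because the queued batch entries still reference them, but nothing in the visible code says so, and the `err:` label is now followed by a blank line and an unrelated comment. A one-line comment at each site, `/* list is not freed here: queued batch objects still reference its chains */`, records the ownership rule the removed condition made explicit. Both functions begin outside their hunks.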
@@ -1643,19 +1526,7 @@  int nft_chain_user_rename(struct nft_handle *h,const char *chain,
 	nftnl_chain_set(c, NFTNL_CHAIN_NAME, (char *)newname);
 	nftnl_chain_set_u64(c, NFTNL_CHAIN_HANDLE, handle);
 
-	if (h->batch_support) {
-		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_RENAME, c);
-	} else {
-		char buf[MNL_SOCKET_BUFFER_SIZE];
-		struct nlmsghdr *nlh;
-
-		nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN,
-						h->family, NLM_F_ACK, h->seq);
-		nftnl_chain_nlmsg_build_payload(nlh, c);
-		nftnl_chain_free(c);
-
-		ret = mnl_talk(h, nlh, NULL, NULL);
-	}
+	ret = batch_chain_add(h, NFT_COMPAT_CHAIN_RENAME, c);
 
 	/* the core expects 1 for success and 0 for error */
 	return ret == 0 ? 1 : 0;
@@ -2733,18 +2604,7 @@  int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
 
 		nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
 
-		if (h->batch_support) {
-			ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
-		} else {
-			struct nlmsghdr *nlh;
-			char buf[MNL_SOCKET_BUFFER_SIZE];
-
-			nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN,
-							h->family, NLM_F_ACK,
-							h->seq);
-			nftnl_chain_nlmsg_build_payload(nlh, c);
-			ret = mnl_talk(h, nlh, NULL, NULL);
-		}
+		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
 
 		if (chain != NULL)
 			break;
@@ -2752,9 +2612,6 @@  next:
 		c = nftnl_chain_list_iter_next(iter);
 	}
 
-	if (!h->batch_support)
-		nftnl_chain_list_free(list);
-
 	nftnl_chain_list_iter_destroy(iter);
 
 err:
diff --git a/iptables/nft.h b/iptables/nft.h
index 310cedeca730..aaf3cbe0c0e3 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -37,7 +37,6 @@  struct nft_handle {
 	struct builtin_table	*tables;
 	struct nftnl_rule_list	*rule_cache;
 	bool			restore;
-	bool			batch_support;
 };
 
 extern struct builtin_table xtables_ipv4[TABLES_MAX];
@@ -56,7 +55,6 @@  void nft_fini(struct nft_handle *h);
 struct nftnl_table;
 struct nftnl_chain_list;
 
-int nft_table_add(struct nft_handle *h, struct nftnl_table *t, uint16_t flags);
 int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, const char *tablename, bool counters), bool counters);
 bool nft_table_find(struct nft_handle *h, const char *tablename);
 int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
@@ -66,7 +64,6 @@  int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl
  */
 struct nftnl_chain;
 
-int nft_chain_add(struct nft_handle *h, struct nftnl_chain *c, uint16_t flags);
 int nft_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
 struct nftnl_chain_list *nft_chain_dump(struct nft_handle *h);
 struct nftnl_chain *nft_chain_list_find(struct nftnl_chain_list *list, const char *table, const char *chain);