
firewall3: remove unnecessary fw3_has_table

Message ID 20210610045106.285820-1-wlooi@ucalgary.ca
State New

Commit Message

Wenli Looi June 10, 2021, 4:51 a.m. UTC
Given that firewall3 already skips the table when fw3_ipt_open fails,
there is no need for fw3_has_table.

Furthermore, /proc/net/ip_tables_names is not reliable under Linux
containers (e.g. Docker/LXC/LXD). This patch removes the need for the
existing hacks required to run OpenWrt on those platforms.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
---
Additional comments:

Under linux containers, I believe /proc/net/ip_tables_names does not
contain the name of a table until it is accessed at least once.

This patch makes firewall3 consistent with the iptables command, which
fully works under linux containers and will output "Table does not
exist" when iptc_init/ip6tc_init returns ENOENT.

Examples of existing hacks required to run OpenWrt on those platforms:

LXC: https://github.com/openwrt/openwrt/pull/2525
LXD: https://github.com/cvmiller/openwrt-lxd/blob/bc09dc7ebf4f2904a9b717ed8a8a4065b5f8aaa5/init.sh#L67
Docker: https://github.com/oofnikj/docker-openwrt/commit/a4f19bbbe1932e3b36690eb9ed75a273287120e3

I've tested this patch on LXD and firewall3 appears to work without the
above hack.

 main.c  | 15 ---------------
 utils.c |  9 ---------
 utils.h |  2 --
 3 files changed, 26 deletions(-)


diff --git a/main.c b/main.c
index 7ad00b4..7deb636 100644
--- a/main.c
+++ b/main.c
@@ -195,9 +195,6 @@  stop(bool complete)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
@@ -268,9 +265,6 @@  start(void)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
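Review bot: With the /proc pre-check gone, the bare `continue` on a failed fw3_ipt_open() in start() is now the only thing deciding whether a table's rules get installed, and it treats every failure the same: a table that genuinely does not exist (the ENOENT case the commit message describes) is indistinguishable from a table that could not be opened for another reason, such as a missing capability in an unprivileged container, and in the latter case the firewall comes up silently without that table's rules, which is a fail-open. The previous fw3_has_table() skip was at least an explicit "absent" decision; now the skip should be visible, e.g. `if (!(handle = fw3_ipt_open(family, table))) { /* log the skipped table via the file's warning helper, naming fw3_flag_names[table] */ continue; }` (the helper name is not visible in this hunk, so I have not guessed it). It is also worth noting in the commit message that opening every table unconditionally may autoload the corresponding iptable_* kernel module on hosts where the pre-check used to avoid it — I cannot confirm that from these lines, so it is only a point to check. start() begins and ends outside this hunk.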
@@ -339,9 +333,6 @@  reload(void)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
@@ -368,9 +359,6 @@  start:
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
@@ -426,9 +414,6 @@  gc(void)
 
 		for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
 		{
-			if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
-				continue;
-
 			if (!(handle = fw3_ipt_open(family, table)))
 				continue;
 
diff --git a/utils.c b/utils.c
index 17d5bf9..36897b0 100644
--- a/utils.c
+++ b/utils.c
@@ -339,15 +339,6 @@  file_contains(const char *path, const char *str)
 	return seen;
 }
 
-bool
-fw3_has_table(const bool ipv6, const char *table)
-{
-	const char *path = ipv6
-		? "/proc/net/ip6_tables_names" : "/proc/net/ip_tables_names";
-
-	return file_contains(path, table);
-}
-
 bool
 fw3_has_target(const bool ipv6, const char *target)
 {
diff --git a/utils.h b/utils.h
index 884907d..5b17a2d 100644
--- a/utils.h
+++ b/utils.h
@@ -102,8 +102,6 @@  void fw3_command_close(void);
 void fw3_pr(const char *fmt, ...)
 	__attribute__ ((format (printf, 1, 2)));
 
-bool fw3_has_table(const bool ipv6, const char *table);
-
 bool fw3_has_target(const bool ipv6, const char *target);
 
 bool fw3_lock(void);