git.ipfire.org Git - thirdparty/nftables.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 31 Jul 2024 16:51:01 +0000 (18:51 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 1 Sep 2025 20:47:56 +0000 (22:47 +0200)
commit	d2ed2a42acdd20c74bb13de73f924ad719937fc6
tree	d842fe1c95d9e578eea76ab0343fb8b572e52007	tree \| snapshot
parent	d07b4c8af3495ed94f704b6188d82f1427ea544b	commit \| diff

src: mnl: clean up hook listing code

commit af712117df54d8620ed046d19a37ee62516d5f38 upstream.

mnl_nft_dump_nf_hooks() can call itself for the UNSPEC case, this
avoids the second switch/case to handle printing for inet/unspec.

As for the error handling, 'nft list hooks' should not print an error,
even if nothing is printed, UNLESS there was also a lowlevel (syscall)
error from the kernel.

We don't want to indicate failure just because e.g. kernel doesn't support
NFPROTO_ARP.

This also fixes a display bug, 'nft list hooks device foo' would show hooks
registered for that device as 'bridge' family instead of the expected
'netdev' family.

This was because UNSPEC handling did not query 'netdev' family and did
pass the device name to the lowlevel function. Add it, and pass NULL
device name for those families that don't support device attachment.

The lowelevel function currently always queries NFPROTO_NETDEV to handle
the 'inet' ingress case.

This is dubious, as 'inet ingress' is a pseudo-alias to netdev family
(inet itself is a pseudo-family that ends up registering for both ipv4
and ipv6 hooks).

This is resolved in next patch.

Signed-off-by: Florian Westphal <fw@strlen.de>