nft: Make table creation purely implicit

While asserting a required builtin chain exists, its table is created
implicitly if missing. Exploit this from xtables-restore, too: The only
actions which need adjustment are chain_new and chain_restore, i.e. when
restoring (either builtin or custom) chains.

Note: The call to nft_table_builtin_add() wasn't sufficient as it
doesn't set the table as initialized and therefore a following call to
nft_xt_builtin_init() would override non-default base chain policies.

Note2: The 'table_new' callback in 'nft_xt_restore_cb' is left in place
as xtables-translate uses it to print an explicit 'add table' command.

Note3: nft_table_new() function was already unused since a7f1e208cdf9c
("nft: split parsing from netlink commands").

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index 51cdfed41519cc522cf35dd91d5335007e2b6f35..5d33f1f00f5741709cd5228e347d8ad19183545d 100644 (file)
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -393,8 +393,3 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
 
        return 1;
 }
-
-void nft_cmd_table_new(struct nft_handle *h, const char *table)
-{
-       nft_cmd_new(h, NFT_COMPAT_TABLE_NEW, table, NULL, NULL, -1, false);
-}

diff --git a/iptables/nft.c b/iptables/nft.c
index 0c5a74fc232c68350fd10f6765499c70cff1dc5d..c5ab0dbe8d6e74f17d9c616e87d10f88d3ffeab1 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -350,7 +350,6 @@ static int mnl_append_error(const struct nft_handle *h,
        case NFT_COMPAT_RULE_SAVE:
        case NFT_COMPAT_RULE_ZERO:
        case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-       case NFT_COMPAT_TABLE_NEW:
                assert(0);
                break;
        }
@@ -892,7 +891,7 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
        }
 
        /* if this built-in table does not exists, create it */
-       nft_table_builtin_add(h, _t);
+       nft_xt_builtin_init(h, table);
 
        _c = nft_chain_builtin_find(_t, chain);
        if (_c != NULL) {
@@ -1789,6 +1788,8 @@ int nft_chain_restore(struct nft_handle *h, const char *chain, const char *table
        bool created = false;
        int ret;
 
+       nft_xt_builtin_init(h, table);
+
        c = nft_chain_find(h, table, chain);
        if (c) {
                /* Apparently -n still flushes existing user defined
@@ -2099,11 +2100,6 @@ err_out:
        return ret == 0 ? 1 : 0;
 }
 
-void nft_table_new(struct nft_handle *h, const char *table)
-{
-       nft_xt_builtin_init(h, table);
-}
-
 static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule *r)
 {
        struct obj_update *obj;
@@ -2735,7 +2731,6 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
        case NFT_COMPAT_RULE_SAVE:
        case NFT_COMPAT_RULE_ZERO:
        case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-       case NFT_COMPAT_TABLE_NEW:
                assert(0);
                break;
        }
@@ -2811,7 +2806,6 @@ static void nft_refresh_transaction(struct nft_handle *h)
                case NFT_COMPAT_RULE_SAVE:
                case NFT_COMPAT_RULE_ZERO:
                case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-               case NFT_COMPAT_TABLE_NEW:
                        break;
                }
        }
@@ -2915,7 +2909,6 @@ retry:
                case NFT_COMPAT_RULE_SAVE:
                case NFT_COMPAT_RULE_ZERO:
                case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
-               case NFT_COMPAT_TABLE_NEW:
                        assert(0);
                }
 
@@ -3178,10 +3171,6 @@ static int nft_prepare(struct nft_handle *h)
                        ret = ebt_set_user_chain_policy(h, cmd->table,
                                                        cmd->chain, cmd->policy);
                        break;
-               case NFT_COMPAT_TABLE_NEW:
-                       nft_xt_builtin_init(h, cmd->table);
-                       ret = 1;
-                       break;
                case NFT_COMPAT_SET_ADD:
                        nft_xt_builtin_init(h, cmd->table);
                        batch_set_add(h, NFT_COMPAT_SET_ADD, cmd->obj.set);

diff --git a/iptables/nft.h b/iptables/nft.h
index bd783231156b78f5606280d7bc8d80a07d583a9f..bd944f441caf1ba62b64896d7699bcd0333454e2 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -68,7 +68,6 @@ enum obj_update_type {
        NFT_COMPAT_RULE_SAVE,
        NFT_COMPAT_RULE_ZERO,
        NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE,
-       NFT_COMPAT_TABLE_NEW,
 };
 
 struct cache_chain {
@@ -135,7 +134,6 @@ int nft_for_each_table(struct nft_handle *h, int (*func)(struct nft_handle *h, c
 bool nft_table_find(struct nft_handle *h, const char *tablename);
 int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
 int nft_table_flush(struct nft_handle *h, const char *table);
-void nft_table_new(struct nft_handle *h, const char *table);
 const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);
 
 /*

diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index eb25ec3dc83981a54d80216b82c27541aaf5d816..d27394972d90cd0ef35276800654d713115efd8f 100644 (file)
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -61,7 +61,6 @@ static void print_usage(const char *name, const char *version)
 static const struct nft_xt_restore_cb restore_cb = {
        .commit         = nft_commit,
        .abort          = nft_abort,
-       .table_new      = nft_cmd_table_new,
        .table_flush    = nft_cmd_table_flush,
        .do_command     = do_commandx,
        .chain_set      = nft_cmd_chain_set,
@@ -410,7 +409,6 @@ int xtables_ip6_restore_main(int argc, char *argv[])
 
 static const struct nft_xt_restore_cb ebt_restore_cb = {
        .commit         = nft_bridge_commit,
-       .table_new      = nft_cmd_table_new,
        .table_flush    = nft_cmd_table_flush,
        .do_command     = do_commandeb,
        .chain_set      = nft_cmd_chain_set,
@@ -456,7 +454,6 @@ int xtables_eb_restore_main(int argc, char *argv[])
 
 static const struct nft_xt_restore_cb arp_restore_cb = {
        .commit         = nft_commit,
-       .table_new      = nft_cmd_table_new,
        .table_flush    = nft_cmd_table_flush,
        .do_command     = do_commandarp,
        .chain_set      = nft_cmd_chain_set,