nft: __add_{match,target}() can't fail

These functions either call xtables_error() which terminates the process
or succeed - make them return void. While at it, export them as rule
parsing code will call them in future. Also make input parameter const,
they're not supposed to alter extension data.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft.c b/iptables/nft.c
index d1e04d2b1deb0f7d937bf896d5916022f8c34144..efa787b7e5dc8e3677c86697292aafb66c310944 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1034,7 +1034,7 @@ int nft_chain_set(struct nft_handle *h, const char *table,
        return 1;
 }
 
-static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m)
+void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m)
 {
        void *info;
 
@@ -1044,8 +1044,6 @@ static int __add_match(struct nftnl_expr *e, struct xt_entry_match *m)
        info = xtables_calloc(1, m->u.match_size);
        memcpy(info, m->data, m->u.match_size - sizeof(*m));
        nftnl_expr_set(e, NFTNL_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m));
-
-       return 0;
 }
 
 static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m)
@@ -1378,11 +1376,10 @@ static int add_nft_udp(struct nft_handle *h, struct nftnl_rule *r,
        if (udp->invflags > XT_UDP_INV_MASK ||
            udp_all_zero(udp)) {
                struct nftnl_expr *expr = nftnl_expr_alloc("match");
-               int ret;
 
-               ret = __add_match(expr, m);
+               __add_match(expr, m);
                nftnl_rule_add_expr(r, expr);
-               return ret;
+               return 0;
        }
 
        if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_UDP)
@@ -1431,11 +1428,10 @@ static int add_nft_tcp(struct nft_handle *h, struct nftnl_rule *r,
        if (tcp->invflags & ~supported || tcp->option ||
            tcp_all_zero(tcp)) {
                struct nftnl_expr *expr = nftnl_expr_alloc("match");
-               int ret;
 
-               ret = __add_match(expr, m);
+               __add_match(expr, m);
                nftnl_rule_add_expr(r, expr);
-               return ret;
+               return 0;
        }
 
        if (nftnl_rule_get_u32(r, NFTNL_RULE_COMPAT_PROTO) != IPPROTO_TCP)
@@ -1478,7 +1474,6 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
              struct nftnl_rule *r, struct xt_entry_match *m)
 {
        struct nftnl_expr *expr;
-       int ret;
 
        switch (ctx->command) {
        case NFT_COMPAT_RULE_APPEND:
@@ -1503,13 +1498,13 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
        if (expr == NULL)
                return -ENOMEM;
 
-       ret = __add_match(expr, m);
+       __add_match(expr, m);
        nftnl_rule_add_expr(r, expr);
 
-       return ret;
+       return 0;
 }
 
-static int __add_target(struct nftnl_expr *e, struct xt_entry_target *t)
+void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t)
 {
        void *info;
 
@@ -1520,8 +1515,6 @@ static int __add_target(struct nftnl_expr *e, struct xt_entry_target *t)
        info = xtables_calloc(1, t->u.target_size);
        memcpy(info, t->data, t->u.target_size - sizeof(*t));
        nftnl_expr_set(e, NFTNL_EXPR_TG_INFO, info, t->u.target_size - sizeof(*t));
-
-       return 0;
 }
 
 static int add_meta_nftrace(struct nftnl_rule *r)
@@ -1549,7 +1542,6 @@ static int add_meta_nftrace(struct nftnl_rule *r)
 int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
 {
        struct nftnl_expr *expr;
-       int ret;
 
        if (strcmp(t->u.user.name, "TRACE") == 0)
                return add_meta_nftrace(r);
@@ -1558,10 +1550,10 @@ int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
        if (expr == NULL)
                return -ENOMEM;
 
-       ret = __add_target(expr, t);
+       __add_target(expr, t);
        nftnl_rule_add_expr(r, expr);
 
-       return ret;
+       return 0;
 }
 
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict)

diff --git a/iptables/nft.h b/iptables/nft.h
index 09b4341f92f8eda8dcab85c37225de6c1a32b10f..49653ecea7330437bf43200e02fa198db949b493 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -192,8 +192,10 @@ bool nft_rule_is_policy_rule(struct nftnl_rule *r);
  */
 int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
 int add_verdict(struct nftnl_rule *r, int verdict);
+void __add_match(struct nftnl_expr *e, const struct xt_entry_match *m);
 int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
              struct nftnl_rule *r, struct xt_entry_match *m);
+void __add_target(struct nftnl_expr *e, const struct xt_entry_target *t);
 int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
 int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);