return nft_chain_list_find(list, table, chain);
}
+bool nft_chain_exists(struct nft_handle *h,
+ const char *table, const char *chain)
+{
+ struct builtin_table *t = nft_table_builtin_find(h, table);
+
+ /* xtables does not support custom tables */
+ if (!t)
+ return false;
+
+ if (nft_chain_builtin_find(t, chain))
+ return true;
+
+ return !!nft_chain_find(h, table, chain);
+}
+
int nft_chain_user_rename(struct nft_handle *h,const char *chain,
const char *table, const char *newname)
{
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table, bool verbose);
struct builtin_chain *nft_chain_builtin_find(struct builtin_table *t, const char *chain);
+bool nft_chain_exists(struct nft_handle *h, const char *table, const char *chain);
/*
* Operations with rule-set.
--- /dev/null
+#!/bin/sh
+
+# make sure error return codes are as expected useful cases
+# (e.g. commands to check ruleset state)
+
+global_rc=0
+
+cmd() { # (rc, cmd, [args ...])
+ rc_exp=$1; shift
+
+ $XT_MULTI "$@"
+ rc=$?
+
+ [ $rc -eq $rc_exp ] || {
+ echo "---> expected $rc_exp, got $rc for command '$@'"
+ global_rc=1
+ }
+}
+
+# test chain creation
+cmd 0 ip6tables -N foo
+cmd 1 ip6tables -N foo
+# iptables-nft allows this - bug or feature?
+#cmd 2 ip6tables -N "invalid name"
+
+# test rule adding
+cmd 0 ip6tables -A INPUT -j ACCEPT
+cmd 1 ip6tables -A noexist -j ACCEPT
+
+# test rule checking
+cmd 0 ip6tables -C INPUT -j ACCEPT
+cmd 1 ip6tables -C FORWARD -j ACCEPT
+cmd 1 ip6tables -C nonexist -j ACCEPT
+cmd 2 ip6tables -C INPUT -j foobar
+cmd 2 ip6tables -C INPUT -m foobar -j ACCEPT
+cmd 3 ip6tables -t foobar -C INPUT -j ACCEPT
+
+exit $global_rc
--- /dev/null
+#!/bin/sh
+
+# make sure error return codes are as expected useful cases
+# (e.g. commands to check ruleset state)
+
+global_rc=0
+
+cmd() { # (rc, cmd, [args ...])
+ rc_exp=$1; shift
+
+ $XT_MULTI "$@"
+ rc=$?
+
+ [ $rc -eq $rc_exp ] || {
+ echo "---> expected $rc_exp, got $rc for command '$@'"
+ global_rc=1
+ }
+}
+
+# test chain creation
+cmd 0 iptables -N foo
+cmd 1 iptables -N foo
+# iptables-nft allows this - bug or feature?
+#cmd 2 iptables -N "invalid name"
+
+# test rule adding
+cmd 0 iptables -A INPUT -j ACCEPT
+cmd 1 iptables -A noexist -j ACCEPT
+
+# test rule checking
+cmd 0 iptables -C INPUT -j ACCEPT
+cmd 1 iptables -C FORWARD -j ACCEPT
+cmd 1 iptables -C nonexist -j ACCEPT
+cmd 2 iptables -C INPUT -j foobar
+cmd 2 iptables -C INPUT -m foobar -j ACCEPT
+cmd 3 iptables -t foobar -C INPUT -j ACCEPT
+
+exit $global_rc
if (cs->invert)
xtables_error(PARAMETER_PROBLEM,
"unexpected ! flag before --table");
+ if (!nft_table_builtin_find(h, optarg))
+ xtables_error(VERSION_PROBLEM,
+ "table '%s' does not exist",
+ optarg);
p->table = optarg;
break;
p->chain);
}
- /*
- * Contrary to what iptables does, we assume that any jumpto
- * is a custom chain jumps (if no target is found). Later on,
- * nf_table will spot the error if the chain does not exists.
- */
+ if (p->chain && !nft_chain_exists(h, p->table, p->chain))
+ xtables_error(OTHER_PROBLEM,
+ "Chain '%s' does not exist", cs->jumpto);
+
+ if (!cs->target && strlen(cs->jumpto) > 0 &&
+ !nft_chain_exists(h, p->table, cs->jumpto))
+ xtables_error(PARAMETER_PROBLEM,
+ "Chain '%s' does not exist", cs->jumpto);
}
+ if (p->command == CMD_NEW_CHAIN &&
+ nft_chain_exists(h, p->table, p->chain))
+ xtables_error(OTHER_PROBLEM, "Chain already exists");
}
int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
projects / thirdparty / iptables.git / commitdiff
