src: add devices to an existing flowtable
authorPablo Neira Ayuso <pablo@netfilter.org>
Wed, 20 May 2020 18:23:35 +0000 (20:23 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 2 Jun 2020 12:05:38 +0000 (14:05 +0200)
This patch allows you to add new devices to an existing flowtable.

 # nft add flowtable x y { devices = { eth0 } \; }

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c
src/mnl.c

index 4156d896fb5380229f19b1fca03e14bbee8ef811..fbc8f1fbd141b01f58f3c5052d598e5acde720d0 100644 (file)
@@ -3624,17 +3624,16 @@ static int flowtable_evaluate(struct eval_ctx *ctx, struct flowtable *ft)
        if (table == NULL)
                return table_not_found(ctx);
 
-       ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
-       if (ft->hook.num == NF_INET_NUMHOOKS)
-               return chain_error(ctx, ft, "invalid hook %s", ft->hook.name);
-
-       if (!evaluate_priority(ctx, &ft->priority, NFPROTO_NETDEV, ft->hook.num))
-               return __stmt_binary_error(ctx, &ft->priority.loc, NULL,
-                                          "invalid priority expression %s.",
-                                          expr_name(ft->priority.expr));
-
-       if (!ft->dev_expr)
-               return chain_error(ctx, ft, "Unbound flowtable not allowed (must specify devices)");
+       if (ft->hook.name) {
+               ft->hook.num = str2hooknum(NFPROTO_NETDEV, ft->hook.name);
+               if (ft->hook.num == NF_INET_NUMHOOKS)
+                       return chain_error(ctx, ft, "invalid hook %s",
+                                          ft->hook.name);
+               if (!evaluate_priority(ctx, &ft->priority, NFPROTO_NETDEV, ft->hook.num))
+                       return __stmt_binary_error(ctx, &ft->priority.loc, NULL,
+                                                  "invalid priority expression %s.",
+                                                  expr_name(ft->priority.expr));
+       }
 
        return 0;
 }
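Review bot: With the `!ft->dev_expr` rejection removed and the hook checks now conditional on `ft->hook.name`, a flowtable statement that carries neither a hook nor devices returns 0 from this function, so the located user-space error is lost. The src/mnl.c hunk shows `mnl_nft_flowtable_add()` still calling `nft_flowtable_dev_array(cmd)` unconditionally; that helper is not visible here, but if it walks `dev_expr` without a NULL check, such input would crash the tool instead of being rejected. Unless `dev_expr` is guaranteed elsewhere, I would keep a guard for the device-only case after the new block, for example `if (!ft->hook.name && !ft->dev_expr) return chain_error(ctx, ft, "flowtable without hook must specify devices");`. flowtable_evaluate() begins outside the hunk.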
index 2890014ebf3dc24e67bbf81428419e6194070b00..8f8fcc2c7ae0f2be8e121e364efb29e2ab0d8eb9 100644 (file)
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1640,11 +1640,17 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 
        nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FAMILY,
                                cmd->handle.family);
-       nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
-                               cmd->flowtable->hook.num);
-       mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
-                       BYTEORDER_HOST_ENDIAN, sizeof(int));
-       nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
+
+       if (cmd->flowtable->hook.name) {
+               nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM,
+                                       cmd->flowtable->hook.num);
+               mpz_export_data(&priority, cmd->flowtable->priority.expr->value,
+                               BYTEORDER_HOST_ENDIAN, sizeof(int));
+               nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, priority);
+       } else {
+               nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_HOOKNUM, 0);
+               nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
+       }
 
        dev_array = nft_flowtable_dev_array(cmd);
        nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
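Review bot: The new `else` branch sends `NFTNL_FLOWTABLE_HOOKNUM` and `NFTNL_FLOWTABLE_PRIO` as 0, and both are ordinary in-range values, so the netlink message cannot distinguish "hook not given" from "hook 0, priority 0". If the receiving side compares these attributes with the existing flowtable (not visible here), adding a device to a flowtable with a non-zero priority could be refused, or the zeros could be taken as a real request. Leaving both attributes unset when `hook.name` is NULL would express the intent directly. If the zeros are required, the branch should say so with a comment such as `/* device-only update of an existing flowtable: hook and priority are placeholders */`. mnl_nft_flowtable_add() starts and ends outside the hunk.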