git.ipfire.org Git - thirdparty/nftables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Fri, 7 Jun 2019 17:21:21 +0000 (19:21 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 7 Jun 2019 21:54:51 +0000 (23:54 +0200)
commit	e5382c0d08e3c6d8246afa95b7380f0d6b8c1826
tree	e7a6973c6354a9bfee9383476dbc7041fc2e27c9	tree
parent	eecfd96ea3ca8207a1fc28cd1e845c177be59d85	commit \| diff

src: Support intra-transaction rule references

A rule may be added before or after another one using index keyword. To
support for the other rule being added within the same batch, one has to
make use of NFTNL_RULE_ID and NFTNL_RULE_POSITION_ID attributes. This
patch does just that among a few more crucial things:

* If cache is complete enough to contain rules, update cache when
  evaluating rule commands so later index references resolve correctly.

* Reduce rule_translate_index() to its core code which is the actual
  linking of rules and consequently rename the function. The removed
  bits are pulled into the calling rule_evaluate() to reduce code
  duplication in between cache updates with and without rule reference.

* Pass the current command op to rule_evaluate() as indicator whether to
  insert before or after a referenced rule or at beginning or end of
  chain in cache. Exploit this from chain_evaluate() to avoid adding
  the chain's rules a second time.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/rule.h		diff \| blob \| blame \| history
src/evaluate.c		diff \| blob \| blame \| history
src/mnl.c		diff \| blob \| blame \| history
tests/shell/testcases/cache/0003_cache_update_0		diff \| blob \| blame \| history
tests/shell/testcases/transactions/0024rule_0	[new file with mode: 0755]	blob
tests/shell/testcases/transactions/0025rule_0	[new file with mode: 0755]	blob
tests/shell/testcases/transactions/dumps/0024rule_0.nft	[new file with mode: 0644]	blob
tests/shell/testcases/transactions/dumps/0025rule_0.nft	[new file with mode: 0644]	blob