nft: move processing logic out of asserts

[Phil: Introduce assert_nft_restart() to keep things clean, also add
       fallback returns to nft_action() and nft_prepare(), sanitizing
       things at least a bit.]

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1487
Signed-off-by: Jan Palus <atler@pld-linux.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c
index fabb577903f282082612ab729e1efa1a24bdb711..91d296709b9de0e9f335dc22fc7ec58b142d3eb4 100644 (file)
--- a/iptables/nft-cache.c
+++ b/iptables/nft-cache.c
@@ -26,6 +26,14 @@
 #include "nft-cache.h"
 #include "nft-chain.h"
 
+/* users may define NDEBUG */
+static void assert_nft_restart(struct nft_handle *h)
+{
+       int rc = nft_restart(h);
+
+       assert(rc >= 0);
+}
+
 static void cache_chain_list_insert(struct list_head *list, const char *name)
 {
        struct cache_chain *pos = NULL, *new;
@@ -147,7 +155,7 @@ static int fetch_table_cache(struct nft_handle *h)
 
        ret = mnl_talk(h, nlh, nftnl_table_list_cb, h);
        if (ret < 0 && errno == EINTR)
-               assert(nft_restart(h) >= 0);
+               assert_nft_restart(h);
 
        for (i = 0; i < NFT_TABLE_MAX; i++) {
                enum nft_table_type type = h->tables[i].type;
@@ -472,7 +480,7 @@ static int fetch_set_cache(struct nft_handle *h,
 
        ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
        if (ret < 0 && errno == EINTR) {
-               assert(nft_restart(h) >= 0);
+               assert_nft_restart(h);
                return ret;
        }
 
@@ -512,7 +520,7 @@ static int __fetch_chain_cache(struct nft_handle *h,
 
        ret = mnl_talk(h, nlh, nftnl_chain_list_cb, &d);
        if (ret < 0 && errno == EINTR)
-               assert(nft_restart(h) >= 0);
+               assert_nft_restart(h);
 
        return ret;
 }
@@ -606,7 +614,7 @@ static int nft_rule_list_update(struct nft_chain *nc, void *data)
 
        ret = mnl_talk(h, nlh, nftnl_rule_list_cb, &rld);
        if (ret < 0 && errno == EINTR)
-               assert(nft_restart(h) >= 0);
+               assert_nft_restart(h);
 
        nftnl_rule_free(rule);
 

diff --git a/iptables/nft.c b/iptables/nft.c
index b702c65ae49aaef2eaef5fe6b68293e5721da02c..326dc20b21d652b27c3b2ae9e9e92f04c850fffc 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -109,7 +109,9 @@ static struct nftnl_batch *mnl_batch_init(void)
 
 static void mnl_nft_batch_continue(struct nftnl_batch *batch)
 {
-       assert(nftnl_batch_update(batch) >= 0);
+       int ret = nftnl_batch_update(batch);
+
+       assert(ret >= 0);
 }
 
 static uint32_t mnl_batch_begin(struct nftnl_batch *batch, uint32_t genid, uint32_t seqnum)
@@ -3227,6 +3229,7 @@ retry:
                case NFT_COMPAT_RULE_ZERO:
                case NFT_COMPAT_BRIDGE_USER_CHAIN_UPDATE:
                        assert(0);
+                       return 0;
                }
 
                mnl_nft_batch_continue(h->batch);
@@ -3504,7 +3507,7 @@ static int nft_prepare(struct nft_handle *h)
                case NFT_COMPAT_TABLE_ADD:
                case NFT_COMPAT_CHAIN_ADD:
                        assert(0);
-                       break;
+                       return 0;
                }
 
                nft_cmd_free(cmd);