From: Yu Watanabe Date: Wed, 15 Jun 2022 04:45:37 +0000 (+0900) Subject: firewall-util: introduce nfnl_close_expr_container() helper function X-Git-Tag: v252-rc1~594^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=665bc9e6e287271ecab140fbb1a8b0328ffff2f0;p=thirdparty%2Fsystemd.git firewall-util: introduce nfnl_close_expr_container() helper function And merge nfnl_add_expr_lookup_set() and nfnl_add_expr_lookup_map(). --- diff --git a/src/shared/firewall-util-nft.c b/src/shared/firewall-util-nft.c index f0cf50a2aee..b4ef1664997 100644 --- a/src/shared/firewall-util-nft.c +++ b/src/shared/firewall-util-nft.c @@ -74,7 +74,7 @@ static int nfnl_netlink_sendv( return r; } -static int nfnl_add_open_expr_container(sd_netlink_message *m, const char *name) { +static int nfnl_open_expr_container(sd_netlink_message *m, const char *name) { int r; assert(m); @@ -87,6 +87,18 @@ static int nfnl_add_open_expr_container(sd_netlink_message *m, const char *name) return sd_netlink_message_open_container_union(m, NFTA_EXPR_DATA, name); } +static int nfnl_close_expr_container(sd_netlink_message *m) { + int r; + + assert(m); + + r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ + if (r < 0) + return r; + + return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ +} + static int nfnl_add_expr_fib( sd_netlink_message *m, uint32_t nft_fib_flags, @@ -97,7 +109,7 @@ static int nfnl_add_expr_fib( assert(m); - r = nfnl_add_open_expr_container(m, "fib"); + r = nfnl_open_expr_container(m, "fib"); if (r < 0) return r; @@ -113,11 +125,7 @@ static int nfnl_add_expr_fib( if (r < 0) return r; - r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ - if (r < 0) - return r; - - return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ + return nfnl_close_expr_container(m); } static int nfnl_add_expr_meta( @@ -129,7 +137,7 @@ static int nfnl_add_expr_meta( assert(m); - r = nfnl_add_open_expr_container(m, "meta"); + r = nfnl_open_expr_container(m, "meta"); if (r < 0) return r; @@ -141,11 +149,7 @@ static int nfnl_add_expr_meta( if (r < 0) return r; - r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ - if (r < 0) - return r; - - return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ + return nfnl_close_expr_container(m); } static int nfnl_add_expr_payload( @@ -159,7 +163,7 @@ static int nfnl_add_expr_payload( assert(m); - r = nfnl_add_open_expr_container(m, "payload"); + r = nfnl_open_expr_container(m, "payload"); if (r < 0) return r; @@ -179,56 +183,10 @@ static int nfnl_add_expr_payload( if (r < 0) return r; - r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ - if (r < 0) - return r; - - return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ -} - -static int nfnl_add_expr_lookup_set_data( - sd_netlink_message *m, - const char *set_name, - enum nft_registers sreg) { - - int r; - - assert(m); - assert(set_name); - - r = nfnl_add_open_expr_container(m, "lookup"); - if (r < 0) - return r; - - r = sd_netlink_message_append_string(m, NFTA_LOOKUP_SET, set_name); - if (r < 0) - return r; - - return sd_netlink_message_append_u32(m, NFTA_LOOKUP_SREG, htobe32(sreg)); + return nfnl_close_expr_container(m); } -static int nfnl_add_expr_lookup_set( - sd_netlink_message *m, - const char *set_name, - enum nft_registers sreg) { - - int r; - - assert(m); - assert(set_name); - - r = nfnl_add_expr_lookup_set_data(m, set_name, sreg); - if (r < 0) - return r; - - r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ - if (r < 0) - return r; - - return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ -} - -static int nfnl_add_expr_lookup_map( +static int nfnl_add_expr_lookup( sd_netlink_message *m, const char *set_name, enum nft_registers sreg, @@ -239,19 +197,25 @@ static int nfnl_add_expr_lookup_map( assert(m); assert(set_name); - r = nfnl_add_expr_lookup_set_data(m, set_name, sreg); + r = nfnl_open_expr_container(m, "lookup"); if (r < 0) return r; - r = sd_netlink_message_append_u32(m, NFTA_LOOKUP_DREG, htobe32(dreg)); + r = sd_netlink_message_append_string(m, NFTA_LOOKUP_SET, set_name); if (r < 0) return r; - r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ + r = sd_netlink_message_append_u32(m, NFTA_LOOKUP_SREG, htobe32(sreg)); if (r < 0) return r; - return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ + if (dreg != 0) { + r = sd_netlink_message_append_u32(m, NFTA_LOOKUP_DREG, htobe32(dreg)); + if (r < 0) + return r; + } + + return nfnl_close_expr_container(m); } static int nfnl_add_expr_cmp( @@ -259,14 +223,14 @@ static int nfnl_add_expr_cmp( enum nft_cmp_ops cmp_op, enum nft_registers sreg, const void *data, - uint32_t dlen) { + size_t dlen) { int r; assert(m); assert(data); - r = nfnl_add_open_expr_container(m, "cmp"); + r = nfnl_open_expr_container(m, "cmp"); if (r < 0) return r; @@ -282,11 +246,7 @@ static int nfnl_add_expr_cmp( if (r < 0) return r; - r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ - if (r < 0) - return r; - - return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ + return nfnl_close_expr_container(m); } static int nfnl_add_expr_bitwise( @@ -303,7 +263,7 @@ static int nfnl_add_expr_bitwise( assert(and); assert(xor); - r = nfnl_add_open_expr_container(m, "bitwise"); + r = nfnl_open_expr_container(m, "bitwise"); if (r < 0) return r; @@ -327,11 +287,7 @@ static int nfnl_add_expr_bitwise( if (r < 0) return r; - r = sd_netlink_message_close_container(m); /* NFTA_EXPR_DATA */ - if (r < 0) - return r; - - return sd_netlink_message_close_container(m); /* NFTA_LIST_ELEM */ + return nfnl_close_expr_container(m); } static int nfnl_add_expr_dnat( @@ -344,7 +300,7 @@ static int nfnl_add_expr_dnat( assert(m); - r = nfnl_add_open_expr_container(m, "nat"); + r = nfnl_open_expr_container(m, "nat"); if (r < 0) return r; @@ -364,11 +320,7 @@ static int nfnl_add_expr_dnat( if (r < 0) return r; - r = sd_netlink_message_close_container(m); - if (r < 0) - return r; - - return sd_netlink_message_close_container(m); + return nfnl_close_expr_container(m); } static int nfnl_add_expr_masq(sd_netlink_message *m) { @@ -420,7 +372,7 @@ static int sd_nfnl_message_new_masq_rule( return r; /* 1st statement: use reg1 content to make lookup in @masq_saddr set. */ - r = nfnl_add_expr_lookup_set(m, NFT_SYSTEMD_MASQ_SET_NAME, NFT_REG32_01); + r = nfnl_add_expr_lookup(m, NFT_SYSTEMD_MASQ_SET_NAME, NFT_REG32_01, 0); if (r < 0) return r; @@ -486,7 +438,7 @@ static int sd_nfnl_message_new_dnat_rule_pre( /* 3rd statement: lookup 'l4proto . dport', e.g. 'tcp . 22' as key and * store address and port for the dnat mapping in REG1/REG2. */ - r = nfnl_add_expr_lookup_map(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); + r = nfnl_add_expr_lookup(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); if (r < 0) return r; @@ -581,7 +533,7 @@ static int sd_nfnl_message_new_dnat_rule_out( * * reg1 and reg2 are clobbered and will then contain the new * address/port number. */ - r = nfnl_add_expr_lookup_map(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); + r = nfnl_add_expr_lookup(m, NFT_SYSTEMD_DNAT_MAP_NAME, NFT_REG32_01, NFT_REG32_01); if (r < 0) return r;