cache: assert filter when calling nft_cache_evaluate()
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 29 Aug 2024 10:42:08 +0000 (12:42 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 23 Jan 2025 00:35:37 +0000 (01:35 +0100)
commit 4dd20f3bbd606eed4869ebe449debee8b2ac7900 upstream.

nft_cache_evaluate() always takes a non-null filter, remove superfluous
checks when calculating cache requirements via flags.

Note that filter is still optional in the netlink dump path, since this can
be called from the error path to provide hints.

Fixes: 08725a9dc14c ("cache: filter out rules by chain")
Fixes: b3ed8fd8c9f3 ("cache: missing family in cache filtering")
Fixes: 635ee1cad8aa ("cache: filter out sets and maps that are not requested")
Fixes: 3f1d3912c3a6 ("cache: filter out tables that are not requested")
Tested-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/cache.c

index a2757aade32f39767cb5a733fffd5bc646c327cd..5c375712c82aa14d75bbf444592cafa995e8b81b 100644 (file)
@@ -194,18 +194,17 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
 {
        switch (cmd->obj) {
        case CMD_OBJ_TABLE:
-               if (filter)
-                       filter->list.family = cmd->handle.family;
+               filter->list.family = cmd->handle.family;
                if (!cmd->handle.table.name) {
                        flags |= NFT_CACHE_TABLE;
                        break;
-               } else if (filter) {
+               } else {
                        filter->list.table = cmd->handle.table.name;
                }
                flags |= NFT_CACHE_FULL;
                break;
        case CMD_OBJ_CHAIN:
-               if (filter && cmd->handle.chain.name) {
+               if (cmd->handle.chain.name) {
                        filter->list.family = cmd->handle.family;
                        filter->list.table = cmd->handle.table.name;
                        filter->list.chain = cmd->handle.chain.name;
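Review bot: Dropping the `if (filter)` guards in the CMD_OBJ_TABLE and CMD_OBJ_CHAIN cases (and, in the next two hunks, CMD_OBJ_SET/CMD_OBJ_MAP and CMD_OBJ_FLOWTABLE) makes `filter->list.family = cmd->handle.family;` an unconditional dereference, but nothing on evaluate_cache_list() itself records that filter is now required; the only enforcement is the assert() added to nft_cache_evaluate(), which disappears under NDEBUG. A short contract comment above the definition would keep a future caller from passing NULL again, e.g. `/* filter must be non-NULL: nft_cache_evaluate() asserts it and this function dereferences it without further checks. */`. evaluate_cache_list's signature begins before this hunk and its body continues past the last hunk line.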
@@ -214,7 +213,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
                break;
        case CMD_OBJ_SET:
        case CMD_OBJ_MAP:
-               if (filter && cmd->handle.table.name && cmd->handle.set.name) {
+               if (cmd->handle.table.name && cmd->handle.set.name) {
                        filter->list.family = cmd->handle.family;
                        filter->list.table = cmd->handle.table.name;
                        filter->list.set = cmd->handle.set.name;
@@ -234,8 +233,7 @@ static unsigned int evaluate_cache_list(struct nft_ctx *nft, struct cmd *cmd,
                        flags |= NFT_CACHE_SETELEM;
                break;
        case CMD_OBJ_FLOWTABLE:
-               if (filter &&
-                   cmd->handle.table.name &&
+               if (cmd->handle.table.name &&
                    cmd->handle.flowtable.name) {
                        filter->list.family = cmd->handle.family;
                        filter->list.table = cmd->handle.table.name;
@@ -372,6 +370,8 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
        unsigned int flags, batch_flags = NFT_CACHE_EMPTY;
        struct cmd *cmd;
 
+       assert(filter);
+
        list_for_each_entry(cmd, cmds, list) {
                if (nft_handle_validate(cmd, msgs) < 0)
                        return -1;
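Review bot: `assert(filter);` only protects builds without NDEBUG; with NDEBUG defined it expands to nothing and a NULL filter reaches the now-unguarded `filter->list.*` writes in evaluate_cache_list(). If release builds of this project can define NDEBUG, a hard check in the style the function already uses (`if (!filter) return -1;`) would be more robust; otherwise a comment stating the precondition is enough, e.g. `/* every caller passes a filter; evaluate_cache_list() dereferences it unconditionally */`. It is not visible from this hunk whether cache.c already includes `<assert.h>`; if it does not, the include is needed for this line to compile. nft_cache_evaluate's body continues past the hunk.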