shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-25 10:04:04 +03:00
Code

sd-netlink: several cleanups for netfilter

Browse Source 
- rename family -> nfproto, and other arguments,
- check specified nfproto,
- change type of several function arguments that specify data length,
- add several assertions,
- drop unnecessary headers.
This commit is contained in:
Yu Watanabe 2022-06-14 22:22:54 +09:00
parent 35cca046cf
commit 64f090a61a
2 changed files with 52 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/libsystemd/sd-netlink/netlink-internal.h
View File

@ -179,23 +179,23 @@ int sd_nfnl_socket_open(sd_netlink **ret);
int sd_nfnl_message_batch_begin(sd_netlink *nfnl, sd_netlink_message **ret);
int sd_nfnl_message_batch_end(sd_netlink *nfnl, sd_netlink_message **ret);
int sd_nfnl_nft_message_del_table(sd_netlink *nfnl, sd_netlink_message **ret,
int family, const char *table);
int nfproto, const char *table);
int sd_nfnl_nft_message_new_table(sd_netlink *nfnl, sd_netlink_message **ret,
int family, const char *table);
int nfproto, const char *table);
int sd_nfnl_nft_message_new_basechain(sd_netlink *nfnl, sd_netlink_message **ret,
int family, const char *table, const char *chain,
int nfproto, const char *table, const char *chain,
const char *type, uint8_t hook, int prio);
int sd_nfnl_nft_message_new_rule(sd_netlink *nfnl, sd_netlink_message **ret,
int family, const char *table, const char *chain);
int nfproto, const char *table, const char *chain);
int sd_nfnl_nft_message_new_set(sd_netlink *nfnl, sd_netlink_message **ret,
int family, const char *table, const char *set_name,
int nfproto, const char *table, const char *set_name,
uint32_t setid, uint32_t klen);
int sd_nfnl_nft_message_new_setelems_begin(sd_netlink *nfnl, sd_netlink_message **ret,
int family, const char *table, const char *set_name);
int nfproto, const char *table, const char *set_name);
int sd_nfnl_nft_message_del_setelems_begin(sd_netlink *nfnl, sd_netlink_message **ret,
int family, const char *table, const char *set_name);
int nfproto, const char *table, const char *set_name);
int sd_nfnl_nft_message_add_setelem(sd_netlink_message *m,
uint32_t num,
const void *key, uint32_t klen,
const void *data, uint32_t dlen);
uint32_t index,
const void *key, size_t key_len,
const void *data, size_t data_len);
int sd_nfnl_nft_message_add_setelem_end(sd_netlink_message *m);

71
src/libsystemd/sd-netlink/netlink-message-nfnl.c
View File

@ -1,26 +1,35 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <netinet/in.h>
#include <linux/if_addrlabel.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/nexthop.h>
#include <stdbool.h>
#include <unistd.h>
#include <linux/netfilter.h>
#include "sd-netlink.h"
#include "format-util.h"
#include "netlink-internal.h"
#include "netlink-types.h"
#include "socket-util.h"
static int nft_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int family, uint16_t msg_type, uint16_t flags) {
static bool nfproto_is_valid(int nfproto) {
return IN_SET(nfproto,
NFPROTO_UNSPEC,
NFPROTO_INET,
NFPROTO_IPV4,
NFPROTO_ARP,
NFPROTO_NETDEV,
NFPROTO_BRIDGE,
NFPROTO_IPV6,
NFPROTO_DECNET);
}
static int nft_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int nfproto, uint16_t msg_type, uint16_t flags) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
assert_return(nfnl, -EINVAL);
assert_return(ret, -EINVAL);
assert_return(nfproto_is_valid(nfproto), -EINVAL);
assert_return(NFNL_MSG_TYPE(msg_type) == msg_type, -EINVAL);
r = message_new(nfnl, &m, NFNL_SUBSYS_NFTABLES << 8 | msg_type);
if (r < 0)
@ -29,7 +38,7 @@ static int nft_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int famil
m->hdr->nlmsg_flags |= flags;
*(struct nfgenmsg*) NLMSG_DATA(m->hdr) = (struct nfgenmsg) {
.nfgen_family = family,
.nfgen_family = nfproto,
.version = NFNETLINK_V0,
.res_id = nfnl->serial,
};
@ -42,12 +51,16 @@ static int nfnl_message_batch(sd_netlink *nfnl, sd_netlink_message **ret, uint16
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
assert_return(nfnl, -EINVAL);
assert_return(ret, -EINVAL);
assert_return(NFNL_MSG_TYPE(msg_type) == msg_type, -EINVAL);
r = message_new(nfnl, &m, NFNL_SUBSYS_NONE << 8 | msg_type);
if (r < 0)
return r;
*(struct nfgenmsg*) NLMSG_DATA(m->hdr) = (struct nfgenmsg) {
.nfgen_family = AF_UNSPEC,
.nfgen_family = NFPROTO_UNSPEC,
.version = NFNETLINK_V0,
.res_id = NFNL_SUBSYS_NFTABLES,
};
@ -67,7 +80,7 @@ int sd_nfnl_message_batch_end(sd_netlink *nfnl, sd_netlink_message **ret) {
int sd_nfnl_nft_message_new_basechain(
sd_netlink *nfnl,
sd_netlink_message **ret,
int family,
int nfproto,
const char *table,
const char *chain,
const char *type,
@ -77,7 +90,7 @@ int sd_nfnl_nft_message_new_basechain(
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWCHAIN, NLM_F_CREATE);
r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWCHAIN, NLM_F_CREATE);
if (r < 0)
return r;
@ -116,13 +129,13 @@ int sd_nfnl_nft_message_new_basechain(
int sd_nfnl_nft_message_del_table(
sd_netlink *nfnl,
sd_netlink_message **ret,
int family,
int nfproto,
const char *table) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
r = nft_message_new(nfnl, &m, family, NFT_MSG_DELTABLE, NLM_F_CREATE);
r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_DELTABLE, NLM_F_CREATE);
if (r < 0)
return r;
@ -137,13 +150,13 @@ int sd_nfnl_nft_message_del_table(
int sd_nfnl_nft_message_new_table(
sd_netlink *nfnl,
sd_netlink_message **ret,
int family,
int nfproto,
const char *table) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWTABLE, NLM_F_CREATE | NLM_F_EXCL);
r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWTABLE, NLM_F_CREATE | NLM_F_EXCL);
if (r < 0)
return r;
@ -158,14 +171,14 @@ int sd_nfnl_nft_message_new_table(
int sd_nfnl_nft_message_new_rule(
sd_netlink *nfnl,
sd_netlink_message **ret,
int family,
int nfproto,
const char *table,
const char *chain) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWRULE, NLM_F_CREATE);
r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWRULE, NLM_F_CREATE);
if (r < 0)
return r;
@ -184,7 +197,7 @@ int sd_nfnl_nft_message_new_rule(
int sd_nfnl_nft_message_new_set(
sd_netlink *nfnl,
sd_netlink_message **ret,
int family,
int nfproto,
const char *table,
const char *set_name,
uint32_t set_id,
@ -193,7 +206,7 @@ int sd_nfnl_nft_message_new_set(
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWSET, NLM_F_CREATE);
r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWSET, NLM_F_CREATE);
if (r < 0)
return r;
@ -220,14 +233,14 @@ int sd_nfnl_nft_message_new_set(
int sd_nfnl_nft_message_new_setelems_begin(
sd_netlink *nfnl,
sd_netlink_message **ret,
int family,
int nfproto,
const char *table,
const char *set_name) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWSETELEM, NLM_F_CREATE);
r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWSETELEM, NLM_F_CREATE);
if (r < 0)
return r;
@ -250,14 +263,14 @@ int sd_nfnl_nft_message_new_setelems_begin(
int sd_nfnl_nft_message_del_setelems_begin(
sd_netlink *nfnl,
sd_netlink_message **ret,
int family,
int nfproto,
const char *table,
const char *set_name) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL;
int r;
r = nft_message_new(nfnl, &m, family, NFT_MSG_DELSETELEM, 0);
r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_DELSETELEM, 0);
if (r < 0)
return r;
@ -293,24 +306,24 @@ static int add_data(sd_netlink_message *m, uint16_t attr, const void *data, uint
int sd_nfnl_nft_message_add_setelem(
sd_netlink_message *m,
uint32_t num,
uint32_t index,
const void *key,
uint32_t klen,
size_t key_len,
const void *data,
uint32_t dlen) {
size_t data_len) {
int r;
r = sd_netlink_message_open_array(m, num);
r = sd_netlink_message_open_array(m, index);
if (r < 0)
return r;
r = add_data(m, NFTA_SET_ELEM_KEY, key, klen);
r = add_data(m, NFTA_SET_ELEM_KEY, key, key_len);
if (r < 0)
goto cancel;
if (data) {
r = add_data(m, NFTA_SET_ELEM_DATA, data, dlen);
r = add_data(m, NFTA_SET_ELEM_DATA, data, data_len);
if (r < 0)
goto cancel;
}