author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-14 22:22:54 +0900 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-07-23 23:52:42 +0900 |
commit | 64f090a61ab0886e70384c9c486ea9162b58c1a5 (patch) | |
tree | 288466fb718124a17fcac57df079bdf84b43e57c /src | |
parent | 35cca046cf65be01db33c4a17076491c1c7682a3 (diff) | |
sd-netlink: several cleanups for netfilter
- rename family -> nfproto, and other arguments,
- check specified nfproto,
- change type of several function arguments that specify data length,
- add several assertions,
- drop unnecessary headers.
Diffstat (limited to 'src')
-rw-r--r-- | src/libsystemd/sd-netlink/netlink-internal.h | 20 | ||||
-rw-r--r-- | src/libsystemd/sd-netlink/netlink-message-nfnl.c | 71 |
2 files changed, 52 insertions, 39 deletions
diff --git a/src/libsystemd/sd-netlink/netlink-internal.h b/src/libsystemd/sd-netlink/netlink-internal.h index 497ffe9112..c0d7fa8336 100644 --- a/src/libsystemd/sd-netlink/netlink-internal.h +++ b/src/libsystemd/sd-netlink/netlink-internal.h 
@@ -179,23 +179,23 @@ int sd_nfnl_socket_open(sd_netlink **ret); int sd_nfnl_message_batch_begin(sd_netlink *nfnl, sd_netlink_message **ret); int sd_nfnl_message_batch_end(sd_netlink *nfnl, sd_netlink_message **ret); int sd_nfnl_nft_message_del_table(sd_netlink *nfnl, sd_netlink_message **ret, - int family, const char *table); + int nfproto, const char *table); int sd_nfnl_nft_message_new_table(sd_netlink *nfnl, sd_netlink_message **ret, - int family, const char *table); + int nfproto, const char *table); int sd_nfnl_nft_message_new_basechain(sd_netlink *nfnl, sd_netlink_message **ret, - int family, const char *table, const char *chain, + int nfproto, const char *table, const char *chain, const char *type, uint8_t hook, int prio); int sd_nfnl_nft_message_new_rule(sd_netlink *nfnl, sd_netlink_message **ret, - int family, const char *table, const char *chain); + int nfproto, const char *table, const char *chain); int sd_nfnl_nft_message_new_set(sd_netlink *nfnl, sd_netlink_message **ret, - int family, const char *table, const char *set_name, + int nfproto, const char *table, const char *set_name, uint32_t setid, uint32_t klen); int sd_nfnl_nft_message_new_setelems_begin(sd_netlink *nfnl, sd_netlink_message **ret, - int family, const char *table, const char *set_name); + int nfproto, const char *table, const char *set_name); int sd_nfnl_nft_message_del_setelems_begin(sd_netlink *nfnl, sd_netlink_message **ret, - int family, const char *table, const char *set_name); + int nfproto, const char *table, const char *set_name); int sd_nfnl_nft_message_add_setelem(sd_netlink_message *m, - uint32_t num, - const void *key, uint32_t klen, - const void *data, uint32_t dlen); + uint32_t index, + const void *key, size_t key_len, + const void *data, size_t data_len); int sd_nfnl_nft_message_add_setelem_end(sd_netlink_message *m); diff --git a/src/libsystemd/sd-netlink/netlink-message-nfnl.c b/src/libsystemd/sd-netlink/netlink-message-nfnl.c index 6f32167772..e70cf52631 100644 
--- a/src/libsystemd/sd-netlink/netlink-message-nfnl.c +++ b/src/libsystemd/sd-netlink/netlink-message-nfnl.c @@ -1,26 +1,35 @@ /* SPDX-License-Identifier: LGPL-2.1-or-later */ #include <netinet/in.h> -#include <linux/if_addrlabel.h> #include <linux/netfilter/nfnetlink.h> #include <linux/netfilter/nf_tables.h> -#include <linux/nexthop.h> -#include <stdbool.h> -#include <unistd.h> +#include <linux/netfilter.h> #include "sd-netlink.h" -#include "format-util.h" #include "netlink-internal.h" #include "netlink-types.h" -#include "socket-util.h" -static int nft_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int family, uint16_t msg_type, uint16_t flags) { +static bool nfproto_is_valid(int nfproto) { + return IN_SET(nfproto, + NFPROTO_UNSPEC, + NFPROTO_INET, + NFPROTO_IPV4, + NFPROTO_ARP, + NFPROTO_NETDEV, + NFPROTO_BRIDGE, + NFPROTO_IPV6, + NFPROTO_DECNET); +} + +static int nft_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int nfproto, uint16_t msg_type, uint16_t flags) { _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; assert_return(nfnl, -EINVAL); assert_return(ret, -EINVAL); + assert_return(nfproto_is_valid(nfproto), -EINVAL); + assert_return(NFNL_MSG_TYPE(msg_type) == msg_type, -EINVAL); r = message_new(nfnl, &m, NFNL_SUBSYS_NFTABLES << 8 | msg_type); if (r < 0) @@ -29,7 +38,7 @@ static int nft_message_new(sd_netlink *nfnl, sd_netlink_message **ret, int famil m->hdr->nlmsg_flags |= flags; *(struct nfgenmsg*) NLMSG_DATA(m->hdr) = (struct nfgenmsg) { - .nfgen_family = family, + .nfgen_family = nfproto, .version = NFNETLINK_V0, .res_id = nfnl->serial, }; 
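Review bot: nfproto_is_valid() and the renamed `nfproto` parameter of nft_message_new() should carry a comment stating that the value is an NFPROTO_* constant from <linux/netfilter.h> and not an AF_* socket family, because the two namespaces overlap only partially (AF_INET and AF_INET6 coincide with NFPROTO_IPV4/NFPROTO_IPV6, but NFPROTO_INET is 1, the value of AF_UNIX) and `nfgen_family` is a single byte, so a caller still passing an AF_ value would pass the new assertion yet target the wrong nftables family. I would put `/* nfproto is an NFPROTO_* value (<linux/netfilter.h>), not an AF_* constant; the two namespaces only partially overlap. */` above nfproto_is_valid(). The added `NFNL_MSG_TYPE(msg_type) == msg_type` check is the right guard for the `NFNL_SUBSYS_NFTABLES << 8 | msg_type` composition below it. nft_message_new()'s body continues past the end of the hunk.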
@@ -42,12 +51,16 @@ static int nfnl_message_batch(sd_netlink *nfnl, sd_netlink_message **ret, uint16 _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; + assert_return(nfnl, -EINVAL); + assert_return(ret, -EINVAL); + assert_return(NFNL_MSG_TYPE(msg_type) == msg_type, -EINVAL); + r = message_new(nfnl, &m, NFNL_SUBSYS_NONE << 8 | msg_type); if (r < 0) return r; *(struct nfgenmsg*) NLMSG_DATA(m->hdr) = (struct nfgenmsg) { - .nfgen_family = AF_UNSPEC, + .nfgen_family = NFPROTO_UNSPEC, .version = NFNETLINK_V0, .res_id = NFNL_SUBSYS_NFTABLES, }; @@ -67,7 +80,7 @@ int sd_nfnl_message_batch_end(sd_netlink *nfnl, sd_netlink_message **ret) { int sd_nfnl_nft_message_new_basechain( sd_netlink *nfnl, sd_netlink_message **ret, - int family, + int nfproto, const char *table, const char *chain, const char *type, @@ -77,7 +90,7 @@ int sd_nfnl_nft_message_new_basechain( _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; - r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWCHAIN, NLM_F_CREATE); + r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWCHAIN, NLM_F_CREATE); if (r < 0) return r; @@ -116,13 +129,13 @@ int sd_nfnl_nft_message_new_basechain( int sd_nfnl_nft_message_del_table( sd_netlink *nfnl, sd_netlink_message **ret, - int family, + int nfproto, const char *table) { _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; - r = nft_message_new(nfnl, &m, family, NFT_MSG_DELTABLE, NLM_F_CREATE); + r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_DELTABLE, NLM_F_CREATE); if (r < 0) return r; 
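Review bot: In nfnl_message_batch() the unchanged line `.res_id = NFNL_SUBSYS_NFTABLES,` writes a host-order value into a field that <linux/netfilter/nfnetlink.h> declares as `__be16 res_id`; libnftnl sends `htons(NFNL_SUBSYS_NFTABLES)` for batch begin/end, and as far as I recall the kernel accepts the host-order form only through an explicit compatibility special case for old nft, so this commit, which already touches the initializer to switch to NFPROTO_UNSPEC, is the place to change it to `.res_id = htons(NFNL_SUBSYS_NFTABLES),` (htons is available from the <netinet/in.h> the file already includes). Separately, the del_table hunk on the new side still requests `NFT_MSG_DELTABLE` with `NLM_F_CREATE`, while sd_nfnl_nft_message_del_setelems_begin() passes 0 for the same kind of delete; I believe the kernel ignores the flag on a delete, but passing 0 would make the intent unambiguous. Both functions' bodies extend beyond the hunk.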
@@ -137,13 +150,13 @@ int sd_nfnl_nft_message_del_table( int sd_nfnl_nft_message_new_table( sd_netlink *nfnl, sd_netlink_message **ret, - int family, + int nfproto, const char *table) { _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; - r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWTABLE, NLM_F_CREATE | NLM_F_EXCL); + r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWTABLE, NLM_F_CREATE | NLM_F_EXCL); if (r < 0) return r; @@ -158,14 +171,14 @@ int sd_nfnl_nft_message_new_table( int sd_nfnl_nft_message_new_rule( sd_netlink *nfnl, sd_netlink_message **ret, - int family, + int nfproto, const char *table, const char *chain) { _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; - r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWRULE, NLM_F_CREATE); + r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWRULE, NLM_F_CREATE); if (r < 0) return r; @@ -184,7 +197,7 @@ int sd_nfnl_nft_message_new_rule( int sd_nfnl_nft_message_new_set( sd_netlink *nfnl, sd_netlink_message **ret, - int family, + int nfproto, const char *table, const char *set_name, uint32_t set_id, @@ -193,7 +206,7 @@ int sd_nfnl_nft_message_new_set( _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; - r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWSET, NLM_F_CREATE); + r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWSET, NLM_F_CREATE); if (r < 0) return r; @@ -220,14 +233,14 @@ int sd_nfnl_nft_message_new_set( int sd_nfnl_nft_message_new_setelems_begin( sd_netlink *nfnl, sd_netlink_message **ret, - int family, + int nfproto, const char *table, const char *set_name) { _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; - r = nft_message_new(nfnl, &m, family, NFT_MSG_NEWSETELEM, NLM_F_CREATE); + r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_NEWSETELEM, NLM_F_CREATE); if (r < 0) return r; 
@@ -250,14 +263,14 @@ int sd_nfnl_nft_message_new_setelems_begin( int sd_nfnl_nft_message_del_setelems_begin( sd_netlink *nfnl, sd_netlink_message **ret, - int family, + int nfproto, const char *table, const char *set_name) { _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *m = NULL; int r; - r = nft_message_new(nfnl, &m, family, NFT_MSG_DELSETELEM, 0); + r = nft_message_new(nfnl, &m, nfproto, NFT_MSG_DELSETELEM, 0); if (r < 0) return r; @@ -293,24 +306,24 @@ static int add_data(sd_netlink_message *m, uint16_t attr, const void *data, uint int sd_nfnl_nft_message_add_setelem( sd_netlink_message *m, - uint32_t num, + uint32_t index, const void *key, - uint32_t klen, + size_t key_len, const void *data, - uint32_t dlen) { + size_t data_len) { int r; - r = sd_netlink_message_open_array(m, num); + r = sd_netlink_message_open_array(m, index); if (r < 0) return r; - r = add_data(m, NFTA_SET_ELEM_KEY, key, klen); + r = add_data(m, NFTA_SET_ELEM_KEY, key, key_len); if (r < 0) goto cancel; if (data) { - r = add_data(m, NFTA_SET_ELEM_DATA, data, dlen); + r = add_data(m, NFTA_SET_ELEM_DATA, data, data_len); if (r < 0) goto cancel; } |
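Review bot: sd_nfnl_nft_message_add_setelem() now takes `size_t key_len`/`size_t data_len` but hands them straight to add_data(), whose length parameter the hunk header still shows as a fixed-width unsigned (`uint…`, cut off), so the widening at the public interface is undone by a silent narrowing conversion one call down; either add_data()'s parameter should become `size_t` as well (it is outside the hunk) or the public function should reject what cannot be represented, e.g. `assert_return(key_len <= UINT32_MAX, -EINVAL);`. Unlike nft_message_new() and nfnl_message_batch(), this public entry point also gained no argument checks in a commit whose message says it adds assertions: a NULL `m` or a NULL `key` with a non-zero `key_len` reaches add_data() unchecked unless add_data() validates them, which the hunk does not show; `assert_return(m, -EINVAL);` and `assert_return(key || key_len == 0, -EINVAL);` before sd_netlink_message_open_array() would close that. The function's `cancel` path lies outside the hunk.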