Legacy ebtables-restore does not support COMMIT directive, so allow for
callers of xtables_restore_parse() to toggle support for it.

If it is not supported, allow the next table definition without a preceding
COMMIT, and implicitly commit the ruleset after parsing the input instead of
complaining about a missing final COMMIT statement.

Signed-off-by: Phil Sutter <p...@nwl.cc>
---
 iptables/nft-shared.h      |  1 +
 iptables/xtables-restore.c | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 5ef17a088a208..1f5c8a8130c69 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -245,6 +245,7 @@ struct nft_xt_restore_parse {
        FILE            *in;
        int             testing;
        const char      *tablename;
+       bool            commit;
 };
 
 struct nftnl_chain_list;
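Review bot: The new `commit` field has no comment, and its zero value selects the non-default behaviour: a `struct nft_xt_restore_parse p = {}` initialiser now means "COMMIT lines are rejected and the ruleset is committed implicitly at end of input", which is why xtables_restore_main in this same patch has to set `.commit = true` explicitly. A comment such as `bool commit; /* accept COMMIT lines; if false, reject them and commit implicitly after parsing (legacy ebtables-restore) */` would make that visible to other callers. If nft-shared.h does not already include <stdbool.h>, `bool` also needs that include; the header's include list is not visible from this hunk. The struct definition starts before the hunk.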
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 6a1d1877940fb..bddbc138adae4 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -129,6 +129,10 @@ void xtables_restore_parse(struct nft_handle *h,
                                fputs(buffer, stdout);
                        continue;
                } else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
+                       if (!p->commit)
+                               xtables_error(PARAMETER_PROBLEM,
+                                       "%s: COMMIT directive not supported\n",
+                                       xt_params->program_name);
                        if (!p->testing) {
                                /* Commit per table, although we support
                                 * global commit at once, stick by now to
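Review bot: The message on the new line `"%s: COMMIT directive not supported\n"` carries a trailing newline while the otherwise parallel message added later in this patch, `"%s: final implicit COMMIT failed"`, does not; if xtables_error appends its own newline (which I believe it does, but cannot confirm from here) the first one prints an extra blank line. Dropping the `\n` makes both read the same way. The new check also only fires while `in_table` holds, so a stray COMMIT outside a table block in no-commit mode falls through to the later branches, whose handling is outside this hunk. xtables_restore_parse starts before this hunk and continues after it.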
@@ -144,7 +148,7 @@ void xtables_restore_parse(struct nft_handle *h,
                        }
                        in_table = 0;
 
-               } else if ((buffer[0] == '*') && (!in_table)) {
+               } else if ((buffer[0] == '*') && (!in_table || !p->commit)) {
                        /* New table */
                        char *table;
 
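Review bot: With the relaxed condition `(!in_table || !p->commit)` the `/* New table */` branch now also runs while a previous table is still open, which is the no-COMMIT mode the commit message describes, but the comment does not say so; suggest `/* New table; in no-commit mode this also implicitly closes the previous one, which is committed at end of input */`. Whether the branch resets per-table state from the previous table without committing it is decided by code below the hunk, so worth a glance when applying.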
@@ -341,10 +345,13 @@ void xtables_restore_parse(struct nft_handle *h,
                        exit(1);
                }
        }
-       if (in_table) {
+       if (in_table && p->commit) {
                fprintf(stderr, "%s: COMMIT expected at line %u\n",
                                xt_params->program_name, line + 1);
                exit(1);
+       } else if (in_table && cb->commit && !cb->commit(h)) {
+               xtables_error(OTHER_PROBLEM, "%s: final implicit COMMIT failed",
+                             xt_params->program_name);
        }
 }
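Review bot: The implicit final commit on the new `else if` line calls `cb->commit(h)` regardless of `p->testing`, whereas the explicit per-table commit earlier in this patch sits under `if (!p->testing)`; a test run in no-commit mode would therefore apply the ruleset. Gate it the same way: `} else if (in_table && !p->testing && cb->commit && !cb->commit(h)) {`. Since both branches test `in_table`, nesting them under a single `if (in_table)` would also read more clearly. `cb` and `in_table` are declared before this hunk.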
 
@@ -357,7 +364,9 @@ xtables_restore_main(int family, const char *progname, int 
argc, char *argv[])
                .restore = true,
        };
        int c;
-       struct nft_xt_restore_parse p = {};
+       struct nft_xt_restore_parse p = {
+               .commit = true,
+       };
 
        line = 0;
 
-- 
2.18.0
