From 2f0b45bcf653827819b430f97c7b5c507f579fce Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Thu, 15 Feb 2024 14:35:39 -0500
Subject: [PATCH] MT#55283 add check_matched_flag()

We cannot directly use the rule_scratch area when checking for the nftables status, as this scratch area is re-initialised for each rule. Instead add check_matched_flag() to be called after each rule was parsed, and use it to set a corresponding iterate_scratch flag.

closes #1794

Change-Id: Ie954a91949d09887b9a293f4010bb08e78100145
---
 daemon/nftables.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/daemon/nftables.c b/daemon/nftables.c
index 3db88186b..338e2682d 100644
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
@@ -44,6 +44,7 @@ struct iterate_callbacks {
 // scratch area for rule iterating
 union {
 GQueue handles;
+ bool rule_matched;
 } iterate_scratch;
 };
@@ -118,6 +119,12 @@ static void check_matched_queue(struct nftnl_rule *r, struct iterate_callbacks *
 }
+static void check_matched_flag(struct nftnl_rule *r, struct iterate_callbacks *callbacks) {
+ if (callbacks->rule_scratch.rule_matched)
+ callbacks->iterate_scratch.rule_matched = true;
+}
+
+
 static int nftables_do_rule(const struct nlmsghdr *nlh, void *data) {
 struct iterate_callbacks *callbacks = data;
@@ -683,11 +690,12 @@ static const char *nftables_check_family(struct mnl_socket *nl, int family, uint
 struct iterate_callbacks callbacks = {
 .parse_expr = match_rtpe,
+ .rule_final = check_matched_flag,
 };
 iterate_rules(nl, family, chain, seq, &callbacks);
- if (!callbacks.rule_scratch.rule_matched)
+ if (!callbacks.iterate_scratch.rule_matched)
 return "RTPENGINE rule not found";
 // look for a rule to jump from a base chain to our custom chain
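Review bot: The new `bool rule_matched` shares storage with `GQueue handles` inside the `iterate_scratch` union, so a given callback set must use only one of the two members for the whole iteration and must start from a zero-initialised struct, and nothing at the declaration says so. I would extend the existing comment to `// scratch area for rule iterating; exactly one member is live per callback set, caller must zero-initialise`. Whether any callback set in the file touches both members is not visible from this hunk.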
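Review bot: `check_matched_flag` only ever latches `iterate_scratch.rule_matched` to true and never clears it, so correctness rests on the caller having zeroed the struct and on the flag surviving the per-rule reset of `rule_scratch` that the commit message describes; a one-line comment would make that contract explicit, e.g. `// rule_final hook: sticky across rules, unlike rule_scratch which is reset per rule`. The `r` parameter is unused; if the callback signature must keep it, `(void) r;` keeps -Wunused-parameter quiet under -Wextra. `nftables_do_rule` continues past the end of the hunk.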
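Review bot: The result of `iterate_rules`, if it has one, is discarded on the line before the flag test, so a netlink failure while listing the chain would surface as "RTPENGINE rule not found" instead of as an I/O error; if the function can fail, something like `if (iterate_rules(nl, family, chain, seq, &callbacks) != 0) return "failed to list chain";` ahead of the flag check would keep the two cases apart. Its signature is not visible here, so this may already be handled inside it or it may return void. The body of `nftables_check_family` continues in the next hunk.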
@@ -695,6 +703,7 @@ static const char *nftables_check_family(struct mnl_socket *nl, int family, uint
 callbacks = (__typeof__(callbacks)) {
 .parse_expr = match_immediate,
 .chain = chain,
+ .rule_final = check_matched_flag,
 };
 iterate_rules(nl, family, "INPUT", seq, &callbacks);
@@ -703,7 +712,7 @@ static const char *nftables_check_family(struct mnl_socket *nl, int family, uint
 if (base_chain && strcmp(base_chain, "none"))
 iterate_rules(nl, family, base_chain, seq, &callbacks);
- if (!callbacks.rule_scratch.rule_matched)
+ if (!callbacks.iterate_scratch.rule_matched)
 return "immediate-goto rule not found";
 return NULL;
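Review bot: `iterate_scratch.rule_matched` is not cleared between the `INPUT` pass in the previous hunk and the optional `base_chain` pass here, so the check before "immediate-goto rule not found" accepts a hit in either chain. If that is the intent, a comment such as `// flag is sticky: a match in INPUT or in base_chain satisfies the check` would stop someone "fixing" it later; if a configured base_chain is meant to be authoritative, the flag would need resetting before the second `iterate_rules` call. The pre-patch code already ran both passes against one struct, so "either" looks intended, but that is inferred rather than visible. The `callbacks` struct is reused from the previous hunk.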