[PATCH nft 1/2] evaluate: display error on unexisting chain when listing

[PATCH nft 1/2] evaluate: display error on unexisting chain when listing

[Pablo Neira Ayuso]

nft list chain ip test output
<cmdline>:1:1-25: Error: Could not process rule: Chain 'output' does not exist
list chain ip test output
^^^^^^^^^^^^^^^^^^^^^^^^^

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
Applies on top of the cache-consolidation branch.

 src/evaluate.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index d432826..937097a 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1956,16 +1956,26 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
 
 static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 {
+	struct table *table;
+
 	switch (cmd->obj) {
 	case CMD_OBJ_TABLE:
 		if (cmd->handle.table == NULL)
 			return 0;
-	case CMD_OBJ_CHAIN:
 	case CMD_OBJ_SET:
 		if (table_lookup(&cmd->handle) == NULL)
 			return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
 					 cmd->handle.table);
 		return 0;
+	case CMD_OBJ_CHAIN:
+		table = table_lookup(&cmd->handle);
+		if (table == NULL)
+			return cmd_error(ctx, "Could not process rule: Table '%s' does not exist",
+					 cmd->handle.table);
+		if (chain_lookup(table, &cmd->handle) == NULL)
+			return cmd_error(ctx, "Could not process rule: Chain '%s' does not exist",
+					 cmd->handle.chain);
+		return 0;
 	case CMD_OBJ_SETS:
 	case CMD_OBJ_RULESET:
 		return 0;
-- 
1.7.10.4

[PATCH nft 2/2] netlink: don't call netlink_dump_*() from listing functions with --debug=netlink

[Pablo Neira Ayuso]

Now that we always retrieve the object list to build a cache before executing
the command, this results in fully listing of existing objects in the kernel.

This is confusing when adding a simple rule, so better not to call
netlink_dump_*() from listing functions.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
Applies on top of the cache-consolidation branch.

 src/netlink.c |    4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index 0fb7b63..b71d04f 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -913,7 +913,6 @@ static struct table *netlink_delinearize_table(struct netlink_ctx *ctx,
 {
 	struct table *table;
 
-	netlink_dump_table(nlt);
 	table = table_alloc();
 	table->handle.family =
 		nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FAMILY);
@@ -1226,7 +1225,6 @@ static int list_set_cb(struct nft_set *nls, void *arg)
 	struct netlink_ctx *ctx = arg;
 	struct set *set;
 
-	netlink_dump_set(nls);
 	set = netlink_delinearize_set(ctx, nls);
 	if (set == NULL)
 		return -1;
@@ -1263,7 +1261,6 @@ int netlink_get_set(struct netlink_ctx *ctx, const struct handle *h,
 	int err;
 
 	nls = alloc_nft_set(h);
-	netlink_dump_set(nls);
 	err = mnl_nft_set_get(nf_sock, nls);
 	if (err < 0) {
 		nft_set_free(nls);
@@ -1504,7 +1501,6 @@ int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h,
 	int err;
 
 	nls = alloc_nft_set(h);
-	netlink_dump_set(nls);
 
 	err = mnl_nft_setelem_get(nf_sock, nls);
 	if (err < 0) {
-- 
1.7.10.4