[lxc-devel] [lxd/master] nftables: Updates nft parser to handle nft sets with composite `type` field
tomponline on Github
lxc-bot at linuxcontainers.org
Mon Oct 5 09:01:41 UTC 2020
From 406d531d63b89ed48b5fcbd1067c8ab2d9619457 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Mon, 5 Oct 2020 09:56:10 +0100
Subject: [PATCH] lxd/firewall/drivers/driver/nftables: Updates nft parser to
handle nft sets with composite `type` field
Fixes https://github.com/lxc/lxd/issues/7973
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/firewall/drivers/drivers_nftables.go | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/lxd/firewall/drivers/drivers_nftables.go b/lxd/firewall/drivers/drivers_nftables.go
index 9bdeebef1f..7a781fc971 100644
--- a/lxd/firewall/drivers/drivers_nftables.go
+++ b/lxd/firewall/drivers/drivers_nftables.go
@@ -96,7 +96,7 @@ func (d Nftables) Compat() (bool, error) {
}
for _, item := range ruleset {
- if item.Type == "rule" {
+ if item.ItemType == "rule" {
return true, nil // At least one rule found indicates in use.
}
}
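Review bot: `item.ItemType == "rule"` compares against a bare string literal that is also written by hand in nftParseRuleset (the `"rule"`, `"chain"` and `"table"` assignments in the third hunk) and compared again in removeChains (fourth hunk); a typo at any of those sites would silently make the check never match instead of failing to compile. Since the commit already touches every site, this is the moment to declare the values once, e.g. `const nftItemRule = "rule"`, `const nftItemChain = "chain"`, `const nftItemTable = "table"` next to the nftGenericItem definition, and use the names everywhere. Compat's signature and the remainder of its body lie outside this hunk.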
@@ -106,11 +106,11 @@ func (d Nftables) Compat() (bool, error) {
// nftGenericItem represents some common fields amongst the different nftables types.
type nftGenericItem struct {
- Type string // Type of item (table, chain or rule).
- Family string `json:"family"` // Family of item (ip, ip6, bridge etc).
- Table string `json:"table"` // Table the item belongs to (for chains and rules).
- Chain string `json:"chain"` // Chain the item belongs to (for rules).
- Name string `json:"name"` // Name of item (for tables and chains).
+ ItemType string `json:"-"` // Type of item (table, chain or rule). Populated by LXD.
+ Family string `json:"family"` // Family of item (ip, ip6, bridge etc).
+ Table string `json:"table"` // Table the item belongs to (for chains and rules).
+ Chain string `json:"chain"` // Chain the item belongs to (for rules).
+ Name string `json:"name"` // Name of item (for tables and chains).
}
// nftParseRuleset parses the ruleset and returns the generic parts as a slice of items.
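Review bot: The comment on the new `ItemType` field says it is populated by LXD but not why it must be hidden from the decoder, which is the actual fix: the old untagged `Type` field was matched case-insensitively by encoding/json against the nft JSON `type` key, and decoding the whole ruleset then failed on set objects whose `type` is composite rather than a plain string. Suggest replacing the comment with `// ItemType is set by nftParseRuleset and never decoded from nft JSON: an untagged field would match nft's "type" key, which is not always a string (composite on sets), and break decoding of the entire ruleset.` Both the rename and the `json:"-"` tag independently stop the match; the tag is the one worth keeping if the field is ever renamed again, so the comment should say so explicitly. The rest of nftParseRuleset is outside this hunk.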
@@ -140,13 +140,13 @@ func (d Nftables) nftParseRuleset() ([]nftGenericItem, error) {
items := []nftGenericItem{}
for _, item := range v.Nftables {
if rule, found := item["rule"]; found {
- rule.Type = "rule"
+ rule.ItemType = "rule"
items = append(items, rule)
} else if chain, found := item["chain"]; found {
- chain.Type = "chain"
+ chain.ItemType = "chain"
items = append(items, chain)
} else if table, found := item["table"]; found {
- table.Type = "table"
+ table.ItemType = "table"
items = append(items, table)
}
}
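Review bot: The if/else chain only recognises rule, chain and table objects; any other object in the `nftables` array (sets among them, which are what triggered this fix) is presumably decoded into nftGenericItem and then dropped without comment. A one-line comment above the loop, `// Only rule, chain and table objects are kept; sets and other object kinds are ignored.`, would make that deliberate for the next reader who wonders why sets never appear in the result. The function's signature and the decode of `v` are outside this hunk.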
@@ -477,7 +477,7 @@ func (d Nftables) removeChains(families []string, chainSuffix string, chains ...
for _, family := range families {
for _, item := range ruleset {
- if item.Type == "chain" && item.Family == family && item.Table == nftablesNamespace && shared.StringInSlice(item.Name, fullChains) {
+ if item.ItemType == "chain" && item.Family == family && item.Table == nftablesNamespace && shared.StringInSlice(item.Name, fullChains) {
_, err = shared.RunCommand("nft", "flush", "chain", family, nftablesNamespace, item.Name, ";", "delete", "chain", family, nftablesNamespace, item.Name)
if err != nil {
return errors.Wrapf(err, "Failed deleting nftables chain %q (%s)", item.Name, family)