Implement npfctl table replace subcommand. (#52) #53
Conversation
BTW I've just realised that one change I made early in the implementation is no longer necessary - I changed the signature of I'll look to back out the signature change and unnecessary changes; unless you see some other benefit to having the function work in this way.
d71e851 to 8389235
Thanks for working on this! Feedback provided.
src/npfctl/npfctl.c (Outdated)

```c
err(EXIT_FAILURE, "npf_config_retrieve()");
}
if (!(t = npfctl_table_getbyname(ncf, name))) {
errx(EXIT_FAILURE, "no existing table '%s' to replace", name);
```
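Review bot: the not-found branch `errx(EXIT_FAILURE, "no existing table '%s' to replace", name)` exits without releasing the `ncf` retrieved just above; that is harmless only because errx() terminates the process. If this lookup is moved into a reusable helper, as requested below, the helper cannot simply call npf_config_destroy() and return `t`, because the table is owned by the config and would be freed with it; the helper must either hand back the config along with the borrowed table pointer (caller destroys both) or copy the table before destroying the config. Worth settling that ownership rule before extracting the function.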
Maybe: "table '%s' not found"
Actually: "table '%s' not found in the active configuration"
Also, can you please move this logic into a separate function, e.g. something like `npfctl_active_table_byname()`? I will use it elsewhere.
I had a look at doing this but it's a bit tricky to manage without introducing a memory leak; if we `npf_config_destroy()` the config, it destroys the table we're wanting to return too...
Is there another way you can think of doing this? Two options I can think of are:
- Add a global variable called e.g. `active_ncf`, with functions `npfctl_active_config_load()` (which wraps `npf_config_retrieve()`) and `npfctl_active_config_destroy()` to load and destroy it. Usage example:

```c
if (!npfctl_active_config_load()) {
	err(EXIT_FAILURE, "npfctl_active_config_load()");
}
npfctl_table_getbyname(active_ncf, tablename);
npfctl_active_config_destroy();
```

- Add a `npf_table_clone()` utility function to libnpf which wraps `nvlist_clone()`, so that the table can be cloned from the retrieved config, allowing the config to be destroyed. This would allow a `npfctl_active_table_byname()` function which does something like:

```c
nl_table_t *
npfctl_active_table_byname(const char *name)
{
	nl_config_t *ncf;
	nl_table_t *t;

	/* Get existing config to lookup ID of existing table */
	if ((ncf = npf_config_retrieve(fd)) == NULL) {
		err(EXIT_FAILURE, "npf_config_retrieve()");
	}
	if ((t = npfctl_table_getbyname(ncf, name)) != NULL) {
		t = npf_table_clone(t); /* new function which clones the nl_table_t nvlist */
	}
	npf_config_destroy(ncf);
	return t;
}
```
Neither seems an ideal solution; the first is clumsy and still requires a fair bit of inline logic; perhaps the second is a little better but it's not efficient if fetching more than one table is desired. Any preference, or other ideas?
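The ownership problem raised in the comment above, as an added example that is not npfctl or libnpf code: `cfg_t`, `tbl_t`, `cfg_retrieve()`, `cfg_table_getbyname()`, `cfg_destroy()`, `tbl_clone()` and `active_table_byname()` are hypothetical stand-ins that copy only the shape of `npf_config_retrieve()`, `npfctl_table_getbyname()`, `npf_config_destroy()` and the proposed `npf_table_clone()`. The table names and ids are constructed. It shows the second option from the comment: the lookup returns a pointer borrowed from the config, so the helper deep-copies the table before destroying the config and the caller owns the copy.

```c
/*
 * Added example, not npfctl/libnpf code. All types and functions here are
 * hypothetical stand-ins modelling the ownership rule discussed in the PR:
 * a table pointer obtained from a config is only valid while that config
 * is alive, so a helper that destroys the config must return a copy.
 * Build with: cc -fsanitize=address example.c
 */
#include <stdlib.h>
#include <string.h>

typedef struct tbl {
	char		*name;	/* owned by this struct */
	unsigned	id;
} tbl_t;

typedef struct cfg {
	tbl_t		**tables;	/* owned: freed by cfg_destroy() */
	size_t		ntables;
} cfg_t;

void
tbl_free(tbl_t *t)
{
	if (t != NULL) {
		free(t->name);
		free(t);
	}
}

static tbl_t *
tbl_new(const char *name, unsigned id)
{
	size_t len = strlen(name) + 1;
	tbl_t *t = calloc(1, sizeof(*t));
	if (t == NULL || (t->name = malloc(len)) == NULL) {
		free(t);
		return NULL;
	}
	memcpy(t->name, name, len);
	t->id = id;
	return t;
}

/* Stand-in for the proposed npf_table_clone(): a deep copy the caller owns. */
tbl_t *
tbl_clone(const tbl_t *t)
{
	return tbl_new(t->name, t->id);
}

/* Stand-in for npf_config_destroy(): frees the tables too, as the comment notes. */
void
cfg_destroy(cfg_t *ncf)
{
	for (size_t i = 0; i < ncf->ntables; i++)
		tbl_free(ncf->tables[i]);
	free(ncf->tables);
	free(ncf);
}

/* Stand-in for npf_config_retrieve(): an "active" config with two constructed tables. */
cfg_t *
cfg_retrieve(void)
{
	cfg_t *ncf = calloc(1, sizeof(*ncf));
	if (ncf == NULL)
		return NULL;
	if ((ncf->tables = calloc(2, sizeof(*ncf->tables))) == NULL) {
		free(ncf);
		return NULL;
	}
	ncf->ntables = 2;
	ncf->tables[0] = tbl_new("blocklist", 1);
	ncf->tables[1] = tbl_new("allowlist", 2);
	if (ncf->tables[0] == NULL || ncf->tables[1] == NULL) {
		cfg_destroy(ncf);
		return NULL;
	}
	return ncf;
}

/* Stand-in for npfctl_table_getbyname(): a borrowed pointer, valid only while ncf lives. */
tbl_t *
cfg_table_getbyname(const cfg_t *ncf, const char *name)
{
	for (size_t i = 0; i < ncf->ntables; i++)
		if (strcmp(ncf->tables[i]->name, name) == 0)
			return ncf->tables[i];
	return NULL;
}

/*
 * Option 2 from the comment: clone before destroying the config so the
 * result outlives it. Returns an owned copy (release with tbl_free()) or
 * NULL if the table does not exist or allocation failed.
 */
tbl_t *
active_table_byname(const char *name)
{
	cfg_t *ncf = cfg_retrieve();
	if (ncf == NULL)
		return NULL;
	tbl_t *t = cfg_table_getbyname(ncf, name);
	if (t != NULL)
		t = tbl_clone(t);
	cfg_destroy(ncf);	/* safe: t no longer points into ncf */
	return t;
}
```

Returning the borrowed pointer from `cfg_table_getbyname()` after `cfg_destroy()` is the use-after-free the comment is steering around; with AddressSanitizer enabled that variant fails on the first dereference, which makes it a quick regression check when the real `npfctl_active_table_byname()` lands.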
Hi Mindaugas, I haven't forgotten about this, life has just hit a busy patch lately and it might be a few weeks before things settle down. I'll chip away at the changes in the meantime; I hope that's OK. Cheers, Timshel
8389235 to 14e95a2
I've pushed fixes for most of the reviews; just the
Here's an implementation of a frontend command for the table replacement functionality.
Command syntax is:

```
npfctl table <tid> replace [-n <newid>] [-t ipset|lpm|const] <path>
```

where `path` is the path to the file containing IPs/networks for the table. It all uses the same `npfctl_build_table()` function from the config parser behind the scenes.

Let me know of any changes you'd like me to make.
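An added example of checking the file handed to `replace` as `<path>`; this is not part of the PR and does not use `npfctl_build_table()` or any libnpf call. The line format is an assumption the page does not state: one IPv4 or IPv6 address per line, optionally written as a CIDR network `addr/len`, with `#` starting a comment and blank lines ignored. The sample file contents are constructed. The checker reports the first malformed line so a bad entry is caught before anything is pushed into the kernel.

```c
/*
 * Added example, not npfctl code. Assumed table-file format (not stated on
 * the page): one address or "addr/len" network per line, '#' comments,
 * blank lines ignored. Uses only inet_pton() from the C library.
 */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
	int		af;		/* AF_INET or AF_INET6 */
	unsigned char	addr[16];	/* network byte order */
	int		plen;		/* prefix length, or -1 for a single address */
} tentry_t;

/* Constructed sample input; not taken from any real configuration. */
const char sample_table_file[] =
	"# blocklist table, constructed example\n"
	"10.0.0.0/8\n"
	"192.0.2.1\n"
	"\n"
	"2001:db8::/32   # trailing comment\n";

/*
 * Parses one line. Returns 1 and fills *e on success, 0 for a blank or
 * comment-only line, -1 for a malformed line.
 */
int
parse_table_line(const char *line, tentry_t *e)
{
	char buf[128], *p, *end, *slash;
	size_t n = strcspn(line, "#\r\n");	/* drop comment and line ending */

	if (n >= sizeof(buf))
		return -1;
	memcpy(buf, line, n);
	buf[n] = '\0';

	p = buf;				/* trim surrounding whitespace */
	while (isspace((unsigned char)*p))
		p++;
	end = p + strlen(p);
	while (end > p && isspace((unsigned char)end[-1]))
		*--end = '\0';
	if (*p == '\0')
		return 0;

	e->plen = -1;
	if ((slash = strchr(p, '/')) != NULL) {	/* "addr/len" network */
		char *ep;
		long v;
		*slash++ = '\0';
		if (!isdigit((unsigned char)*slash))
			return -1;
		v = strtol(slash, &ep, 10);
		if (*ep != '\0' || v < 0)
			return -1;
		e->plen = (int)v;
	}

	if (inet_pton(AF_INET, p, e->addr) == 1)
		e->af = AF_INET;
	else if (inet_pton(AF_INET6, p, e->addr) == 1)
		e->af = AF_INET6;
	else
		return -1;

	/* A prefix longer than the address family allows is a typo. */
	if (e->plen > (e->af == AF_INET ? 32 : 128))
		return -1;
	return 1;
}

/*
 * Parses a whole buffer. Returns the number of entries stored in out[], or
 * the negated 1-based line number of the first line that is malformed or
 * does not fit in out[].
 */
int
parse_table_buf(const char *buf, tentry_t *out, size_t max)
{
	int lineno = 0, count = 0;
	const char *s = buf;

	while (*s != '\0') {
		const char *nl = strchr(s, '\n');
		size_t len = nl ? (size_t)(nl - s) : strlen(s);
		char line[128];
		tentry_t e;
		int r;

		lineno++;
		if (len >= sizeof(line))
			return -lineno;
		memcpy(line, s, len);
		line[len] = '\0';
		r = parse_table_line(line, &e);
		if (r < 0 || (r > 0 && (size_t)count >= max))
			return -lineno;
		if (r > 0)
			out[count++] = e;
		s = nl ? nl + 1 : s + len;
	}
	return count;
}
```

The negative return value points at the offending line, which is what you want to print before giving up rather than loading a partial table; whether a given entry is valid for the chosen table type (`ipset`, `lpm` or `const`) is a separate check that belongs with the real table builder.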