defaults: robustify flow table detection.

rsalvaterra · jow- · commit 7cc2a84d5fa2 · 2020-01-28T18:48:43.000+01:00
The flow table detection fails if the respective target module is
built into the kernel, since it's looking for the module itself.

Create a generic helper and instead check for existence of the
FLOWOFFLOAD target in /proc/net/ip_tables_targets.

Signed-off-by: Rui Salvaterra &lt;rsalvaterra@gmail.com&gt;
[slightly reword commit message]
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
diff --git a/defaults.c b/defaults.c
@@ -85,26 +85,14 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name)
 }
 
 static void
-check_kmod(struct uci_element *e, bool *module, const char *name)
+check_target(struct uci_element *e, bool *available, const char *target, const bool ipv6)
 {
-	FILE *f;
-	char buf[128];
-
-	if (!*module)
-		return;
-
-	snprintf(buf, sizeof(buf), "/sys/module/%s/refcnt", name);
-
-	f = fopen(buf, "r");
-
-	if (f)
+	const bool b = fw3_has_target(ipv6, target);
+	if (!b)
 	{
-		fclose(f);
-		return;
+		warn_elem(e, "requires unavailable target extension %s, disabling", target);
 	}
-
-	warn_elem(e, "requires not available kernel module %s, disabling", name);
-	*module = false;
+	*available = b;
 }
 
 static void
@@ -171,7 +159,8 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 
 		check_any_reject_code(e, &defs->any_reject_code);
 
-		check_kmod(e, &defs->flow_offloading, "xt_FLOWOFFLOAD");
+		/* exists in both ipv4 and ipv6, if at all, so only check ipv4 */
+		check_target(e, &defs->flow_offloading, "FLOWOFFLOAD", false);
 	}
 }
 
diff --git a/utils.c b/utils.c
@@ -344,6 +344,33 @@ fw3_has_table(bool ipv6, const char *table)
 	return seen;
 }
 
+bool
+fw3_has_target(const bool ipv6, const char *target)
+{
+	FILE *f;
+
+	char line[12];
+	bool seen = false;
+
+	const char *path = ipv6
+		? "/proc/net/ip6_tables_targets" : "/proc/net/ip_tables_targets";
+
+	if (!(f = fopen(path, "r")))
+		return false;
+
+	while (fgets(line, sizeof(line), f))
+	{
+		if (!strcmp(line, target))
+		{
+			seen = true;
+			break;
+		}
+	}
+
+	fclose(f);
+
+	return seen;
+}
 
 bool
 fw3_lock_path(int *fd, const char *path)
diff --git a/utils.h b/utils.h
@@ -105,6 +105,8 @@ void fw3_pr(const char *fmt, ...)
 
 bool fw3_has_table(bool ipv6, const char *table);
 
+bool fw3_has_target(const bool ipv6, const char *target);
+
 bool fw3_lock(void);
 void fw3_unlock(void);
 bool fw3_lock_path(int *fw3_lock_fd, const char *path);

Original file line number	Diff line number	Diff line change
`@@ -85,26 +85,14 @@ check_policy(struct uci_element e, enum fw3_flag pol, const char *name)`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`static void`
`88`		`-check_kmod(struct uci_element e, bool module, const char *name)`
	`88`	`+check_target(struct uci_element e, bool available, const char *target, const bool ipv6)`
`89`	`89`	`{`
`90`		`- FILE *f;`
`91`		`- char buf[128];`
`92`		`-`
`93`		`- if (!*module)`
`94`		`- return;`
`95`		`-`
`96`		`- snprintf(buf, sizeof(buf), "/sys/module/%s/refcnt", name);`
`97`		`-`
`98`		`- f = fopen(buf, "r");`
`99`		`-`
`100`		`- if (f)`
	`90`	`+ const bool b = fw3_has_target(ipv6, target);`
	`91`	`+ if (!b)`
`101`	`92`	`{`
`102`		`- fclose(f);`
`103`		`- return;`
	`93`	`+ warn_elem(e, "requires unavailable target extension %s, disabling", target);`
`104`	`94`	`}`
`105`		`-`
`106`		`- warn_elem(e, "requires not available kernel module %s, disabling", name);`
`107`		`- *module = false;`
	`95`	`+ *available = b;`
`108`	`96`	`}`
`109`	`97`
`110`	`98`	`static void`
`@@ -171,7 +159,8 @@ fw3_load_defaults(struct fw3_state state, struct uci_package p)`
`171`	`159`
`172`	`160`	`check_any_reject_code(e, &defs->any_reject_code);`
`173`	`161`
`174`		`- check_kmod(e, &defs->flow_offloading, "xt_FLOWOFFLOAD");`
	`162`	`+ /* exists in both ipv4 and ipv6, if at all, so only check ipv4 */`
	`163`	`+ check_target(e, &defs->flow_offloading, "FLOWOFFLOAD", false);`
`175`	`164`	`}`
`176`	`165`	`}`
`177`	`166`