feat: safe creation of a base chain #64

my4ng · 2024-06-07T03:48:56Z

As explained in the doc comments, this adds multiple checks to ensure that the base chains are in fact valid to set. Currently, the set_hook and set_type are separate and cannot check compatibility as a whole. This PR aims to forbid setting any invalid base chain, as defined in the nftables documentation, to provide greater safety and prevent UB. This is achieved through the BaseChainSetter, which is reusable and modifiable.

Example:

let setter = BaseChainSetter::new()
   .chain_type(ChainType::Nat)
   .hook(Hook::PreRouting)
   .priority(Priority::Integral(0));

let result = setter.try_set(&mut chain);

assert_eq!(result, Ok(()));

let setter = setter.hook(Hook::Forward);
let result = setter.try_set(&mut chain);

// NAT type **cannot** be used with forward hook, hence failed with `InvalidCombination`.
assert_eq!(result, Err(BaseChainError::InvalidCombination));

It also adds related error type BaseChainError and named/offset priority Priority.

This change is

Add `BaseChainSetter` which checks and prevents invalid configurations of base chains through the `try_set` function. `Err(BaseChainError)` is returned in case of failed checks. Add `Priority` struct which allows and checks named/offset priorities through `PriorityName`.

my4ng force-pushed the base-chain branch from 1d217d9 to 9e3c86d Compare June 8, 2024 10:51

faern force-pushed the main branch from 20a7b42 to e51fe76 Compare June 18, 2024 07:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: safe creation of a base chain #64

feat: safe creation of a base chain #64

my4ng commented Jun 7, 2024 •

edited

Loading

feat: safe creation of a base chain #64

Are you sure you want to change the base?

feat: safe creation of a base chain #64

Conversation

my4ng commented Jun 7, 2024 • edited Loading

my4ng commented Jun 7, 2024 •

edited

Loading