Re: [nft PATCH] mnl: Improve error checking in mnl_nft_event_listener()

2018-10-24 Thread Phil Sutter
Hi Pablo,

On Wed, Oct 24, 2018 at 06:35:45PM +0200, Pablo Neira Ayuso wrote:
> On Wed, Oct 24, 2018 at 06:05:55PM +0200, Phil Sutter wrote:
> > When trying to adjust receive buffer size, the second call to
> > setsockopt() was not error-checked.
> > 
> > Signed-off-by: Phil Sutter 
> > ---
> >  src/mnl.c | 7 +--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/src/mnl.c b/src/mnl.c
> > index 2be8ca14e50da..0d9b7ffc85c76 100644
> > --- a/src/mnl.c
> > +++ b/src/mnl.c
> > @@ -1425,8 +1425,11 @@ int mnl_nft_event_listener(struct mnl_socket 
> > *nf_sock, unsigned int debug_mask,
> >  */
> > ret = setsockopt(fd, SOL_SOCKET, SO_RCVBUF, ,
> >  sizeof(socklen_t));
> > -   nft_print(octx, "# Cannot set up netlink socket buffer size to 
> > %u bytes, falling back to %u bytes\n",
> > - NFTABLES_NLEVENT_BUFSIZ, bufsiz);
> > +   if (ret < 0)
> > +   nft_print(octx, "# Cannot increase netlink socket 
> > buffer size, expect message loss\n");
> > +   else
> > +   nft_print(octx, "# Cannot set up netlink socket buffer 
> > size to %u bytes, falling back to %u bytes\n",
> > + NFTABLES_NLEVENT_BUFSIZ, bufsiz);
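Review bot: The else branch prints bufsiz as the size fallen back to only because setsockopt() returned 0. Linux adjusts SO_RCVBUF requests (it doubles the value and caps it at net.core.rmem_max) without returning an error, so the figure in "falling back to %u bytes" can differ from what the socket actually got. Reading the effective size back with getsockopt(fd, SOL_SOCKET, SO_RCVBUF, ...) before printing would make the message accurate.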
> 
> Looks good.
> 
> Are you hitting this error message? With a large ruleset?

No, this originated from a covscan report complaining about the unused
assignment of 'ret' variable. Instead of eliminating the assignment, I
decided to make use of it instead.

Cheers, Phil



Re: [nft PATCH] mnl: Improve error checking in mnl_nft_event_listener()

2018-10-24 Thread Pablo Neira Ayuso
On Wed, Oct 24, 2018 at 06:05:55PM +0200, Phil Sutter wrote:
> When trying to adjust receive buffer size, the second call to
> setsockopt() was not error-checked.
> 
> Signed-off-by: Phil Sutter 
> ---
>  src/mnl.c | 7 +--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/src/mnl.c b/src/mnl.c
> index 2be8ca14e50da..0d9b7ffc85c76 100644
> --- a/src/mnl.c
> +++ b/src/mnl.c
> @@ -1425,8 +1425,11 @@ int mnl_nft_event_listener(struct mnl_socket *nf_sock, 
> unsigned int debug_mask,
>*/
>   ret = setsockopt(fd, SOL_SOCKET, SO_RCVBUF, ,
>sizeof(socklen_t));
> - nft_print(octx, "# Cannot set up netlink socket buffer size to 
> %u bytes, falling back to %u bytes\n",
> -   NFTABLES_NLEVENT_BUFSIZ, bufsiz);
> + if (ret < 0)
> + nft_print(octx, "# Cannot increase netlink socket 
> buffer size, expect message loss\n");
> + else
> + nft_print(octx, "# Cannot set up netlink socket buffer 
> size to %u bytes, falling back to %u bytes\n",
> +   NFTABLES_NLEVENT_BUFSIZ, bufsiz);
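Review bot: The option length on the unchanged setsockopt() line is sizeof(socklen_t), which names the type of a length rather than the type of the value being set. While this call is being touched, using sizeof on the buffer-size variable itself would keep the length correct if that variable's type ever changes.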

Looks good.

Are you hitting this error message? With a large ruleset?


[nft PATCH] mnl: Improve error checking in mnl_nft_event_listener()

2018-10-24 Thread Phil Sutter
When trying to adjust receive buffer size, the second call to
setsockopt() was not error-checked.

Signed-off-by: Phil Sutter 
---
 src/mnl.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index 2be8ca14e50da..0d9b7ffc85c76 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1425,8 +1425,11 @@ int mnl_nft_event_listener(struct mnl_socket *nf_sock, 
unsigned int debug_mask,
 */
ret = setsockopt(fd, SOL_SOCKET, SO_RCVBUF, ,
 sizeof(socklen_t));
-   nft_print(octx, "# Cannot set up netlink socket buffer size to 
%u bytes, falling back to %u bytes\n",
- NFTABLES_NLEVENT_BUFSIZ, bufsiz);
+   if (ret < 0)
+   nft_print(octx, "# Cannot increase netlink socket 
buffer size, expect message loss\n");
+   else
+   nft_print(octx, "# Cannot set up netlink socket buffer 
size to %u bytes, falling back to %u bytes\n",
+ NFTABLES_NLEVENT_BUFSIZ, bufsiz);
}
 
while (1) {
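Review bot: The new "if (ret < 0)" branch drops the reason for the failure. setsockopt() sets errno, so appending strerror(errno) to "# Cannot increase netlink socket buffer size, expect message loss" would tell the user whether this is a permission or a resource problem. Execution still falls through to the "while (1)" loop after the warning, which matches the "expect message loss" wording, but a one-line comment saying the failure is deliberately non-fatal would help the next reader.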
-- 
2.19.0