[iptables-nftables PATCH 1/2] xtables: arp: add delete operation

[iptables-nftables PATCH 1/2] xtables: arp: add delete operation

[Giuseppe Longo]

The following patch permit to delete the rules specifying
an entry or a rule number.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
 iptables/xtables-arp.c |   33 ++++++++++++++++++++++++++++-----
 1 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 8dfdf63..4537a58 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -911,6 +911,30 @@ replace_entry(const char *chain,
 	return nft_rule_replace(h, chain, table, fw, rulenum, verbose);
 }
 
+static int
+delete_entry(const char *chain,
+	     const char *table,
+	     struct arpt_entry *fw,
+	     unsigned int nsaddrs,
+	     const struct in_addr saddrs[],
+	     unsigned int ndaddrs,
+	     const struct in_addr daddrs[],
+	     bool verbose, struct nft_handle *h)
+{
+	unsigned int i, j;
+	int ret = 1;
+
+	for (i = 0; i < nsaddrs; i++) {
+		fw->arp.src.s_addr = saddrs[i].s_addr;
+		for (j = 0; j < ndaddrs; j++) {
+			fw->arp.tgt.s_addr = daddrs[j].s_addr;
+			ret = nft_rule_delete(h, chain, table, fw, verbose);
+		}
+	}
+
+	return ret;
+}
+
 int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table)
 {
 	struct arpt_entry fw, *e = NULL;
@@ -1402,13 +1426,12 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table)
 				   options&OPT_VERBOSE, true);
 		break;
 	case CMD_DELETE:
-		/*ret = delete_entry(chain, e,
-					nsaddrs, saddrs, ndaddrs, daddrs,
-					options&OPT_VERBOSE,
-					handle);*/
+		ret = delete_entry(chain, *table, e,
+				   nsaddrs, saddrs, ndaddrs, daddrs,
+				   options&OPT_VERBOSE, h);
 		break;
 	case CMD_DELETE_NUM:
-		/*ret = arptc_delete_num_entry(chain, rulenum - 1, handle);*/
+		ret = nft_rule_delete_num(h, chain, *table, rulenum - 1, verbose);
 		break;
 	case CMD_REPLACE:
 		ret = replace_entry(chain, *table, e, rulenum - 1,
-- 
1.7.8.6

[iptables-nftables PATCH 2/2] xtables: arp: zeroing chain counters

[Giuseppe Longo]

This small patch permit to reset the chain counters.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
 iptables/xtables-arp.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 4537a58..2f43ce8 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -1462,9 +1462,8 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table)
 				   options&OPT_NUMERIC,
 				   /*options&OPT_EXPANDED*/0,
 				   options&OPT_LINENUMBERS);
-		/*if (ret)
-			ret = zero_entries(chain,
-						options&OPT_VERBOSE, handle);*/
+		if (ret && (command & CMD_ZERO))
+			ret = nft_chain_zero_counters(h, chain, *table);
 		break;
 	case CMD_NEW_CHAIN:
 		ret = nft_chain_user_add(h, chain, *table);
-- 
1.7.8.6

Re: [iptables-nftables PATCH 2/2] xtables: arp: zeroing chain counters

[Pablo Neira Ayuso]

On Sun, Sep 22, 2013 at 10:18:56AM +0200, Giuseppe Longo wrote:
> This small patch permit to reset the chain counters.

Applied with minor change.

> Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
> ---
>  iptables/xtables-arp.c |    5 ++---
>  1 files changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
> index 4537a58..2f43ce8 100644
> --- a/iptables/xtables-arp.c
> +++ b/iptables/xtables-arp.c
> @@ -1462,9 +1462,8 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table)
>  				   options&OPT_NUMERIC,
>  				   /*options&OPT_EXPANDED*/0,
>  				   options&OPT_LINENUMBERS);
> -		/*if (ret)
> -			ret = zero_entries(chain,
> -						options&OPT_VERBOSE, handle);*/
> +		if (ret && (command & CMD_ZERO))
                        ^---------------------^

that seems redundant, we already checked for this above.

Mangled and applied, thanks.

Re: [iptables-nftables PATCH 1/2] xtables: arp: add delete operation

[Pablo Neira Ayuso]

On Sun, Sep 22, 2013 at 10:18:55AM +0200, Giuseppe Longo wrote:
> The following patch permit to delete the rules specifying
> an entry or a rule number.

Applied, thanks.