netfilter-devel.vger.kernel.org archive mirror
* [nftables PATCH 0/4] fix rule flush operation
@ 2013-10-02 23:08 Eric Leblond
From: Eric Leblond @ 2013-10-02 23:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric, pablo


Hello,

Here's a small patchset which fixes rule flushing. A command
like:
 nft flush table ip6 nat 
was not flushing the rules at all. Patch 4 fixes the problem
and patch 3 limits the scope of the flush, which was not limited.

Patchset statistics:
 src/mnl.c     |  2 +-
 src/netlink.c | 13 ++++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

BR,
--
Eric Leblond


* [nftables PATCH 1/4] mnl: fix typo in comment
@ 2013-10-02 23:08 ` Eric Leblond
From: Eric Leblond @ 2013-10-02 23:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric, pablo

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/mnl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mnl.c b/src/mnl.c
index bec4218..27b181a 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -249,7 +249,7 @@ int mnl_batch_talk(struct mnl_socket *nl, struct list_head *err_list)
 			goto err;
 
 		ret = mnl_cb_run(rcv_buf, ret, 0, portid, NULL, NULL);
-		/* Continue on error, make sure we get all acknoledgments */
+		/* Continue on error, make sure we get all acknowledgments */
 		if (ret == -1)
 			mnl_err_list_node_add(err_list, errno, nlh->nlmsg_seq);
 
-- 
1.8.4.rc3



* [nftables PATCH 2/4] netlink: suppress useless variable
@ 2013-10-02 23:08 ` Eric Leblond
From: Eric Leblond @ 2013-10-02 23:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric, pablo

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/netlink.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index b1e44ad..6f3002b 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -441,7 +441,6 @@ static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
 			       const struct location *loc)
 {
 	struct nft_rule_list *rule_cache;
-	struct nft_rule *nlr;
 
 	rule_cache = mnl_nft_rule_dump(nf_sock, h->family);
 	if (rule_cache == NULL)
@@ -450,9 +449,7 @@ static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
 					strerror(errno));
 
 	mnl_batch_begin();
-	nlr = alloc_nft_rule(h);
 	nft_rule_list_foreach(rule_cache, flush_rule_cb, ctx);
-	nft_rule_free(nlr);
 	nft_rule_list_free(rule_cache);
 	mnl_batch_end();
 	return 0;
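Review bot: the removed alloc_nft_rule(h) / nft_rule_free(nlr) pair means this hunk drops a per-call allocation that was never used, not just an unused variable, and the commit message (which has no body) should say so; suggest a one-line body such as "nlr was allocated and freed around nft_rule_list_foreach() without ever being read." Also confirm that nothing between the two removed lines (only the foreach is visible) depended on nlr being set, so the removal is behaviour-neutral apart from the saved allocation.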
-- 
1.8.4.rc3



* [nftables PATCH 3/4] netlink: only flush asked table/chain
@ 2013-10-02 23:08 ` Eric Leblond
From: Eric Leblond @ 2013-10-02 23:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric, pablo

The flush operation was not limiting the flush to the table or
chain specified on the command line. The result was that all the rules
for a given family were flushed independently of the flush command.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/netlink.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/netlink.c b/src/netlink.c
index 6f3002b..f75cef7 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -425,8 +425,15 @@ static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h,
 static int flush_rule_cb(struct nft_rule *nlr, void *arg)
 {
 	struct netlink_ctx *ctx = arg;
+	const struct handle *h = ctx->data;
 	int err;
 
+	if ((h->table &&
+	    strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE), h->table) != 0) ||
+	    (h->chain &&
+	     strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_CHAIN), h->chain) != 0))
+		return 0;
+
 	netlink_dump_rule(nlr);
 	err = mnl_nft_rule_batch_del(nlr, 0, ctx->seqnum);
 	if (err < 0) {
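Review bot: the new filter at the top of flush_rule_cb() passes the result of nft_rule_attr_get_str() straight into strcmp(); that getter returns NULL when the attribute is not set on the rule, and strcmp() on NULL is undefined behaviour. Rules dumped from the kernel normally carry both table and chain, so this is defensive rather than a reproducible crash, but the lookups should be guarded, e.g. `const char *table = nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE);` followed by `if (h->table && (!table || strcmp(table, h->table) != 0)) return 0;` and the same for the chain. Separately, when h->table is unset but h->chain is set, the chain comparison is applied across every table of the family, which is unlikely to be what the caller intends; consider requiring a table whenever a chain is given.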
@@ -448,6 +455,7 @@ static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
 					"Could not receive rules from kernel: %s",
 					strerror(errno));
 
+	ctx->data = h;
 	mnl_batch_begin();
 	nft_rule_list_foreach(rule_cache, flush_rule_cb, ctx);
 	nft_rule_list_free(rule_cache);
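Review bot: ctx->data is assigned h before the walk but is never reset in this function, so a stale pointer to the caller's handle remains in the netlink_ctx after netlink_flush_rules() returns; either clear it after nft_rule_list_foreach() or document that ctx->data is only meaningful for the duration of a callback walk. Passing the handle through a void * side channel also loses type checking; a small struct holding both ctx and h, passed as the foreach argument, would make the dependency between this hunk and the flush_rule_cb() change explicit.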
-- 
1.8.4.rc3



* [nftables PATCH 4/4] netlink: fix nft flush operation
@ 2013-10-02 23:08 ` Eric Leblond
From: Eric Leblond @ 2013-10-02 23:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: eric, pablo

The nft_netlink function is already calling mnl_batch_end and
mnl_batch_begin, so it is not necessary to do it in the
netlink_flush_rules function. Doing so results in an invalid
netlink message which is discarded by the kernel.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/netlink.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index f75cef7..a62c357 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -456,10 +456,8 @@ static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
 					strerror(errno));
 
 	ctx->data = h;
-	mnl_batch_begin();
 	nft_rule_list_foreach(rule_cache, flush_rule_cb, ctx);
 	nft_rule_list_free(rule_cache);
-	mnl_batch_end();
 	return 0;
 }
 
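Review bot: with the begin/end removed, netlink_flush_rules() now silently depends on its caller having opened a batch; the commit message names nft_netlink as that caller, so add a comment above the function (or a sentence in the message) stating that it must run inside an mnl_batch_begin()/mnl_batch_end() pair, since any future caller outside one would emit bare DELRULE messages. It would also help to record in the message how the bug showed up (the `nft flush table ip6 nat` no-op from the cover letter) so the fix is traceable from the commit alone.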
-- 
1.8.4.rc3
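As an added example, not code from this patch or from nftables, here is a small checker in the spirit of the kernel's batch receiver: it walks a stream of netlink headers and rejects the nested begin/end framing that patch 4 removes, alongside a well-formed single batch. The constants mirror the kernel's uapi headers (redefined locally so it builds anywhere); the two streams are constructed here and are header-only, with rule attributes omitted.

```c
#include <stdint.h>
#include <string.h>
/* Mirrors <linux/netlink.h> and <linux/netfilter/nfnetlink.h>, redefined so it builds anywhere. */
#define NLMSG_ALIGN(len)     (((len) + 3U) & ~3U)
#define NFNL_MSG_BATCH_BEGIN 0x10             /* NLMSG_MIN_TYPE */
#define NFNL_MSG_BATCH_END   0x11             /* NLMSG_MIN_TYPE + 1 */
#define NFT_DELRULE_TYPE     ((10 << 8) | 8)  /* NFNL_SUBSYS_NFTABLES << 8 | NFT_MSG_DELRULE */
struct nlmsghdr { uint32_t nlmsg_len; uint16_t nlmsg_type, nlmsg_flags; uint32_t nlmsg_seq, nlmsg_pid; };

/* 1 when the stream is exactly one batch (BEGIN, payload..., END); 0 on a nested
 * BEGIN (the shape patch 4 removes), a stray END, payload outside a batch, or a
 * header that overruns the buffer. */
int batch_framing_valid(const uint8_t *buf, size_t len)
{
    struct nlmsghdr nlh = { 0 };
    size_t off = 0;
    int depth = 0;
    for (; off + sizeof nlh <= len; off += NLMSG_ALIGN(nlh.nlmsg_len)) {
        memcpy(&nlh, buf + off, sizeof nlh);
        if (nlh.nlmsg_len < sizeof nlh || off + nlh.nlmsg_len > len) return 0;
        if (nlh.nlmsg_type == NFNL_MSG_BATCH_BEGIN) depth++;      /* 2 means a nested begin */
        else if (nlh.nlmsg_type == NFNL_MSG_BATCH_END) depth--;   /* -1 means a stray end */
        if (depth != 1 && !(depth == 0 && nlh.nlmsg_type == NFNL_MSG_BATCH_END)) return 0;
    }
    return off == len && depth == 0;
}

/* Builds header-only messages from a type list (real DELRULE messages carry attributes). */
int check_type_sequence(const uint16_t *types, size_t n)
{
    uint8_t buf[16 * sizeof(struct nlmsghdr)];
    size_t off = 0;
    for (size_t i = 0; i < n && i < 16; i++, off += sizeof(struct nlmsghdr)) {
        struct nlmsghdr nlh = { sizeof(struct nlmsghdr), types[i], 0, (uint32_t)i, 0 };
        memcpy(buf + off, &nlh, sizeof nlh);
    }
    return batch_framing_valid(buf, off);
}

/* Constructed post-patch stream: only nft_netlink's begin/end pair around the deletions. */
int flat_batch_is_valid(void)
{
    static const uint16_t t[] = { NFNL_MSG_BATCH_BEGIN, NFT_DELRULE_TYPE, NFT_DELRULE_TYPE, NFNL_MSG_BATCH_END };
    return check_type_sequence(t, 4);
}

/* Constructed pre-patch stream: netlink_flush_rules' own begin/end pair nested inside that one. */
int nested_batch_is_valid(void)
{
    static const uint16_t t[] = { NFNL_MSG_BATCH_BEGIN, NFNL_MSG_BATCH_BEGIN, NFT_DELRULE_TYPE,
                                  NFNL_MSG_BATCH_END, NFNL_MSG_BATCH_END };
    return check_type_sequence(t, 5);
}
```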



* Re: [nftables PATCH 0/4] fix rule flush operation
@ 2013-10-03 11:22 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-10-03 11:22 UTC (permalink / raw)
  To: Eric Leblond; +Cc: netfilter-devel

On Thu, Oct 03, 2013 at 01:08:04AM +0200, Eric Leblond wrote:
> 
> Hello,
> 
> Here's a small patchset which fixes rule flushing. A command
> like:
>  nft flush table ip6 nat 
> was not flushing the rules at all. Patch 4 fixes the problem
> and patch 3 limits the scope of the flush, which was not limited.

All applied, thanks Eric.

