[PATCH nft 1/2] rule: Introduce helper function cache_flush

[PATCH nft 1/2] rule: Introduce helper function cache_flush

[Anatole Denis]

cache_release empties the cache, and marks it as uninitialized. Add cache_flush,
which does the same, except it keeps the cache initialized, eg. after a "nft
flush ruleset" when empty is the correct state of the cache.

Signed-off-by: Anatole Denis <anatole@rezel.net>
---
 include/rule.h | 1 +
 src/rule.c     | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/rule.h b/include/rule.h
index 99e92ee..b9b4a19 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -422,6 +422,7 @@ struct netlink_ctx;
 extern int do_command(struct netlink_ctx *ctx, struct cmd *cmd);
 
 extern int cache_update(enum cmd_ops cmd, struct list_head *msgs);
+extern void cache_flush(void);
 extern void cache_release(void);
 
 enum udata_type {
diff --git a/src/rule.c b/src/rule.c
index 8c58bfa..8710767 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -157,7 +157,7 @@ replay:
 	return 0;
 }
 
-void cache_release(void)
+void cache_flush(void)
 {
 	struct table *table, *next;
 
@@ -165,6 +165,11 @@ void cache_release(void)
 		list_del(&table->list);
 		table_free(table);
 	}
+}
+
+void cache_release(void)
+{
+	cache_flush();
 	cache_initialized = false;
 }
 
-- 
2.11.0

[PATCH nft 2/2] evaluate: Update cache on flush ruleset

[Anatole Denis]

After a flush, the cache should be empty, otherwise the cache and the expected
state are desynced, causing unwarranted errors. See
tests/shell/testcases/cache/0002_interval_0.

`flush table` and `flush chain` don't empty sets or destroy chains, so the cache
does not need an update in those cases, since only chain names and set contents
are held in cache for commands other than "list"

Reported-by: Leon Merten Lohse <leon@green-side.de>
Signed-off-by: Anatole Denis <anatole@rezel.net>
---
 src/evaluate.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index c841aaf..c75c140 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2854,6 +2854,29 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 	}
 }
 
+static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
+{
+	int ret;
+	ret = cache_update(cmd->op, ctx->msgs);
+	if (ret < 0)
+		return ret;
+	switch (cmd->obj) {
+	case CMD_OBJ_RULESET:
+		cache_flush();
+		break;
+	case CMD_OBJ_TABLE:
+		/* Flushing a table does not empty the sets in the table nor remove
+		 * any chains.
+		 */
+	case CMD_OBJ_CHAIN:
+		/* Chains don't hold sets */
+		break;
+	default:
+		BUG("invalid command object type %u\n", cmd->obj);
+	}
+	return 0;
+}
+
 static int cmd_evaluate_rename(struct eval_ctx *ctx, struct cmd *cmd)
 {
 	struct table *table;
@@ -3021,7 +3044,7 @@ int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
 	case CMD_LIST:
 		return cmd_evaluate_list(ctx, cmd);
 	case CMD_FLUSH:
-		return 0;
+		return cmd_evaluate_flush(ctx, cmd);
 	case CMD_RENAME:
 		return cmd_evaluate_rename(ctx, cmd);
 	case CMD_EXPORT:
-- 
2.11.0

Re: [PATCH nft 1/2] rule: Introduce helper function cache_flush

[Pablo Neira Ayuso]

On Thu, Dec 01, 2016 at 11:50:16AM +0100, Anatole Denis wrote:
> cache_release empties the cache, and marks it as uninitialized. Add cache_flush,
> which does the same, except it keeps the cache initialized, eg. after a "nft
> flush ruleset" when empty is the correct state of the cache.

Applied, thanks Anatole.

Re: [PATCH nft 2/2] evaluate: Update cache on flush ruleset

[Pablo Neira Ayuso]

On Thu, Dec 01, 2016 at 11:50:17AM +0100, Anatole Denis wrote:
> After a flush, the cache should be empty, otherwise the cache and the expected
> state are desynced, causing unwarranted errors. See
> tests/shell/testcases/cache/0002_interval_0.
> 
> `flush table` and `flush chain` don't empty sets or destroy chains, so the cache
> does not need an update in those cases, since only chain names and set contents
> are held in cache for commands other than "list"

Also applied, thanks.