From: "Christian Göttsche" <cgzones@googlemail.com>
To: netfilter-devel@vger.kernel.org
Subject: [RFC 4/4] src: add ability to reset secmarks
Date: Wed, 20 Nov 2019 18:43:57 +0100
Message-ID: <20191120174357.26112-4-cgzones@googlemail.com>
In-Reply-To: <20191120174357.26112-1-cgzones@googlemail.com>
Add the ability to reset secmark associations between the user-side string representation and the kernel-internal secid.
This allows a lightweight reset, without reloading the whole configuration and resetting all counters etc.
*TODO*:
Pablo suggested dropping this change.
Are the actual objects in the kernel not destroyed and recreated?
Or is this functionality useless?
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
src/evaluate.c | 2 ++
src/parser_bison.y | 12 ++++++++++++
src/rule.c | 6 ++++++
3 files changed, 20 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 740d3c30..cebc33d3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3982,8 +3982,10 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
+ case CMD_OBJ_SECMARK:
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
+ case CMD_OBJ_SECMARKS:
if (cmd->handle.table.name == NULL)
return 0;
if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
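Review bot: the new CMD_OBJ_SECMARK and CMD_OBJ_SECMARKS cases in cmd_evaluate_reset share the counter/quota guard, so a missing table name returns 0 and a named table is only checked for existence; for the single-object form (`SECMARK obj_spec`) nothing here verifies that an object name was given or that it names a secmark, so a typo in the object name is only reported by the kernel. That matches the existing counter/quota cases, but since secmark objects are not stateful like those two, the commit message should say that `reset` is being extended to a non-stateful object type on purpose, or a follow-up should validate obj_spec at evaluation time.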
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 707f4671..eb767547 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1375,6 +1375,18 @@ reset_cmd : COUNTERS ruleset_spec
{
$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
;
flush_cmd : TABLE table_spec
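Review bot: the three new reset_cmd alternatives mirror the counters/quota forms, but neither the man page (doc/nft.txt) nor tests/shell appears in the diffstat, so `reset secmark`, `reset secmarks` and `reset secmarks table` would ship undocumented and untested; add the forms to the reset section of the man page and a tests/shell case that creates a secmark object and exercises all three. The grammar also relies on the SECMARK and SECMARKS tokens already being known to the scanner, since src/scanner.l is not touched here; a sentence in the commit message noting that the tokens are reused from the existing `list secmarks` support would make that dependency explicit.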
diff --git a/src/rule.c b/src/rule.c
index 4abc13c9..08b04827 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2539,6 +2539,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_QUOTA:
type = NFT_OBJECT_QUOTA;
break;
+ case CMD_OBJ_SECMARKS:
+ dump = true;
+ /* fall through */
+ case CMD_OBJ_SECMARK:
+ type = NFT_OBJECT_SECMARK;
+ break;
default:
BUG("invalid command object type %u\n", cmd->obj);
}
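Review bot: the new cases only map the command to NFT_OBJECT_SECMARK and set dump for the plural form, so `reset secmark` reaches the kernel as an ordinary object reset-dump; whether that actually re-resolves the context string to a fresh secid is exactly the open question in the TODO above, and nothing in this hunk answers it. Before this leaves RFC state, either confirm and state in the commit message what the kernel does on a reset dump for a secmark object, or drop the patch as Pablo suggested; as written, the commit message promises an effect that this userspace change cannot guarantee on its own. The `/* fall through */` comment style matches the surrounding switch, which is fine.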
--
2.24.0
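As an added illustration, not part of the RFC or of the nftables tree, the following ruleset is the kind of configuration the proposed reset acts on: a secmark object holding the SELinux context string, a rule that stamps packets with it, and the three reset forms the parser hunk introduces. The table, chain and object names and the SELinux context are assumptions chosen for the example; the reset invocations are written as comments because they are typed at the shell rather than loaded from a file.

```nft
# Constructed example ruleset; names and the SELinux context are assumptions.
table inet filter {
	# Secmark object: the user-side context string. The kernel resolves it
	# to a secid when the object is created.
	secmark sshtcp {
		"system_u:object_r:ssh_server_packet_t:s0"
	}

	chain input {
		type filter hook input priority 0; policy accept;
		# Stamp inbound SSH packets with the secid behind "sshtcp".
		tcp dport 22 meta secmark set "sshtcp"
	}
}

# Reset forms added by this RFC (typed at the shell, not loaded with nft -f):
#   nft reset secmark inet filter sshtcp    # one object (SECMARK obj_spec)
#   nft reset secmarks table inet filter    # all secmarks in one table
#   nft reset secmarks                      # all secmarks in the ruleset
```

The point of the per-object and per-table forms is that nothing else in the ruleset is touched: counters and quotas keep their state, and the rule referencing "sshtcp" stays in place, which is the lightweight reset the commit message describes.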
Thread overview (9+ messages):
2019-11-20 17:43 [RFC 1/4] statement: make secmark statements idempotent Christian Göttsche
2019-11-20 17:43 ` [RFC 2/4] src: add ability to set/get secmarks to/from connection Christian Göttsche
2019-11-21 13:06 ` Pablo Neira Ayuso
2019-11-21 13:27 ` Pablo Neira Ayuso
2019-11-20 17:43 ` [RFC 3/4] files: add example secmark config Christian Göttsche
2019-11-21 13:06 ` Pablo Neira Ayuso
2019-11-20 17:43 ` Christian Göttsche [this message]
2019-11-21 13:08 ` [RFC 4/4] src: add ability to reset secmarks Pablo Neira Ayuso
2019-11-21 13:05 ` [RFC 1/4] statement: make secmark statements idempotent Pablo Neira Ayuso