src: add support to flush sets

You can use this new command to remove all existing elements in a set:

 # nft flush set filter xyz

After this command, the set 'xyz' in table 'filter' becomes empty.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/netlink.h b/include/netlink.h
index 28c11f603ed20ea45606f0b19f8e075af426ebc4..363b5251968f3d32d715293c2cc57240e42232bd 100644 (file)
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -165,6 +165,8 @@ extern int netlink_delete_setelems(struct netlink_ctx *ctx, const struct handle
                                   const struct expr *expr);
 extern int netlink_get_setelems(struct netlink_ctx *ctx, const struct handle *h,
                                const struct location *loc, struct set *set);
+extern int netlink_flush_setelems(struct netlink_ctx *ctx, const struct handle *h,
+                                 const struct location *loc);
 
 extern void netlink_dump_table(const struct nftnl_table *nlt);
 extern void netlink_dump_chain(const struct nftnl_chain *nlc);

diff --git a/src/evaluate.c b/src/evaluate.c
index e11a455a5f53aa259b6e20d89b439b85eca30b3e..8a3da54e5b2d56326bb5f24391ee09f98440051b 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2857,9 +2857,11 @@ static int cmd_evaluate_list(struct eval_ctx *ctx, struct cmd *cmd)
 static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
 {
        int ret;
+
        ret = cache_update(cmd->op, ctx->msgs);
        if (ret < 0)
                return ret;
+
        switch (cmd->obj) {
        case CMD_OBJ_RULESET:
                cache_flush();
@@ -2870,6 +2872,7 @@ static int cmd_evaluate_flush(struct eval_ctx *ctx, struct cmd *cmd)
                 */
        case CMD_OBJ_CHAIN:
                /* Chains don't hold sets */
+       case CMD_OBJ_SET:
                break;
        default:
                BUG("invalid command object type %u\n", cmd->obj);

diff --git a/src/netlink.c b/src/netlink.c
index f8e600ff6f8117939995baa77418254d5ca952db..714df4e892b249c6b64cc7877c76cc16b0f58d44 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1374,7 +1374,8 @@ static int netlink_del_setelems_batch(struct netlink_ctx *ctx,
        int err;
 
        nls = alloc_nftnl_set(h);
-       alloc_setelem_cache(expr, nls);
+       if (expr)
+               alloc_setelem_cache(expr, nls);
        netlink_dump_set(nls);
 
        err = mnl_nft_setelem_batch_del(nls, 0, ctx->seqnum);
@@ -1406,6 +1407,12 @@ static int netlink_del_setelems_compat(struct netlink_ctx *ctx,
        return err;
 }
 
+int netlink_flush_setelems(struct netlink_ctx *ctx, const struct handle *h,
+                          const struct location *loc)
+{
+       return netlink_del_setelems_batch(ctx, h, NULL);
+}
+
 static struct expr *netlink_parse_concat_elem(const struct datatype *dtype,
                                              struct expr *data)
 {

diff --git a/src/rule.c b/src/rule.c
index 8710767bc33083214dd1e774875292b9af4a8091..f1bb6cfe04ea46a1052884f2b3580f6e4a9d001f 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -1244,6 +1244,9 @@ static int do_command_flush(struct netlink_ctx *ctx, struct cmd *cmd)
                return netlink_flush_table(ctx, &cmd->handle, &cmd->location);
        case CMD_OBJ_CHAIN:
                return netlink_flush_chain(ctx, &cmd->handle, &cmd->location);
+       case CMD_OBJ_SET:
+               return netlink_flush_setelems(ctx, &cmd->handle,
+                                             &cmd->location);
        case CMD_OBJ_RULESET:
                return netlink_flush_ruleset(ctx, &cmd->handle, &cmd->location);
        default: