cache: honor -c/--check for reset commands

Currently:

  nft -c reset rules ip x

ignores -c/--check.

The reset and list commands use the netlink GET/DUMP nfnetlink API which
provides no check semantics, compared to the NEW/DELETE nfnetlink batch
API which indeed does.

Emulate -c/--check for the reset command by handling this as a list
command, so the state of the objects is just listed, not reset. This
allows to check for presence and dump the content of the objects.

Fixes: dbff26bfba83 ("cache: consolidate reset command")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/cache.c b/src/cache.c
index bad8275326c76261d741522184f7379ee817c33a..75b4877d83cb922f56667d3657aead68005b6fbb 100644 (file)
--- a/src/cache.c
+++ b/src/cache.c
@@ -516,7 +516,10 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
                        flags = evaluate_cache_get(cmd, flags);
                        break;
                case CMD_RESET:
-                       flags = evaluate_cache_reset(cmd, flags, filter);
+                       if (nft->check)
+                               flags = evaluate_cache_list(nft, cmd, flags, filter);
+                       else
+                               flags = evaluate_cache_reset(cmd, flags, filter);
                        break;
                case CMD_LIST:
                        flags = evaluate_cache_list(nft, cmd, flags, filter);