src: add `flush ruleset'

This patch adds the `flush ruleset' operation to nft.

The syntax is:
 % nft flush ruleset [family]

To flush all the ruleset (all families):
 % nft flush ruleset

To flush the ruleset of a given family:
 % nft flush ruleset ip
 % nft flush ruleset inet

This flush is a shortcut operation which deletes all rules, sets, tables
and chains.
It's possible since the modifications in the kernel to the NFT_MSG_DELTABLE
API call.

Users can benefit of this operation when doing an atomic replacement of the
entire ruleset, loading a file like this:

 =========
 flush ruleset
 table ip filter {
 	chain input {
		counter accept
	}
 }
 =========

Also, users who want to simply clean the ruleset for whatever reason can do it now
without having to iterate families/tables.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/netlink.h b/include/netlink.h
index d7d5c2d1719c7e99eb1a1457026294434cdfda56..f611452f4a77817e3db8b8a7ffbc5b9730cf2ede 100644 (file)
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -144,6 +144,10 @@ extern int netlink_io_error(struct netlink_ctx *ctx,
                            const struct location *loc, const char *fmt, ...);
 extern void netlink_open_error(void) __noreturn;
 
+extern int netlink_flush_ruleset(struct netlink_ctx *ctx,
+                                const struct handle *h,
+                                const struct location *loc);
+
 extern struct nft_ruleset *netlink_dump_ruleset(struct netlink_ctx *ctx,
                                                const struct handle *h,
                                                const struct location *loc);

diff --git a/src/netlink.c b/src/netlink.c
index 102f799a514f034b81f703e30e3e467bab5af6d9..7d3e71ff1a03963c4dfafe184f72b290c8c52a5f 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1444,6 +1444,28 @@ int netlink_batch_send(struct list_head *err_list)
        return mnl_batch_talk(nf_sock, err_list);
 }
 
+int netlink_flush_ruleset(struct netlink_ctx *ctx, const struct handle *h,
+                         const struct location *loc)
+{
+       int err;
+       struct nft_table *nlt;
+
+       if (!ctx->batch_supported) {
+               netlink_io_error(ctx, loc, "Operation not supported.");
+               return -1;
+       }
+
+       nlt = alloc_nft_table(h);
+       err = mnl_nft_table_batch_del(nf_sock, nlt, 0, ctx->seqnum);
+       nft_table_free(nlt);
+
+       if (err < 0)
+               netlink_io_error(ctx, loc, "Could not flush the ruleset: %s",
+                                strerror(errno));
+
+       return err;
+}
+
 struct nft_ruleset *netlink_dump_ruleset(struct netlink_ctx *ctx,
                                         const struct handle *h,
                                         const struct location *loc)

diff --git a/src/parser.y b/src/parser.y
index a4ccf732cf4b20bd7b709d2b08d6e28a5c335959..aa40f905222685620bd446414ca6f90d5ef0ec95 100644 (file)
--- a/src/parser.y
+++ b/src/parser.y
@@ -187,6 +187,7 @@ static int monitor_lookup_event(const char *event)
 %token ELEMENT                 "element"
 %token MAP                     "map"
 %token HANDLE                  "handle"
+%token RULESET                 "ruleset"
 
 %token INET                    "inet"
 
@@ -397,11 +398,11 @@ static int monitor_lookup_event(const char *event)
 %type <cmd>                    base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd
 %destructor { cmd_free($$); }  base_cmd add_cmd create_cmd insert_cmd delete_cmd list_cmd flush_cmd rename_cmd export_cmd monitor_cmd
 
-%type <handle>                 table_spec tables_spec chain_spec chain_identifier ruleid_spec
-%destructor { handle_free(&$$); } table_spec tables_spec chain_spec chain_identifier ruleid_spec
+%type <handle>                 table_spec tables_spec chain_spec chain_identifier ruleid_spec ruleset_spec
+%destructor { handle_free(&$$); } table_spec tables_spec chain_spec chain_identifier ruleid_spec ruleset_spec
 %type <handle>                 set_spec set_identifier
 %destructor { handle_free(&$$); } set_spec set_identifier
-%type <val>                    handle_spec family_spec position_spec
+%type <val>                    handle_spec family_spec family_spec_explicit position_spec
 
 %type <table>                  table_block_alloc table_block
 %destructor { close_scope(state); table_free($$); }    table_block_alloc
@@ -775,6 +776,10 @@ flush_cmd          :       TABLE           table_spec
                        {
                                $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_SET, &$2, &@$, NULL);
                        }
+                       |       RULESET         ruleset_spec
+                       {
+                               $$ = cmd_alloc(CMD_FLUSH, CMD_OBJ_RULESET, &$2, &@$, NULL);
+                       }
                        ;
 
 rename_cmd             :       CHAIN           chain_spec      identifier
@@ -1164,8 +1169,11 @@ string                   :       STRING
                        |       QUOTED_STRING
                        ;
 
-family_spec            :       /* empty */     { $$ = NFPROTO_IPV4; }
-                       |       IP              { $$ = NFPROTO_IPV4; }
+family_spec            :       /* empty */             { $$ = NFPROTO_IPV4; }
+                       |       family_spec_explicit
+                       ;
+
+family_spec_explicit   :       IP              { $$ = NFPROTO_IPV4; }
                        |       IP6             { $$ = NFPROTO_IPV6; }
                        |       INET            { $$ = NFPROTO_INET; }
                        |       ARP             { $$ = NFPROTO_ARP; }
@@ -1254,6 +1262,18 @@ comment_spec             :       /* empty */
                        }
                        ;
 
+ruleset_spec           :       /* empty */
+                       {
+                               memset(&$$, 0, sizeof($$));
+                               $$.family       = NFPROTO_UNSPEC;
+                       }
+                       |       family_spec_explicit
+                       {
+                               memset(&$$, 0, sizeof($$));
+                               $$.family       = $1;
+                       }
+                       ;
+
 rule                   :       stmt_list       comment_spec
                        {
                                struct stmt *i;

diff --git a/src/rule.c b/src/rule.c
index 1e54526052510109b3f572e7edaa502d26786863..cb2a2285454659900121c7d996e08cba2090a36d 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -820,6 +820,8 @@ static int do_command_flush(struct netlink_ctx *ctx, struct cmd *cmd)
                return netlink_flush_table(ctx, &cmd->handle, &cmd->location);
        case CMD_OBJ_CHAIN:
                return netlink_flush_chain(ctx, &cmd->handle, &cmd->location);
+       case CMD_OBJ_RULESET:
+               return netlink_flush_ruleset(ctx, &cmd->handle, &cmd->location);
        default:
                BUG("invalid command object type %u\n", cmd->obj);
        }

diff --git a/src/scanner.l b/src/scanner.l
index 929dbf6e45c593a76f28b74f3c89e11e660a0bb3..601ea3c13182316afb0562697c35c4cec3e365d8 100644 (file)
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -240,6 +240,7 @@ addrstring  ({macaddr}|{ip4addr}|{ip6addr})
 "element"              { return ELEMENT; }
 "map"                  { return MAP; }
 "handle"               { return HANDLE; }
+"ruleset"              { return RULESET; }
 
 "accept"               { return ACCEPT; }
 "drop"                 { return DROP; }