flags |= NLM_F_REPLACE;
}
+ if (h->commit) {
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
+ NFT_RULE_F_COMMIT);
+ }
nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE,
h->family, flags, h->seq);
nft_rule_attr_set(r, NFT_RULE_ATTR_TABLE, (char *)table);
nft_rule_attr_set(r, NFT_RULE_ATTR_CHAIN, (char *)chain);
+ if (h->commit) {
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
+ NFT_RULE_F_COMMIT);
+ }
+
/* Delete all rules in this table + chain */
nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_DELRULE, h->family,
NLM_F_ACK, h->seq);
if (r != NULL) {
ret = 1;
+ if (h->commit) {
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
+ NFT_RULE_F_COMMIT);
+ }
DEBUGP("deleting rule\n");
__nft_rule_del(h, r);
} else
if (r != NULL) {
ret = 1;
+ if (h->commit) {
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
+ NFT_RULE_F_COMMIT);
+ }
DEBUGP("deleting rule by number %d\n", rulenum);
__nft_rule_del(h, r);
} else
(unsigned long long)
nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE));
+ if (h->commit) {
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_FLAGS,
+ NFT_RULE_F_COMMIT);
+ }
ret = nft_rule_add(h, chain, table, cs, true,
nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE),
verbose);
return 1;
}
+static int nft_action(struct nft_handle *h, int type)
+{
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ uint32_t seq;
+ int ret;
+
+ nlh = mnl_nlmsg_put_header(buf);
+ nlh->nlmsg_type = (NFNL_SUBSYS_NFTABLES<< 8) | type;
+ nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ nlh->nlmsg_seq = seq = time(NULL);
+
+ struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
+ nfg->nfgen_family = AF_INET;
+ nfg->version = NFNETLINK_V0;
+ nfg->res_id = 0;
+
+ ret = mnl_talk(h, nlh, NULL, NULL);
+ if (ret < 0) {
+ if (errno != EEXIST)
+ perror("mnl-talk:nft_commit");
+ }
+ return ret;
+}
+
+int nft_commit(struct nft_handle *h)
+{
+ return nft_action(h, NFT_MSG_COMMIT);
+}
+
+int nft_abort(struct nft_handle *h)
+{
+ return nft_action(h, NFT_MSG_ABORT);
+}
+
int nft_compatible_revision(const char *name, uint8_t rev, int opt)
{
struct mnl_socket *nl;
struct mnl_socket *nl;
uint32_t portid;
uint32_t seq;
+ bool commit;
};
int nft_init(struct nft_handle *h);
int nft_rule_save(struct nft_handle *h, const char *table, bool counters);
int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
+/*
+ * global commit and abort
+ */
+int nft_commit(struct nft_handle *h);
+int nft_abort(struct nft_handle *h);
+
/*
* revision compatibility.
*/
{
struct nft_handle h = {
.family = AF_INET, /* default to IPv4 */
+ .commit = true,
};
char buffer[10240];
int c;
continue;
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
if (!testing) {
- if (nft_table_wake_dormant(&h, curtable) < 0) {
- fprintf(stderr, "Failed to wake up "
- "dormant table `%s'\n",
- curtable);
+ /* Commit per table, although we support
+ * global commit at once, stick by now to
+ * the existing behaviour.
+ */
+ if (nft_commit(&h)) {
+ fprintf(stderr, "Failed to commit "
+ "table %s\n",
+ curtable);
}
DEBUGP("Calling commit\n");
ret = 1;
if (tablename && (strcmp(tablename, table) != 0))
continue;
- nft_table_set_dormant(&h, table);
if (noflush == 0) {
DEBUGP("Cleaning all chains of table '%s'\n",
table);
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
ret = do_commandx(&h, newargc, newargv, &newargv[2]);
+ if (ret < 0) {
+ ret = nft_abort(&h);
+ if (ret < 0) {
+ fprintf(stderr, "failed to abort "
+ "commit operation\n");
+ }
+ exit(1);
+ }
free_argv();
fflush(stdout);
projects / thirdparty / iptables.git / commitdiff
