From: Pablo Neira Ayuso
Date: Fri, 6 Dec 2013 09:24:20 +0000 (+0100)
Subject: src: fix rule flushing atomically
X-Git-Tag: v0.099~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2eb1c30d55f1433e11275f85a97d3694188ecc40;p=thirdparty%2Fnftables.git

src: fix rule flushing atomically

nft is currently retrieving the list of rule from the kernel, then deleting each rule one by one. This is slow and not safe. Fix it by sending a deletion command in a batch without specifying the chain.

This change requires the kernel fix entitled: netfilter: nf_tables: fix missing rules flushing per table

Signed-off-by: Pablo Neira Ayuso
---

diff --git a/src/netlink.c b/src/netlink.c
index 533634af..cab8cf4b 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -422,43 +422,10 @@ static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h,
 	return 0;
 }
 
-static int flush_rule_cb(struct nft_rule *nlr, void *arg)
-{
-	struct netlink_ctx *ctx = arg;
-	const struct handle *h = ctx->data;
-	int err;
-
-	if ((h->table &&
-	     strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE), h->table) != 0) ||
-	    (h->chain &&
-	     strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_CHAIN), h->chain) != 0))
-		return 0;
-
-	netlink_dump_rule(nlr);
-	err = mnl_nft_rule_batch_del(nlr, 0, ctx->seqnum);
-	if (err < 0) {
-		netlink_io_error(ctx, NULL, "Could not delete rule: %s",
-				 strerror(errno));
-		return err;
-	}
-	return 0;
-}
-
 static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
 			       const struct location *loc)
 {
-	struct nft_rule_list *rule_cache;
-
-	rule_cache = mnl_nft_rule_dump(nf_sock, h->family);
-	if (rule_cache == NULL)
-		return netlink_io_error(ctx, loc,
-					"Could not receive rules from kernel: %s",
-					strerror(errno));
-
-	ctx->data = h;
-	nft_rule_list_foreach(rule_cache, flush_rule_cb, ctx);
-	nft_rule_list_free(rule_cache);
-	return 0;
+	return netlink_del_rule_batch(ctx, h, loc);
 }
 
 void netlink_dump_chain(struct nft_chain *nlc)
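Review bot: The new body of netlink_flush_rules delegates everything to netlink_del_rule_batch(ctx, h, loc), which is not visible in this hunk, and nothing in the code records that a batched delete issued without a chain only flushes a whole table on kernels carrying the fix named in the commit message ("netfilter: nf_tables: fix missing rules flushing per table"); on an older kernel the flush could presumably leave rules in place without an error reaching the caller, which is the wrong failure mode for a tool applying firewall policy. I would add a comment above the function, e.g. `/* Single batched delete with no chain set; relies on the kernel fix "netfilter: nf_tables: fix missing rules flushing per table" — older kernels may silently leave rules behind. */`. The removal of flush_rule_cb also drops the per-rule netlink_dump_rule() debug output and the client-side table/chain filtering, so any table/chain scoping now has to come from how netlink_del_rule_batch encodes h; that is likely intended but worth a sentence in the description. The whole of netlink_flush_rules is inside the hunk.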