netlink: only flush asked table/chain

The flush operation was not limiting the flush to the table or
chain specified on command line. The result was that all the rules
for a given family are flush independantly of the flush command.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/netlink.c b/src/netlink.c
index 6f3002bcc1a25bfc207cdd73d66e05cce9ee353f..f75cef763610a856445bb1130e8f605c504a7c3b 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -425,8 +425,15 @@ static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h,
 static int flush_rule_cb(struct nft_rule *nlr, void *arg)
 {
        struct netlink_ctx *ctx = arg;
+       const struct handle *h = ctx->data;
        int err;
 
+       if ((h->table &&
+           strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE), h->table) != 0) ||
+           (h->chain &&
+            strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_CHAIN), h->chain) != 0))
+               return 0;
+
        netlink_dump_rule(nlr);
        err = mnl_nft_rule_batch_del(nlr, 0, ctx->seqnum);
        if (err < 0) {
@@ -448,6 +455,7 @@ static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
                                        "Could not receive rules from kernel: %s",
                                        strerror(errno));
 
+       ctx->data = h;
        mnl_batch_begin();
        nft_rule_list_foreach(rule_cache, flush_rule_cb, ctx);
        nft_rule_list_free(rule_cache);