[PATCH nftables 2/2] netlink: improve rule deletion per chain

With this patch, nft asks the kernel to delete all rules in a chain.
This replaces the current behaviour, which requires dumping all the rules,
then iterating over that list to delete them one by one, which is prone to races
and slower.

After this patch, the following two commands are equivalent:

 nft flush chain filter input
 nft delete rule filter input

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/netlink.c b/src/netlink.c
index 15cba79..533634a 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -645,7 +645,7 @@ int netlink_list_chain(struct netlink_ctx *ctx, const struct handle *h,
 int netlink_flush_chain(struct netlink_ctx *ctx, const struct handle *h,
 			const struct location *loc)
 {
-	return netlink_flush_rules(ctx, h, loc);
+	return netlink_del_rule_batch(ctx, h, loc);
 }
 
 int netlink_add_table(struct netlink_ctx *ctx, const struct handle *h,
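Review bot: netlink_del_rule_batch() is called here but is not defined anywhere in this diff, so this patch does not build on its own; the commit message should state that it depends on 1/2 of the series (presumably where the helper is introduced) or the two should be squashed. Worth noting in the message as well that moving the deletion into a single kernel request is what closes the race the description mentions: with the old dump-then-delete loop, a rule inserted between the dump and the per-rule deletes survived the flush, whereas a single chain-wide delete handled by the kernel has no such window. Finally, after this change netlink_flush_rules() has one caller fewer; if netlink_flush_chain() was its only user it is now dead code and should be removed in the same series.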
-- 
1.7.10.4
