On 26 August 2014 12:53, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Aug 26, 2014 at 11:57:01AM +0200, Arturo Borrero Gonzalez wrote:
>> This patch extends the NFT_MSG_DELTABLE call to support flushing the entire
>> ruleset.
>>
>> The options now are:
>> * No family specified, no table specified: flush all the ruleset.
>> * Family specified, no table specified: flush all tables in the AF.
>> * Family specified, table specified: flush the given table.
>> [...]
>> @@ -709,21 +775,31 @@ static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
>> int family = nfmsg->nfgen_family;
>> struct nft_ctx ctx;
>>
>> + if (family == NFPROTO_UNSPEC) {
>> + if (nla[NFTA_TABLE_NAME] != NULL)
>> + return -EINVAL;
>
> We should implement this too. I think you can replace
> nft_flush_ruleset and nft_flush_family by something more generic like:
>
> static int nf_tables_flush(struct net *net, ...)
> {
> 	...
>
> 	list_for_each_entry(afi, &net->nft.af_info, list) {
> 		if (family != AF_UNSPEC && afi->family != family)
> 			continue;
>
> 		list_for_each_entry_safe(table, next, &afi->tables, list) {
> 			if (nla[NFTA_TABLE_NAME] &&
> 			    nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
> 				continue;
>
> 			err = nft_flush_table(table);
> 			...
> 		}
> 	}
> 	return err;
> }
>

Ok. I agree.

> You can also skip the nft_ctx_init with this since it's quite empty
> and I guess my proposed nf_tables_flush should take around three
> parameters.
>

All functions take that nft_ctx and fill the needed data for the inner and later functions (trans allocation, trans commit/abort, event notifications..). I didn't find a cleaner way to do it, and the nft_ctx_init() doesn't hurt.

So, I think we still need to use the nft_ctx even with that small data, don't you?

-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
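Review bot: the commit message lists three cases, but the visible part of the nf_tables_deltable hunk handles a fourth: NFPROTO_UNSPEC with NFTA_TABLE_NAME present is rejected with -EINVAL. Add that case to the list in the commit message ("* No family specified, table specified: -EINVAL") so the userspace contract is explicit, and state there as well that an NFT_MSG_DELTABLE with neither attribute now flushes the whole ruleset, since that is the destructive default this hunk introduces.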
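The generic flush that Pablo sketches above, as an added C model that is not kernel code and not from the thread: the family/table filtering is reimplemented over plain arrays instead of the kernel's list_for_each_entry loops, and the model_* names, the NFPROTO_* values and the constructed ruleset are assumptions of this example.

```c
#include <errno.h>
#include <string.h>

#define NFPROTO_UNSPEC 0   /* as in the kernel's NFPROTO_* values */
#define NFPROTO_IPV4   2
#define NFPROTO_IPV6   10

struct model_table { const char *name; int flushed; };
struct model_af { int family; struct model_table *tables; size_t ntables; };
/* Hypothetical stand-in for nft_flush_table(): only mark the table. */
static int model_flush_table(struct model_table *t)
{
	t->flushed = 1;
	return 0;
}
/* Hypothetical model of the proposed nf_tables_flush(): walk every family,
 * skip those not matching a given family, and within a family skip tables
 * not matching a given name; a name without a family is -EINVAL as in the
 * hunk. Returns tables flushed (a modelling choice) or a negative errno. */
int model_nf_tables_flush(struct model_af *afs, size_t nafs,
			  int family, const char *name)
{
	size_t i, j, flushed = 0;
	int err;
	if (family == NFPROTO_UNSPEC && name != NULL)
		return -EINVAL;
	for (i = 0; i < nafs; i++) {
		if (family != NFPROTO_UNSPEC && afs[i].family != family)
			continue;
		for (j = 0; j < afs[i].ntables; j++) {
			struct model_table *t = &afs[i].tables[j];
			if (name != NULL && strcmp(name, t->name) != 0)
				continue;
			if ((err = model_flush_table(t)) < 0)
				return err;
			flushed++;
		}
	}
	return (int)flushed;
}

/* Constructed ruleset: ip has "filter" and "nat", ip6 has "filter". */
int model_run(int family, const char *name)
{
	struct model_table ip[] = { { "filter", 0 }, { "nat", 0 } };
	struct model_table ip6[] = { { "filter", 0 } };
	struct model_af afs[] = { { NFPROTO_IPV4, ip, 2 }, { NFPROTO_IPV6, ip6, 1 } };
	return model_nf_tables_flush(afs, 2, family, name);
}
```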