On 26 August 2014 12:53, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Aug 26, 2014 at 11:57:01AM +0200, Arturo Borrero Gonzalez wrote:
>> This patch extend the NFT_MSG_DELTABLE call to support flushing the entire
>> ruleset.
>>
>> The options now are:
>> * No family speficied, no table specified: flush all the ruleset.
>> * Family specified, no table specified: flush all tables in the AF.
>> * Family specified, table specified: flush the given table.
>>
[...]
>> @@ -709,21 +775,31 @@ static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
>> int family = nfmsg->nfgen_family;
>> struct nft_ctx ctx;
>>
>> + if (family == NFPROTO_UNSPEC) {
>> + if (nla[NFTA_TABLE_NAME] != NULL)
>> + return -EINVAL;
>
> We should implement this too. I think you can replace
> nft_flush_ruleset and nft_flush_family by something more generic like:
>
> static int nf_tables_flush(struct net *net, ...)
> {
> ...
>
> list_for_each_entry(afi, &net->nft.af_info, list) {
> if (family != AF_UNSPEC && afi->family != family)
> continue;
>
> list_for_each_entry_safe(table, next, afi->tables, list) {
> if (nla[NFTA_TABLE_NAME] &&
> nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
> continue;
>
> err = nft_flush_table(table);
> ...
> }
> }
> return err;
> }
>
Ok. I agree.
> You can also skip the nft_ctx_init with this since it's quite empty
> and I guess my proposed nf_tables_flush should take around three
> parameters.
>
All functions take that nft_ctx and fill the needed data for the inner
and later functions (trans allocation, trans commit/abort, event
notifications..). I didn't find a cleaner way to do it, and the
nft_ctx_init() doesn't hurt.
So, I think we still need to use the nft_ctx even with that small
data, don't you?
--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
