On Tue, Sep 02, 2014 at 04:42:26PM +0200, Arturo Borrero Gonzalez wrote:
> This patch extends the NFT_MSG_DELTABLE call to support flushing the entire
> ruleset.
>
> The options now are:
> * No family specified, no table specified: flush all the ruleset.
> * Family specified, no table specified: flush all tables in the AF.
> * Family specified, table specified: flush the given table.
>
> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>
> ---
> v2: address comments by Pablo:
> * don't return EINVAL if called with AF_UNSPEC and a concrete table.
> * A more generic function, nft_flush()
>
> v3: no changes, resending the series.
> v4: no changes, resending the series because v3 series was invalid.
> v5: address comment by Pablo: delete set if the list of bindings is empty.

> +static int nft_flush_table(struct nft_ctx *ctx)
> +{
> +	int err;
> +	struct nft_chain *chain, *nc;
> +	struct nft_set *set, *ns;
> +
> +	list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
> +		ctx->chain = chain;
> +
> +		err = nft_delrule_by_chain(ctx);
> +		if (err < 0)
> +			goto out;
> +
> +		err = nft_delchain(ctx);
> +		if (err < 0)
> +			goto out;
> +	}
> +
> +	list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
> +		if (set->flags & NFT_SET_ANONYMOUS &&
> +		    !list_empty(&set->bindings))
> +			continue;

So we're removing anonymous sets iff the bindings are empty. I feel I'm missing something:

- how could we possibly still have bindings after the table has been flushed?
- if that were possible, why wouldn't it also apply to non-anonymous sets?

If I'm not mistaken we should be able to unconditionally delete all sets once the ruleset has been flushed.

> +		err = nft_delset(ctx, set);
> +		if (err < 0)
> +			goto out;
> +	}
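Review bot: the `continue` for anonymous sets with non-empty bindings in the second loop needs a comment explaining why those sets are skipped, because the first loop has already called nft_delrule_by_chain() on every chain of the table and a reader expects every binding to be gone by the time the set loop runs. If rule deletion at this point is only queued and the bindings are dropped when the rule is actually destroyed, state that above the check so it is clear the skipped sets are released together with their rules rather than leaked; if bindings genuinely can survive here, the same concern applies to the non-anonymous sets that the loop hands to nft_delset() unconditionally. As quoted, the function also has no visible `out:` label or return path after the second loop, so the trailing part of the hunk should be included when the series is resent so the error handling can be reviewed as a whole.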