On Tue, Sep 02, 2014 at 04:42:26PM +0200, Arturo Borrero Gonzalez wrote:
> This patch extend the NFT_MSG_DELTABLE call to support flushing the entire
> ruleset.
>
> The options now are:
> * No family speficied, no table specified: flush all the ruleset.
> * Family specified, no table specified: flush all tables in the AF.
> * Family specified, table specified: flush the given table.
>
> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>
> ---
> v2: address comments by Pablo:
> * don't return EINVAL if called with AF_UNSPEC and a concrete table.
> * A more generic function, nft_flush()
>
> v3: no changes, resending the series.
> v4: no changes, resending the series because v3 series was invalid.
> v5: address comment by Pablo: delete set if the list of bindings is empty.
> +static int nft_flush_table(struct nft_ctx *ctx)
> +{
> + int err;
> + struct nft_chain *chain, *nc;
> + struct nft_set *set, *ns;
> +
> + list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
> + ctx->chain = chain;
> +
> + err = nft_delrule_by_chain(ctx);
> + if (err < 0)
> + goto out;
> +
> + err = nft_delchain(ctx);
> + if (err < 0)
> + goto out;
> + }
> +
> + list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
> + if (set->flags & NFT_SET_ANONYMOUS &&
> + !list_empty(&set->bindings))
> + continue;
So we're removing anonymous sets iff the bindings are empty. I feel I'm
missing something:
- how could we possibly still have bindings after the table has been flushed?
- if that were possible, why wouldn't it also apply to non-anonymous sets?
If I'm not mistaken we should be able to unconditionally delete all sets
once the ruleset has been flushed.
> + err = nft_delset(ctx, set);
> + if (err < 0)
> + goto out;
> + }
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
