[iptables PATCH 04/27] xtables: Free chains in NFT_COMPAT_CHAIN_ADD jobs

Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are
not added to the cache.

There is one exception though, namely when zeroing counters:
nft_chain_zero_counters() adds a chain object it took from chain cache.
To distinguish this situation from the others, introduce
NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like
NFT_COMPAT_CHAIN_ADD but batch_obj_del() does not free its chain.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 26df1287c5188..327c19ad2c6c9 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -246,6 +246,7 @@ enum obj_update_type {
 	NFT_COMPAT_CHAIN_USER_FLUSH,
 	NFT_COMPAT_CHAIN_UPDATE,
 	NFT_COMPAT_CHAIN_RENAME,
+	NFT_COMPAT_CHAIN_ZERO,
 	NFT_COMPAT_RULE_APPEND,
 	NFT_COMPAT_RULE_INSERT,
 	NFT_COMPAT_RULE_REPLACE,
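
Review bot: NFT_COMPAT_CHAIN_ZERO goes into enum obj_update_type without a comment, although the only thing that separates it from NFT_COMPAT_CHAIN_ADD is who owns the chain object. A one-line comment on the enumerator, along the lines of "chain is taken from the cache, batch_obj_del() must not free it", would keep that ownership rule next to the type instead of only in the commit message.
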
@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h,
 			 nftnl_table_get_str(o->table, NFTNL_TABLE_NAME));
 		break;
 	case NFT_COMPAT_CHAIN_ADD:
+	case NFT_COMPAT_CHAIN_ZERO:
 	case NFT_COMPAT_CHAIN_USER_ADD:
 	case NFT_COMPAT_CHAIN_USER_DEL:
 	case NFT_COMPAT_CHAIN_USER_FLUSH:
@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
 	case NFT_COMPAT_TABLE_FLUSH:
 		nftnl_table_free(o->table);
 		break;
-	case NFT_COMPAT_CHAIN_ADD:
+	case NFT_COMPAT_CHAIN_ZERO:
 	case NFT_COMPAT_CHAIN_USER_ADD:
 		break;
+	case NFT_COMPAT_CHAIN_ADD:
 	case NFT_COMPAT_CHAIN_USER_DEL:
 	case NFT_COMPAT_CHAIN_USER_FLUSH:
 	case NFT_COMPAT_CHAIN_UPDATE:
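
Review bot: in batch_obj_del(), moving NFT_COMPAT_CHAIN_ADD below the `break` changes ownership for every caller that queues a chain with that type, while the patch converts only the nft_chain_zero_counters() call site. Please state in the commit message that the remaining NFT_COMPAT_CHAIN_ADD callers were checked and none of them passes a chain still referenced by the cache, because such an object would now be freed while the cache keeps pointing at it. A short comment above the no-free `break` explaining why NFT_COMPAT_CHAIN_ZERO and NFT_COMPAT_CHAIN_USER_ADD skip the free would also make a later mix-up of the two types easier to catch in review.
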
@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action)
 						   n->seq, n->table);
 			break;
 		case NFT_COMPAT_CHAIN_ADD:
+		case NFT_COMPAT_CHAIN_ZERO:
 			nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,
 						   NLM_F_CREATE, n->seq,
 						   n->chain);
@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
 
 		nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
 
-		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
+		ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);
 
 		if (chain != NULL)
 			break;
-- 
2.18.0
