[PATCH nft] cache: revisit reset command flags

- reset rules => fetch full cache, rules can refer to objects
- reset counter,quota => fetch only table and objects

... otherwise, default to cache full fetch, which is slow but safe.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1763
Fixes: 1694df2de79f ("Implement 'reset rule' and 'reset rules' commands")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
I plan to send v2 to extend tests.

A few more comments:

- nft reset ruleset seems to be missing?
- nft reset rules lists the entire ruleset, I guess this is expected
- nft reset counters comes with memleak, ASAN reports

 src/cache.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/cache.c b/src/cache.c
index 233147649263..d91e4b682e1f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -278,16 +278,21 @@ static unsigned int evaluate_cache_reset(struct cmd *cmd, unsigned int flags,
 			if (cmd->handle.chain.name)
 				filter->list.chain = cmd->handle.chain.name;
 		}
-		flags |= NFT_CACHE_SET | NFT_CACHE_FLOWTABLE |
-			 NFT_CACHE_OBJECT | NFT_CACHE_CHAIN;
+		flags |= NFT_CACHE_FULL;
+		break;
+	case CMD_OBJ_COUNTER:
+	case CMD_OBJ_COUNTERS:
+	case CMD_OBJ_QUOTA:
+	case CMD_OBJ_QUOTAS:
+		flags |= NFT_CACHE_TABLE | NFT_CACHE_OBJECT;
 		break;
 	case CMD_OBJ_ELEMENTS:
 	case CMD_OBJ_SET:
 	case CMD_OBJ_MAP:
-		flags |= NFT_CACHE_SET;
+		flags |= NFT_CACHE_SETELEM | NFT_CACHE_CHAIN | NFT_CACHE_OBJECT;
 		break;
 	default:
-		flags |= NFT_CACHE_TABLE;
+		flags |= NFT_CACHE_FULL;
 		break;
 	}
 	flags |= NFT_CACHE_REFRESH;
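Review bot: the CMD_OBJ_ELEMENTS/CMD_OBJ_SET/CMD_OBJ_MAP case changes as well (`flags |= NFT_CACHE_SET;` becomes `flags |= NFT_CACHE_SETELEM | NFT_CACHE_CHAIN | NFT_CACHE_OBJECT;`), but the commit message only describes the rules case, the counter/quota case and the full-fetch default; please document why resetting elements now needs chains and objects too, or split that change into its own patch so the `Fixes:` tag stays scoped to the reset rule regression.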
-- 
2.30.2
