| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-12-05 17:35:50 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-12-07 07:31:40 -0500 |
| commit | 8411b6442e59810fe0750a2f321b9dcb7d0a3d17 (patch) | |
| tree | 46ec4f0de82337a234b88ff58aedccd3b6486525 /include/net | |
| parent | 37df5301a3ae903c5b1aa90cae37c6c669dfc386 (diff) | |
netfilter: nf_tables: support for set flushing
This patch adds support for set flushing, that consists of walking over
the set elements if the NFTA_SET_ELEM_LIST_ELEMENTS attribute is set.
This patch requires the following changes:
1) Add set->ops->deactivate_one() operation: This allows us to
deactivate an element from the set element walk path, since we can
skip the lookup that ->deactivate() performs.
2) Add a new nft_trans_alloc_gfp() function since we need to allocate
transactions using GFP_ATOMIC given the set walk path happens with
held rcu_read_lock.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/nf_tables.h | 6 |
1 files changed, 5 insertions, 1 deletions
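diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 85f0f03f1e87..924325c46aab 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -259,7 +259,8 @@ struct nft_expr;
 * @lookup: look up an element within the set
 * @insert: insert new element into set
 * @activate: activate new element in the next generation
-* @deactivate: deactivate element in the next generation
+* @deactivate: lookup for element and deactivate it in the next generation
+* @deactivate_one: deactivate element in the next generation
 * @remove: remove element from set
 * @walk: iterate over all set elemeennts
 * @privsize: function to return size of set private data
@@ -294,6 +295,9 @@ struct nft_set_ops {
 void * (*deactivate)(const struct net *net,
 const struct nft_set *set,
 const struct nft_set_elem *elem);
+bool (*deactivate_one)(const struct net *net,
+const struct nft_set *set,
+void *priv);
 void (*remove)(const struct nft_set *set,
 const struct nft_set_elem *elem);
 void (*walk)(const struct nft_ctx *ctx,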
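Review bot: The new `deactivate_one` entry in struct nft_set_ops is documented with the same sentence the old `deactivate` had, so the header never says how the two differ: per the description it is called from the walk path on an element whose private data is already in hand, skipping the lookup, and the meaning of its bool result is stated nowhere in the hunk. I would change the doc line to ` * @deactivate_one: deactivate an already looked-up element (given its private data) in the next generation; returns whether it was deactivated` and, since the description says the walk runs under rcu_read_lock, add to the same comment that implementations must not sleep or allocate with sleeping flags, which is the constraint that motivated nft_trans_alloc_gfp(). The bool semantics are inferred from the name and should be confirmed against the set backends before being written down. The enclosing struct nft_set_ops and its comment block both start and end outside the hunk.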
