netfilter: nf_tables: extend NFT_MSG_DELTABLE to support flushing the ruleset

This patch extend the NFT_MSG_DELTABLE call to support flushing the entire ruleset. The options now are: * No family speficied, no table specified: flush all the ruleset. * Family specified, no table specified: flush all tables in the AF. * Family specified, table specified: flush the given table. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Arturo Borrero <arturo.borrero.glez@gmail.com> 2014-09-02 10:42:26 -0400
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2014-09-09 10:31:26 -0400
commit: b9ac12ef099707f405d7478009564302d7ed8393 (patch)
tree: 21fb83c32a8606b8a1382b860bc87abdf8a9a3a4
parent: ee01d5425634264089db74889c3547be13c3faef (diff)
1 files changed, 68 insertions, 4 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 3ce5cfa34935..82374601577e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -707,6 +707,67 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
        return 0;
 }
+static int nft_flush_table(struct nft_ctx *ctx)
+{
+        int err;
+        struct nft_chain *chain, *nc;
+        struct nft_set *set, *ns;
+        list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
+                ctx->chain = chain;
+                err = nft_delrule_by_chain(ctx);
+                if (err < 0)
+                        goto out;
+                err = nft_delchain(ctx);
+                if (err < 0)
+                        goto out;
+        }
+        list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
+                if (set->flags & NFT_SET_ANONYMOUS &&
+                    !list_empty(&set->bindings))
+                        continue;
+                err = nft_delset(ctx, set);
+                if (err < 0)
+                        goto out;
+        }
+        err = nft_deltable(ctx);
+out:
+        return err;
+}
+static int nft_flush(struct nft_ctx *ctx, int family)
+{
+        struct nft_af_info *afi;
+        struct nft_table *table, *nt;
+        const struct nlattr * const *nla = ctx->nla;
+        int err = 0;
+        list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
+                if (family != AF_UNSPEC && afi->family != family)
+                        continue;
+                ctx->afi = afi;
+                list_for_each_entry_safe(table, nt, &afi->tables, list) {
+                        if (nla[NFTA_TABLE_NAME] &&
+                            nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
+                                continue;
+                        ctx->table = table;
+                        err = nft_flush_table(ctx);
+                        if (err < 0)
+                                goto out;
+                }
+        }
+out:
+        return err;
+}
 static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
                              const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
@@ -718,6 +779,10 @@ static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
        int family = nfmsg->nfgen_family;
        struct nft_ctx ctx;
+        nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla);
+        if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
+                return nft_flush(&ctx, family);
        afi = nf_tables_afinfo_lookup(net, family, false);
        if (IS_ERR(afi))
                return PTR_ERR(afi);
@@ -727,12 +792,11 @@ static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
                return PTR_ERR(table);
        if (table->flags & NFT_TABLE_INACTIVE)
                return -ENOENT;
-        if (table->use > 0)
-                return -EBUSY;
-        nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+        ctx.afi = afi;
+        ctx.table = table;
-        return nft_deltable(&ctx);
+        return nft_flush_table(&ctx);
 }
 static void nf_tables_table_destroy(struct nft_ctx *ctx)
author	Arturo Borrero <arturo.borrero.glez@gmail.com>	2014-09-02 10:42:26 -0400
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2014-09-09 10:31:26 -0400
commit	b9ac12ef099707f405d7478009564302d7ed8393 (patch)
tree	21fb83c32a8606b8a1382b860bc87abdf8a9a3a4
parent	ee01d5425634264089db74889c3547be13c3faef (diff)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3ce5cfa34935..82374601577e 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -707,6 +707,67 @@ static int nf_tables_newtable(struct sock nlsk, struct sk_buff skb,
707	return 0;	707	return 0;
708	}	708	}
709		709
		710	static int nft_flush_table(struct nft_ctx *ctx)
		711	{
		712	int err;
		713	struct nft_chain chain, nc;
		714	struct nft_set set, ns;
		715
		716	list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
		717	ctx->chain = chain;
		718
		719	err = nft_delrule_by_chain(ctx);
		720	if (err < 0)
		721	goto out;
		722
		723	err = nft_delchain(ctx);
		724	if (err < 0)
		725	goto out;
		726	}
		727
		728	list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
		729	if (set->flags & NFT_SET_ANONYMOUS &&
		730	!list_empty(&set->bindings))
		731	continue;
		732
		733	err = nft_delset(ctx, set);
		734	if (err < 0)
		735	goto out;
		736	}
		737
		738	err = nft_deltable(ctx);
		739	out:
		740	return err;
		741	}
		742
		743	static int nft_flush(struct nft_ctx *ctx, int family)
		744	{
		745	struct nft_af_info *afi;
		746	struct nft_table table, nt;
		747	const struct nlattr * const *nla = ctx->nla;
		748	int err = 0;
		749
		750	list_for_each_entry(afi, &ctx->net->nft.af_info, list) {
		751	if (family != AF_UNSPEC && afi->family != family)
		752	continue;
		753
		754	ctx->afi = afi;
		755	list_for_each_entry_safe(table, nt, &afi->tables, list) {
		756	if (nla[NFTA_TABLE_NAME] &&
		757	nla_strcmp(nla[NFTA_TABLE_NAME], table->name) != 0)
		758	continue;
		759
		760	ctx->table = table;
		761
		762	err = nft_flush_table(ctx);
		763	if (err < 0)
		764	goto out;
		765	}
		766	}
		767	out:
		768	return err;
		769	}
		770
710	static int nf_tables_deltable(struct sock nlsk, struct sk_buff skb,	771	static int nf_tables_deltable(struct sock nlsk, struct sk_buff skb,
711	const struct nlmsghdr *nlh,	772	const struct nlmsghdr *nlh,
712	const struct nlattr * const nla[])	773	const struct nlattr * const nla[])
@@ -718,6 +779,10 @@ static int nf_tables_deltable(struct sock nlsk, struct sk_buff skb,
718	int family = nfmsg->nfgen_family;	779	int family = nfmsg->nfgen_family;
719	struct nft_ctx ctx;	780	struct nft_ctx ctx;
720		781
		782	nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla);
		783	if (family == AF_UNSPEC \|\| nla[NFTA_TABLE_NAME] == NULL)
		784	return nft_flush(&ctx, family);
		785
721	afi = nf_tables_afinfo_lookup(net, family, false);	786	afi = nf_tables_afinfo_lookup(net, family, false);
722	if (IS_ERR(afi))	787	if (IS_ERR(afi))
723	return PTR_ERR(afi);	788	return PTR_ERR(afi);
@@ -727,12 +792,11 @@ static int nf_tables_deltable(struct sock nlsk, struct sk_buff skb,
727	return PTR_ERR(table);	792	return PTR_ERR(table);
728	if (table->flags & NFT_TABLE_INACTIVE)	793	if (table->flags & NFT_TABLE_INACTIVE)
729	return -ENOENT;	794	return -ENOENT;
730	if (table->use > 0)
731	return -EBUSY;
732		795
733	nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);	796	ctx.afi = afi;
		797	ctx.table = table;
734		798
735	return nft_deltable(&ctx);	799	return nft_flush_table(&ctx);
736	}	800	}
737		801
738	static void nf_tables_table_destroy(struct nft_ctx *ctx)	802	static void nf_tables_table_destroy(struct nft_ctx *ctx)