author | Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> | 2012-10-30 23:31:08 +0000 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:19 +0100 |
commit | 0a366d8696582e979d55f6832a797d1217f4b908 (patch) | |
tree | 8701eecaa65af4c63cc89b2b251af45ed9ef0e7a | |
parent | 16db62f9187ec1d62310efea8f0f7f378aee1e89 (diff) |
iptables: nft: Add support for -R option
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
-rw-r--r-- | iptables/nft.c | 28 | ||||
-rw-r--r-- | iptables/nft.h | 2 | ||||
-rw-r--r-- | iptables/xtables.c | 3 |
3 files changed, 21 insertions, 12 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index ab9e4e40..3b5a5c1e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -639,7 +639,8 @@ static void add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes)
 int
 nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
-	     struct iptables_command_state *cs, bool append, bool verbose)
+	     struct iptables_command_state *cs,
+	     bool append, uint16_t handle, bool verbose)
 {
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	struct nlmsghdr *nlh;
@@ -764,8 +765,16 @@ nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
 	}
 	/* NLM_F_CREATE autoloads the built-in table if it does not exists */
-	nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET,
-				       NLM_F_ACK|NLM_F_CREATE|flags, h->seq);
+	flags |= NLM_F_ACK|NLM_F_CREATE;
+
+	if (handle > 0) {
+		nft_rule_attr_set(r, NFT_RULE_ATTR_HANDLE, &handle);
+		flags |= NLM_F_REPLACE;
+	}
+
+	nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE,
+				       AF_INET, flags, h->seq);
+
 	nft_rule_nlmsg_build_payload(nlh, r);
 	nft_rule_print_debug(r, nlh);
@@ -2327,17 +2336,16 @@ int nft_rule_replace(struct nft_handle *h, const char *chain, const char *table,
 		     struct iptables_command_state *cs,
 		     int rulenum, bool verbose)
 {
-	int ret;
+	int handle;
 	nft_fn = nft_rule_replace;
-	ret = __nft_rule_check(h, chain, table,
-			       NULL, false, true, rulenum, verbose);
-	if (ret < 0)
-		return ret;
+	handle = __nft_rule_check(h, chain, table,
+				  NULL, false, true, rulenum, verbose);
+	if (handle < 0)
+		return handle;
-	/* XXX needs to be inserted in position, this is appending */
-	return nft_rule_add(h, chain, table, cs, true, verbose);
+	return nft_rule_add(h, chain, table, cs, true, handle, verbose);
 }
 /*
diff --git a/iptables/nft.h b/iptables/nft.h
index f5a9efb8..474e652e 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
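Review bot: The new `handle` parameter of nft_rule_add is declared `uint16_t`, yet it is handed to the untyped setter as `nft_rule_attr_set(r, NFT_RULE_ATTR_HANDLE, &handle)`, which copies the attribute's own storage width from behind the pointer rather than 2 bytes; if that width is the 64-bit rule handle the kernel uses for this attribute, the call over-reads the stack object and any handle above 65535 is silently truncated. The same width problem reaches the nft_rule_replace hunk further down in this file, where the `int` returned by __nft_rule_check is narrowed into the parameter: a handle of exactly 65536 becomes 0 and, because of the `if (handle > 0)` guard, the replace silently degrades into an append with no error. Declaring the parameter `uint64_t handle` in nft.c and in the nft.h prototype and using the library's typed 64-bit setter, `nft_rule_attr_set_u64(r, NFT_RULE_ATTR_HANDLE, handle);`, removes both the over-read and the truncation. It is not visible here that __nft_rule_check returns the matched rule's handle on success, so that is inferred from the rename of `ret` to `handle`; nft_rule_add's body, including where `flags` and `r` are initialised, lies outside both of its hunks.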
@@ -39,7 +39,7 @@ int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *t
  */
 struct nft_rule;
-int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, bool verbose);
+int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, uint16_t handle, bool verbose);
 int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
 int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
 int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);
diff --git a/iptables/xtables.c b/iptables/xtables.c
index a6875757..d1a91723 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -448,7 +448,8 @@ add_entry(const char *chain,
 			cs->fw.ip.dst.s_addr = daddrs[j].s_addr;
 			cs->fw.ip.dmsk.s_addr = dmasks[j].s_addr;
-			ret = nft_rule_add(h, chain, table, cs, append, verbose);
+			ret = nft_rule_add(h, chain, table,
+					   cs, append, 0, verbose);
 		}
 	}
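Review bot: The bare `0` passed as the new handle argument in add_entry is a magic sentinel meaning "no rule to replace", and nothing in the nft.h prototype says that zero is reserved for that purpose or that a non-zero value switches nft_rule_add into replace mode. A comment on the prototype, `/* handle: rule to replace in place (NLM_F_REPLACE); 0 adds a new rule */`, or a named constant for the no-replace case, would make both this call and the nft_rule_replace caller readable without opening nft.c. add_entry's enclosing loops start before the hunk, so whether other callers of nft_rule_add exist in this file cannot be confirmed here.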