author | Phil Sutter <phil@nwl.cc> | 2022-10-14 23:19:22 +0200 |
committer | Phil Sutter <phil@nwl.cc> | 2023-01-18 14:58:48 +0100 |
commit | 1694df2de79f39c5037f82601e02226022b2e38f (patch) | |
tree | 57c6b99a1c7de8a414b5693e86cd6cf36816fd42 /include | |
parent | ce04d25b4a116ef04f27d0b71994f61a24114d6d (diff) |
Implement 'reset rule' and 'reset rules' commands
Reset rule counters and quotas in the kernel, i.e. without having to reload
them. Requires the respective kernel patch to support the NFT_MSG_GETRULE_RESET
message type.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'include')
-rw-r--r-- | include/cache.h | 7 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 1 | ||||
-rw-r--r-- | include/mnl.h | 4 | ||||
-rw-r--r-- | include/netlink.h | 3 | ||||
-rw-r--r-- | include/rule.h | 1 |
5 files changed, 15 insertions, 1 deletions
diff --git a/include/cache.h b/include/cache.h
index 575381ef..5bf78fe0 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -3,6 +3,8 @@
 #include <string.h>
+struct handle;
+
 enum cache_level_bits {
 NFT_CACHE_TABLE_BIT = (1 << 0),
 NFT_CACHE_CHAIN_BIT = (1 << 1),
@@ -55,6 +57,7 @@ struct nft_cache_filter {
 const char *chain;
 const char *set;
 const char *ft;
+uint64_t rule_handle;
 } list;
 struct {
@@ -138,4 +141,8 @@ struct nft_cache {
 void nft_chain_cache_update(struct netlink_ctx *ctx, struct table *table, const char *chain);
+int rule_cache_dump(struct netlink_ctx *ctx, const struct handle *h,
+const struct nft_cache_filter *filter,
+bool dump, bool reset);
+
 #endif /* _NFT_CACHE_H_ */
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index e4b739d5..3d045030 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -124,6 +124,7 @@ enum nf_tables_msg_types {
 NFT_MSG_NEWFLOWTABLE,
 NFT_MSG_GETFLOWTABLE,
 NFT_MSG_DELFLOWTABLE,
+NFT_MSG_GETRULE_RESET,
 NFT_MSG_MAX,
 };
diff --git a/include/mnl.h b/include/mnl.h
index 8e0a7e3f..c0676691 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -34,7 +34,9 @@ int mnl_nft_rule_del(struct netlink_ctx *ctx, struct cmd *cmd);
 int mnl_nft_rule_replace(struct netlink_ctx *ctx, struct cmd *cmd);
 struct nftnl_rule_list *mnl_nft_rule_dump(struct netlink_ctx *ctx, int family,
-const char *table, const char *chain);
+const char *table, const char *chain,
+uint64_t rule_handle,
+bool dump, bool reset);
 int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd, unsigned int flags);
diff --git a/include/netlink.h b/include/netlink.h
index 5a7f6a1e..0d97f71c 100644
--- a/include/netlink.h
+++ b/include/netlink.h
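Review bot: The new `rule_cache_dump` prototype closing the cache.h section takes two adjacent `bool` parameters, `dump` and `reset`, with no comment on either, and per the commit message `reset` is a kernel-side side effect (zeroing counters and quotas through NFT_MSG_GETRULE_RESET), so a call site that transposes them would silently reset state when it only meant to list. The same `bool dump, bool reset` tail is added to `mnl_nft_rule_dump` in the mnl.h hunk. A comment above the declaration would make the contract explicit, e.g. `/* Fetch rules matching @h and @filter into the cache; @dump prints them, @reset also zeroes their counters/quotas in the kernel (NFT_MSG_GETRULE_RESET). */`, with the return convention added once confirmed against the implementation, which is not visible here. The new `rule_handle` field in `nft_cache_filter.list` likewise says nothing about its unset value; if the implementation treats 0 as "no handle filter", a `/* 0: any handle */` comment next to it would help.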
@@ -183,6 +183,9 @@ extern int netlink_list_flowtables(struct netlink_ctx *ctx,
 extern struct flowtable *netlink_delinearize_flowtable(struct netlink_ctx *ctx, struct nftnl_flowtable *nlo);
+extern int netlink_reset_rules(struct netlink_ctx *ctx, const struct cmd *cmd,
+bool dump);
+
 extern void netlink_dump_chain(const struct nftnl_chain *nlc, struct netlink_ctx *ctx);
 extern void netlink_dump_rule(const struct nftnl_rule *nlr,
diff --git a/include/rule.h b/include/rule.h
index d829f484..22c611f6 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -620,6 +620,7 @@ enum cmd_obj {
 CMD_OBJ_SETELEMS,
 CMD_OBJ_SETS,
 CMD_OBJ_RULE,
+CMD_OBJ_RULES,
 CMD_OBJ_CHAIN,
 CMD_OBJ_CHAINS,
 CMD_OBJ_TABLE, |
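Review bot: `netlink_reset_rules` in the netlink.h hunk is declared without saying what `dump` selects or what its `int` result means, even though the name implies a state-changing operation on every call; the neighbouring `netlink_list_*` declarations use an `int` return that this one presumably shares, but nothing visible here confirms it. A one-line comment would settle both: `/* Reset counters/quotas of the rules selected by @cmd; with @dump, also print them. */`, followed by the return semantics once checked against the definition, which lies outside this diff.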