authorPablo Neira Ayuso <pablo@netfilter.org>2024-08-26 00:41:42 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2024-08-26 18:38:13 +0200
commitdbff26bfba8336c485a270509440e94bc1240d08 (patch)
treee89ba81c1c724ec78f98ac4a4830da8fd1606185 /include
parentebd06f85a3257c294572005d0fa6b8ab0f213486 (diff)
cache: consolidate reset command
Reset command does not utilize the cache infrastructure. This implicitly fixes a crash with anonymous sets because elements are not fetched. I initially tried to fix it by toggling the missing cache flags, but then ASAN reports memleaks. Addressing these issues relies on Phil's list filtering infrastructure, which is expanded to accommodate filtering requirements of the reset commands, such as 'reset table ip' where only the family is sent to the kernel. After this update, tests/shell reports a few inconsistencies between reset and list commands: - reset rules chain t c2 display sets, but it should only list the given chain. - reset rules table t reset rules ip do not list elements in the set. In both cases, these are fully listing a given table and family, elements should be included. The consolidation also ensures list and reset will not differ. A few more notes: - CMD_OBJ_TABLE is used for: rules family table from the parser, due to the lack of a better enum, same applies to CMD_OBJ_CHAIN. - CMD_OBJ_ELEMENTS still does not use the cache, but same occurs in the CMD_GET command case which needs to be consolidated. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1763 Fixes: 83e0f4402fb7 ("Implement 'reset {set,map,element}' commands") Fixes: 1694df2de79f ("Implement 'reset rule' and 'reset rules' commands") Tested-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/cache.h10
-rw-r--r--include/netlink.h5
2 files changed, 6 insertions, 9 deletions
diff --git a/include/cache.h b/include/cache.h
index c72bedf5..e6bde6c6 100644
--- a/include/cache.h
+++ b/include/cache.h
@@ -64,6 +64,12 @@ struct nft_cache_filter {
struct {
struct list_head head;
} obj[NFT_CACHE_HSIZE];
+
+ struct {
+ bool obj;
+ bool rule;
+ bool elem;
+ } reset;
};
struct nft_cache;
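Review bot: The new `reset` sub-struct added to `struct nft_cache_filter` carries no comment, yet its three flags differ in kind from the members visible above it: going by the commit description, they make the cache fill issue a reset instead of a plain list, which presumably modifies kernel-side state rather than only reading it. I would document that on the member, e.g. `/* request a reset (not just a dump) for objects / rules / set elements */`. Since a stale `true` here would turn a listing into a state-changing request, the comment should also say that the filter must be zero-initialised by its allocator; how the filter is allocated is not visible in this hunk. The struct definition starts above the hunk, so the existing member documentation could not be checked for a convention to follow.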
@@ -149,8 +155,4 @@ struct netlink_ctx;
void nft_chain_cache_update(struct netlink_ctx *ctx, struct table *table,
const char *chain);
-int rule_cache_dump(struct netlink_ctx *ctx, const struct handle *h,
- const struct nft_cache_filter *filter,
- bool dump, bool reset);
-
#endif /* _NFT_CACHE_H_ */
diff --git a/include/netlink.h b/include/netlink.h
index 27a62462..cf7ba369 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -176,8 +176,6 @@ extern int netlink_delinearize_setelem(struct nftnl_set_elem *nlse,
struct nft_cache *cache);
extern int netlink_list_objs(struct netlink_ctx *ctx, const struct handle *h);
-extern int netlink_reset_objs(struct netlink_ctx *ctx, const struct cmd *cmd,
- uint32_t type, bool dump);
extern struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx,
struct nftnl_obj *nlo);
@@ -186,9 +184,6 @@ extern int netlink_list_flowtables(struct netlink_ctx *ctx,
extern struct flowtable *netlink_delinearize_flowtable(struct netlink_ctx *ctx,
struct nftnl_flowtable *nlo);
-extern int netlink_reset_rules(struct netlink_ctx *ctx, const struct cmd *cmd,
- bool dump);
-
extern void netlink_dump_chain(const struct nftnl_chain *nlc,
struct netlink_ctx *ctx);
extern void netlink_dump_rule(const struct nftnl_rule *nlr,