conntrack: use libmnl for ct entries deletion

Use libmnl and libnetfilter_conntrack mnl helpers to delete
the conntrack table entries.

Signed-off-by: Mikhail Sennikovsky <mikhail.sennikovskii@ionos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 28 insertions, 19 deletions

diff --git a/src/conntrack.c b/src/conntrack.c
index d073453..f6752f8 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -608,7 +608,7 @@ static const char usage_parameters[] =
 
 #define OPTION_OFFSET 256
 
-static struct nfct_handle *cth, *ith;
+static struct nfct_handle *cth;
 static struct option *opts = original_opts;
 static unsigned int global_option_offset = 0;
 
@@ -2036,20 +2036,32 @@ done:
 	return NFCT_CB_CONTINUE;
 }
 
-static int delete_cb(enum nf_conntrack_msg_type type,
-		     struct nf_conntrack *ct,
-		     void *data)
+static int nfct_mnl_request(struct nfct_mnl_socket *sock, uint16_t subsys,
+			    int family, uint16_t type, uint16_t flags,
+			    mnl_cb_t cb, const struct nf_conntrack *ct);
+
+static int mnl_nfct_delete_cb(const struct nlmsghdr *nlh, void *data)
 {
+	struct nfct_mnl_socket *modifier_sock = &_modifier_sock;
 	unsigned int op_type = NFCT_O_DEFAULT;
 	unsigned int op_flags = 0;
 	struct ct_cmd *cmd = data;
+	struct nf_conntrack *ct;
 	char buf[1024];
 	int res;
 
+	ct = nfct_new();
+	if (ct == NULL)
+		return MNL_CB_OK;
+
+	nfct_nlmsg_parse(nlh, ct);
+
 	if (nfct_filter(cmd, ct, cur_tmpl))
-		return NFCT_CB_CONTINUE;
+		goto destroy_ok;
 
-	res = nfct_query(ith, NFCT_Q_DESTROY, ct);
+	res = nfct_mnl_request(modifier_sock, NFNL_SUBSYS_CTNETLINK,
+			       nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO),
+			       IPCTNL_MSG_CT_DELETE, NLM_F_ACK, NULL, ct);
 	if (res < 0)
 		exit_error(OTHER_PROBLEM,
 			   "Operation failed: %s",
@@ -2073,7 +2085,9 @@ done:
 
 	counter++;
 
-	return NFCT_CB_CONTINUE;
+destroy_ok:
+	nfct_destroy(ct);
+	return MNL_CB_OK;
 }
 
 static int mnl_nfct_print_cb(const struct nlmsghdr *nlh, void *data)
@@ -2200,10 +2214,6 @@ static void copy_label(const struct ct_cmd *cmd, struct nf_conntrack *tmp,
 	}
 }
 
-static int nfct_mnl_request(struct nfct_mnl_socket *sock, uint16_t subsys,
-			    int family, uint16_t type, uint16_t flags,
-			    mnl_cb_t cb, const struct nf_conntrack *ct);
-
 static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
 {
 	struct ct_cmd *cmd = data;
@@ -3397,15 +3407,12 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
 		break;
 
 	case CT_DELETE:
-		cth = nfct_open(CONNTRACK, 0);
-		ith = nfct_open(CONNTRACK, 0);
-		if (!cth || !ith)
+		if (nfct_mnl_socket_open(sock, 0) < 0 ||
+		    nfct_mnl_socket_open(modifier_sock, 0) < 0)
 			exit_error(OTHER_PROBLEM, "Can't open handler");
 
 		nfct_filter_init(cmd);
 
-		nfct_callback_register(cth, NFCT_T_ALL, delete_cb, cmd);
-
 		filter_dump = nfct_filter_dump_create();
 		if (filter_dump == NULL)
 			exit_error(OTHER_PROBLEM, "OOM");
@@ -3419,12 +3426,14 @@ static int do_command_ct(const char *progname, struct ct_cmd *cmd)
 					     NFCT_FILTER_DUMP_L3NUM,
 					     cmd->family);
 
-		res = nfct_query(cth, NFCT_Q_DUMP_FILTER, filter_dump);
+		res = nfct_mnl_dump(sock, NFNL_SUBSYS_CTNETLINK,
+				    IPCTNL_MSG_CT_GET, mnl_nfct_delete_cb,
+				    cmd, filter_dump);
 
 		nfct_filter_dump_destroy(filter_dump);
 
-		nfct_close(ith);
-		nfct_close(cth);
+		nfct_mnl_socket_close(modifier_sock);
+		nfct_mnl_socket_close(sock);
 		break;
 
 	case EXP_DELETE: