author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-01-20 22:32:43 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:23 +0100 |
commit | 0aad20f3979e3b6becd40e4ed5bba8d09d90706e (patch) | |
tree | b8d2425d471a0e34cd9dd85ce8e6295dfe80cd33 /iptables/nft.c | |
parent | 8ebee8c46101914b269afe94e772321e5ee09c3f (diff) |
xtables: purge out user-define chains from the kernel
xtables-restore has to purge out user-defined chains that are
not defined in the configuration file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 63 |
1 files changed, 54 insertions, 9 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 43b13deb..fd19ff55 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1801,19 +1801,13 @@ err:
 return ret == 0 ? 1 : 0;
 }
 
-static struct nft_chain *
-nft_chain_find(struct nft_handle *h, const char *table, const char *chain)
+struct nft_chain *
+nft_chain_list_find(struct nft_handle *h, struct nft_chain_list *list,
+ const char *table, const char *chain)
 {
- struct nft_chain_list *list;
 struct nft_chain_list_iter *iter;
 struct nft_chain *c;
 
- list = nft_chain_list_get(h);
- if (list == NULL) {
- DEBUGP("cannot allocate chain list\n");
- return NULL;
- }
-
 iter = nft_chain_list_iter_create(list);
 if (iter == NULL) {
 DEBUGP("cannot allocate rule list iterator\n");
@@ -1833,13 +1827,29 @@ nft_chain_find(struct nft_handle *h, const char *table, const char *chain)
 if (strcmp(chain, chain_name) != 0)
 goto next;
 
+ nft_chain_list_iter_destroy(iter);
 return c;
 next:
 c = nft_chain_list_iter_next(iter);
 }
+ nft_chain_list_iter_destroy(iter);
 
 return NULL;
 }
 
+static struct nft_chain *
+nft_chain_find(struct nft_handle *h, const char *table, const char *chain)
+{
+ struct nft_chain_list *list;
+
+ list = nft_chain_list_get(h);
+ if (list == NULL) {
+ DEBUGP("cannot allocate chain list\n");
+ return NULL;
+ }
+
+ return nft_chain_list_find(h, list, table, chain);
+}
+
 int nft_chain_user_rename(struct nft_handle *h,const char *chain,
 const char *table, const char *newname)
 {
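Review bot: The newly exported `nft_chain_list_find` (the `+struct nft_chain *` signature lines of the first hunk) has no comment stating its ownership contract, although it now matters to outside callers: `list` is supplied by the caller and the returned `struct nft_chain *` is an element of that list, so the list must stay alive for as long as the result is used. In the part of the body visible here `h` is no longer referenced (its only former use, `nft_chain_list_get(h)`, moved to the wrapper); if the lines between the two hunks do not use it either, it is dead and could be dropped, or the comment should say it is kept for signature symmetry. Suggest a header comment along the lines of `/* Find the chain named @chain in @table within @list; returns a pointer owned by @list (caller must keep @list alive), or NULL if absent or the iterator cannot be allocated. */`. The function body continues beyond this hunk.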
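Review bot: The added `nft_chain_find` wrapper in the second hunk gets a list from `nft_chain_list_get(h)` and returns a pointer into it, so the list can neither be freed here nor by any caller, which only receives the chain. If `nft_chain_list_get` builds a fresh list on every call (its "cannot allocate chain list" message suggests it does), each lookup leaks a full chain dump; the old code had the same shape, but now that a caller-owned variant exists this deserves a note, e.g. `/* Returned chain points into a list fetched from the kernel that is never freed; callers that already hold a list should use nft_chain_list_find(). */`. Alternatively callers that hold a list could be switched to `nft_chain_list_find` directly.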
@@ -2006,6 +2016,41 @@ err:
 return ret == 0 ? 1 : 0;
 }
 
+int nft_table_purge_chains(struct nft_handle *h, const char *this_table,
+ struct nft_chain_list *chain_list)
+{
+ struct nft_chain_list_iter *iter;
+ struct nft_chain *chain_obj;
+
+ iter = nft_chain_list_iter_create(chain_list);
+ if (iter == NULL) {
+ DEBUGP("cannot allocate rule list iterator\n");
+ return 0;
+ }
+
+ chain_obj = nft_chain_list_iter_next(iter);
+ while (chain_obj != NULL) {
+ const char *table =
+ nft_chain_attr_get_str(chain_obj, NFT_CHAIN_ATTR_TABLE);
+
+ if (strcmp(this_table, table) != 0)
+ goto next;
+
+ if (nft_chain_builtin(chain_obj))
+ goto next;
+
+ if ( __nft_chain_del(h, chain_obj) < 0) {
+ if (errno != EBUSY)
+ return -1;
+ }
+next:
+ chain_obj = nft_chain_list_iter_next(iter);
+ }
+ nft_chain_list_iter_destroy(iter);
+
+ return 0;
+}
+
 static inline int
 match_different(const struct xt_entry_match *a,
 const unsigned char *a_elems, |
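Review bot: In `nft_table_purge_chains` the `return -1` inside the `__nft_chain_del` failure branch leaves the iterator created a few lines above undestroyed, and the `return 0` when `nft_chain_list_iter_create` fails reports success although nothing was purged, so for xtables-restore the user-defined chains absent from the configuration file would silently survive the restore while the caller sees no error. Both exits should be explicit: destroy the iterator before the error return and report the allocation failure as -1 as well. The `DEBUGP` text copied from `nft_chain_list_find` names a rule list iterator although this is a chain list iterator. Whether `__nft_chain_del` unlinks `chain_obj` from `chain_list` while the iterator is positioned on it is not visible here; if it does, the next element should be fetched before the delete.
```c
	iter = nft_chain_list_iter_create(chain_list);
	if (iter == NULL) {
		DEBUGP("cannot allocate chain list iterator\n");
		return -1;
	}
	/* … unchanged: loop head, table and builtin filtering … */
		if (__nft_chain_del(h, chain_obj) < 0) {
			if (errno != EBUSY) {
				nft_chain_list_iter_destroy(iter);
				return -1;
			}
		}
	/* … unchanged: next: label, loop advance, final destroy, return 0 … */
```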