authorPablo Neira Ayuso <pablo@netfilter.org>2013-01-20 20:19:20 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2013-12-30 23:50:23 +0100
commit9e62dc8637f210cdeaed784396fecab9b6e5f043 (patch)
treee53163246d426495c972e8176f6c681067ecddec /iptables/xtables-restore.c
parent0aad20f3979e3b6becd40e4ed5bba8d09d90706e (diff)
xtables-restore: support atomic commit
Use the new nf_tables services to support atomic commit. Although a single global commit is supported, commit once per table to emulate the iptables-restore behaviour for now. Keep the table dormant/wake-up code in iptables/nft.c, as it can be used in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables-restore.c')
-rw-r--r--iptables/xtables-restore.c22
1 files changed, 17 insertions, 5 deletions
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 9778a9f7..ca9e0c05 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -164,6 +164,7 @@ xtables_restore_main(int argc, char *argv[])
{
struct nft_handle h = {
.family = AF_INET, /* default to IPv4 */
+ .commit = true,
};
char buffer[10240];
int c;
@@ -253,10 +254,14 @@ xtables_restore_main(int argc, char *argv[])
continue;
} else if ((strcmp(buffer, "COMMIT\n") == 0) && (in_table)) {
if (!testing) {
- if (nft_table_wake_dormant(&h, curtable) < 0) {
- fprintf(stderr, "Failed to wake up "
- "dormant table `%s'\n",
- curtable);
+ /* Commit per table, although we support
+ * global commit at once, stick by now to
+ * the existing behaviour.
+ */
+ if (nft_commit(&h)) {
+ fprintf(stderr, "Failed to commit "
+ "table %s\n",
+ curtable);
}
DEBUGP("Calling commit\n");
ret = 1;
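Review bot: A failed `nft_commit(&h)` in the COMMIT branch is only reported on stderr; execution then falls through to `ret = 1` and the loop keeps reading input, so a caller such as a boot script may never learn that the table's ruleset was not applied. For a firewall loader that is a fail-open condition. The last hunk of this commit already exits after a failed command, so the commit path could do the same by adding `exit(1);` after the `fprintf`. The message would also be more useful with the cause appended, for example `strerror(errno)` if nft_commit sets errno (not visible here). The meaning of `ret = 1` is decided outside this hunk, so confirm the final exit status against the end of xtables_restore_main.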
@@ -288,7 +293,6 @@ xtables_restore_main(int argc, char *argv[])
if (tablename && (strcmp(tablename, table) != 0))
continue;
- nft_table_set_dormant(&h, table);
if (noflush == 0) {
DEBUGP("Cleaning all chains of table '%s'\n",
table);
@@ -426,6 +430,14 @@ xtables_restore_main(int argc, char *argv[])
DEBUGP("argv[%u]: %s\n", a, newargv[a]);
ret = do_commandx(&h, newargc, newargv, &newargv[2]);
+ if (ret < 0) {
+ ret = nft_abort(&h);
+ if (ret < 0) {
+ fprintf(stderr, "failed to abort "
+ "commit operation\n");
+ }
+ exit(1);
+ }
free_argv();
fflush(stdout);
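Review bot: The new error path after `do_commandx()` exits with status 1 without telling the user which rule failed; a message is printed only when `nft_abort()` itself fails. Print a diagnostic naming the rejected command before aborting, and test the abort result directly with `if (nft_abort(&h) < 0)` instead of overwriting `ret`, which discards the original error code. The check covers only `ret < 0`; if do_commandx can also report failure with 0 (its contract is not visible in this hunk), that case skips the abort of the pending batch. The enclosing loop body continues outside the hunk.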