Diffstat (limited to 'iptables/nft-cmd.c')
-rw-r--r-- | iptables/nft-cmd.c | 49 |
1 files changed, 37 insertions, 12 deletions
diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c
index a0c76a79..b38da9bd 100644
--- a/iptables/nft-cmd.c
+++ b/iptables/nft-cmd.c
@@ -14,19 +14,21 @@
 #include <xtables.h>
 #include "nft.h"
 #include "nft-cmd.h"
+#include <libnftnl/set.h>
 
 struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
 const char *table, const char *chain,
 struct iptables_command_state *state, int rulenum,
 bool verbose)
 {
+ struct nft_rule_ctx ctx = {
+ .command = command,
+ };
 struct nftnl_rule *rule;
 struct nft_cmd *cmd;
 
- cmd = calloc(1, sizeof(struct nft_cmd));
- if (!cmd)
- return NULL;
-
+ cmd = xtables_calloc(1, sizeof(struct nft_cmd));
+ cmd->error.lineno = h->error.lineno;
 cmd->command = command;
 cmd->table = xtables_strdup(table);
 if (chain)
@@ -35,7 +37,7 @@ struct nft_cmd *nft_cmd_new(struct nft_handle *h, int command,
 cmd->verbose = verbose;
 
 if (state) {
- rule = nft_rule_new(h, chain, table, state);
+ rule = nft_rule_new(h, &ctx, chain, table, state);
 if (!rule) {
 nft_cmd_free(cmd);
 return NULL;
@@ -63,6 +65,7 @@ void nft_cmd_free(struct nft_cmd *cmd)
 switch (cmd->command) {
 case NFT_COMPAT_RULE_CHECK:
 case NFT_COMPAT_RULE_DELETE:
+ case NFT_COMPAT_RULE_CHANGE_COUNTERS:
 if (cmd->obj.rule)
 nftnl_rule_free(cmd->obj.rule);
 break;
@@ -94,7 +97,7 @@ static void nft_cmd_rule_bridge(struct nft_handle *h, const struct nft_cmd *cmd)
 
 int nft_cmd_rule_append(struct nft_handle *h, const char *chain,
 const char *table, struct iptables_command_state *state,
- void *ref, bool verbose)
+ bool verbose)
 {
 struct nft_cmd *cmd;
 
@@ -170,7 +173,9 @@ int nft_cmd_rule_flush(struct nft_handle *h, const char *chain,
 if (!cmd)
 return 0;
 
- if (chain || verbose)
+ if (h->family == NFPROTO_BRIDGE)
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
+ else if (chain || verbose)
 nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
 else
 nft_cache_level_set(h, NFT_CL_TABLES, cmd);
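Review bot: `ctx` in nft_cmd_new is an automatic variable whose address is handed to nft_rule_new in the second hunk; that is only safe if nft_rule_new uses the context for the duration of the call and does not store `&ctx` in the rule it builds, which this diff does not show. A one-line comment above the declaration, e.g. `/* per-call context only; nft_rule_new() must not retain &ctx */`, would pin that contract for the next person who extends struct nft_rule_ctx. Dropping the NULL check after the switch to xtables_calloc is correct only if xtables_calloc never returns NULL (aborts on allocation failure), as its name suggests; worth confirming rather than assuming. The new `#include <libnftnl/set.h>` is not referenced by anything in the visible hunks — if nothing else in this file uses the set API, the include can go.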
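Review bot: The new NFPROTO_BRIDGE branch in nft_cmd_rule_flush requests the NFT_CL_RULES cache level without saying why, while the analogous branch in nft_cmd_chain_del (a later hunk) carries a comment naming nft_bridge_chain_postprocess(). If the reason is the same, a comment above the `if`, e.g. `/* ebtables needs the rule cache for nft_bridge_chain_postprocess() */`, would spare the next reader a lookup; if it is a different reason, it needs its own comment even more. nft_cmd_rule_flush starts outside the hunk.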
@@ -208,12 +213,12 @@ int nft_cmd_chain_user_add(struct nft_handle *h, const char *chain,
 return 1;
 }
 
-int nft_cmd_chain_user_del(struct nft_handle *h, const char *chain,
- const char *table, bool verbose)
+int nft_cmd_chain_del(struct nft_handle *h, const char *chain,
+ const char *table, bool verbose)
 {
 struct nft_cmd *cmd;
 
- cmd = nft_cmd_new(h, NFT_COMPAT_CHAIN_USER_DEL, table, chain, NULL, -1,
+ cmd = nft_cmd_new(h, NFT_COMPAT_CHAIN_DEL, table, chain, NULL, -1,
 verbose);
 if (!cmd)
 return 0;
@@ -221,7 +226,7 @@ int nft_cmd_chain_user_del(struct nft_handle *h, const char *chain,
 /* This triggers nft_bridge_chain_postprocess() when fetching the
 * rule cache.
 */
- if (h->family == NFPROTO_BRIDGE)
+ if (h->family == NFPROTO_BRIDGE || !chain)
 nft_cache_level_set(h, NFT_CL_RULES, cmd);
 else
 nft_cache_level_set(h, NFT_CL_CHAINS, cmd);
@@ -320,7 +325,7 @@ int nft_cmd_table_flush(struct nft_handle *h, const char *table, bool verbose)
 
 if (verbose) {
 return nft_cmd_rule_flush(h, NULL, table, verbose) &&
- nft_cmd_chain_user_del(h, NULL, table, verbose);
+ nft_cmd_chain_del(h, NULL, table, verbose);
 }
 
 cmd = nft_cmd_new(h, NFT_COMPAT_TABLE_FLUSH, table, NULL, NULL, -1,
@@ -396,3 +401,23 @@ int ebt_cmd_user_chain_policy(struct nft_handle *h, const char *table,
 return 1;
 }
 
+
+int nft_cmd_rule_change_counters(struct nft_handle *h,
+ const char *chain, const char *table,
+ struct iptables_command_state *cs,
+ int rule_nr, uint8_t counter_op, bool verbose)
+{
+ struct nft_cmd *cmd;
+
+ cmd = nft_cmd_new(h, NFT_COMPAT_RULE_CHANGE_COUNTERS, table, chain,
+ rule_nr == -1 ? cs : NULL, rule_nr, verbose);
+ if (!cmd)
+ return 0;
+
+ cmd->counter_op = counter_op;
+ cmd->counters = cs->counters;
+
+ nft_cache_level_set(h, NFT_CL_RULES, cmd);
+
+ return 1;
+}
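Review bot: The comment above the changed condition in nft_cmd_chain_del still explains only the bridge case, but the new `|| !chain` clause makes the rule cache mandatory whenever chain is NULL, which is now the delete-all-chains path that nft_cmd_table_flush takes through nft_cmd_chain_del in the following hunk. Extend the comment with a second sentence stating why a NULL chain needs NFT_CL_RULES (presumably because removing every user-defined chain in the table must see the rules that reference them — confirm against the cache code, which is outside this diff). The NULL-chain meaning is also part of the function's contract and belongs on its declaration, e.g. `/* chain == NULL deletes all user-defined chains in table */`. nft_cmd_chain_del continues past the end of the first hunk and the second hunk shows only its tail.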
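Review bot: In nft_cmd_rule_change_counters, `cs` is dereferenced unconditionally by `cmd->counters = cs->counters;`, yet it is only forwarded to nft_cmd_new when rule_nr == -1, so callers that select the rule by index must still pass a valid cs and nothing in the signature says so. Either document that on the function, e.g. `/* cs must be non-NULL: its counters are always copied; the rule is matched against cs only when rule_nr == -1 (otherwise by index) */`, or reject a NULL cs with `if (!cs) return 0;` ahead of the nft_cmd_new call so the failure is reported the same way as the other early returns. Whether the counters assignment is a struct copy or a pointer copy depends on the definition of struct nft_cmd, which is not in this diff; if it is a pointer, the lifetime of cs->counters relative to the queued cmd needs checking. The new function is otherwise undocumented; a short header comment covering chain, table, rule_nr and counter_op would match the purpose comments elsewhere in this file.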