From 7c568680e2d904b5332e398a2a329ecdb94f897e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 20 Dec 2016 01:14:10 +0100
Subject: mnl: add mnl_nft_setelem_batch_flush() and use it from netlink_flush_setelems()

Commit 8bd99f2fca7e ("mnl: don't send empty set elements netlink message to kernel") broke set flush because we still need to send the netlink message with no elements to flush sets.

To avoid more whack-a-mole games, add a new explicit function mnl_nft_setelem_batch_flush() that is used to request a set flush, instead of reusing the one that allows us to explicitly delete given set elements.

Signed-off-by: Pablo Neira Ayuso
---
 include/mnl.h | 2 ++
 src/mnl.c | 15 +++++++++++++++
 src/netlink.c | 14 +++++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/include/mnl.h b/include/mnl.h
index f74dfee5..87db96af 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -82,6 +82,8 @@ int mnl_nft_setelem_delete(struct mnl_socket *nf_sock, struct nftnl_set *nls,
 unsigned int flags);
 int mnl_nft_setelem_batch_del(struct nftnl_set *nls, unsigned int flags,
 uint32_t seq);
+int mnl_nft_setelem_batch_flush(struct nftnl_set *nls, unsigned int flags,
+ uint32_t seqnum);
 int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nftnl_set *nls);
 
 struct nftnl_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
diff --git a/src/mnl.c b/src/mnl.c
index d107015c..257b630e 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -902,6 +902,21 @@ int mnl_nft_setelem_batch_add(struct nftnl_set *nls, unsigned int flags,
 return mnl_nft_setelem_batch(nls, NFT_MSG_NEWSETELEM, flags, seqnum);
 }
 
+int mnl_nft_setelem_batch_flush(struct nftnl_set *nls, unsigned int flags,
+ uint32_t seqnum)
+{
+ struct nlmsghdr *nlh;
+
+ nlh = nftnl_set_elem_nlmsg_build_hdr(nftnl_batch_buffer(batch),
+ NFT_MSG_DELSETELEM,
+ nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
+ NLM_F_CREATE | flags, seqnum);
+ nftnl_set_elems_nlmsg_build_payload(nlh, nls);
+ mnl_nft_batch_continue();
+
+ return 0;
+}
+
 int mnl_nft_setelem_batch_del(struct nftnl_set *nls, unsigned int flags,
 uint32_t seqnum)
 {
diff --git a/src/netlink.c b/src/netlink.c
index 714df4e8..d6d00199 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1410,7 +1410,19 @@ static int netlink_del_setelems_compat(struct netlink_ctx *ctx,
 int netlink_flush_setelems(struct netlink_ctx *ctx, const struct handle *h,
 const struct location *loc)
 {
- return netlink_del_setelems_batch(ctx, h, NULL);
+ struct nftnl_set *nls;
+ int err;
+
+ nls = alloc_nftnl_set(h);
+ netlink_dump_set(nls);
+
+ err = mnl_nft_setelem_batch_flush(nls, 0, ctx->seqnum);
+ nftnl_set_free(nls);
+ if (err < 0)
+ netlink_io_error(ctx, loc,
+ "Could not flush set elements: %s",
+ strerror(errno));
+ return err;
 }
 
 static struct expr *netlink_parse_concat_elem(const struct datatype *dtype,
-- 
cgit v1.2.3
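Review bot: mnl_nft_setelem_batch_flush() carries no comment explaining that a NFT_MSG_DELSETELEM request with an empty element payload is what asks the kernel to flush the set — that rationale lives only in the commit message, and commit 8bd99f2fca7e shows how easily it gets "fixed" away. A header comment such as `/* A NFT_MSG_DELSETELEM request carrying no elements flushes the whole set; it must not go through mnl_nft_setelem_batch(), which drops empty payloads (see 8bd99f2fca7e). Always returns 0. */` would pin that down. The function also returns 0 on every path and the mnl_nft_batch_continue() call is not checked, so the `int` return tells callers nothing as written; either document that or have the function report a real failure. NLM_F_CREATE is ORed into a delete request, presumably carried over from the add path; if the kernel ignores it on delete, a short comment saying so would help, otherwise passing `flags` alone reads more accurately.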
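Review bot: strerror(errno) in the new error branch of netlink_flush_setelems() is read after nftnl_set_free(nls) has run, which may touch errno, and after a callee that in this same patch neither fails nor sets errno, so the message would report whatever errno was left behind rather than the cause of a flush failure. If the branch is kept as a defensive check, report before releasing the set, i.e. move `nftnl_set_free(nls);` below the `if (err < 0)` block, or save errno into a local immediately after the mnl_nft_setelem_batch_flush() call. As written the `err < 0` path is unreachable because mnl_nft_setelem_batch_flush() returns 0 unconditionally, which deserves a one-line comment so a reader does not go looking for a failure mode that does not exist.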