From 2eb1c30d55f1433e11275f85a97d3694188ecc40 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 6 Dec 2013 10:24:20 +0100
Subject: src: fix rule flushing atomically

nft is currently retrieving the list of rule from the kernel, then deleting each rule one by one. This is slow and not safe.

Fix it by sending a deletion command in a batch without specifying the chain.

This change requires the kernel fix entitled:

netfilter: nf_tables: fix missing rules flushing per table

Signed-off-by: Pablo Neira Ayuso
---
 src/netlink.c | 35 +----------------------------------
 1 file changed, 1 insertion(+), 34 deletions(-)

(limited to 'src')

diff --git a/src/netlink.c b/src/netlink.c
index 533634af..cab8cf4b 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -422,43 +422,10 @@ static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h,
 	return 0;
 }
 
-static int flush_rule_cb(struct nft_rule *nlr, void *arg)
-{
-	struct netlink_ctx *ctx = arg;
-	const struct handle *h = ctx->data;
-	int err;
-
-	if ((h->table &&
-	     strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE), h->table) != 0) ||
-	    (h->chain &&
-	     strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_CHAIN), h->chain) != 0))
-		return 0;
-
-	netlink_dump_rule(nlr);
-	err = mnl_nft_rule_batch_del(nlr, 0, ctx->seqnum);
-	if (err < 0) {
-		netlink_io_error(ctx, NULL, "Could not delete rule: %s",
-				 strerror(errno));
-		return err;
-	}
-	return 0;
-}
-
 static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
 			       const struct location *loc)
 {
-	struct nft_rule_list *rule_cache;
-
-	rule_cache = mnl_nft_rule_dump(nf_sock, h->family);
-	if (rule_cache == NULL)
-		return netlink_io_error(ctx, loc,
-					"Could not receive rules from kernel: %s",
-					strerror(errno));
-
-	ctx->data = h;
-	nft_rule_list_foreach(rule_cache, flush_rule_cb, ctx);
-	nft_rule_list_free(rule_cache);
-	return 0;
+	return netlink_del_rule_batch(ctx, h, loc);
 }
 
 void netlink_dump_chain(struct nft_chain *nlc)
-- cgit v1.2.3
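Review bot: The new one-line body of netlink_flush_rules at the end of the hunk hands the handle straight to netlink_del_rule_batch with nothing in the code recording that a chain-less delete only flushes a whole table on kernels carrying the fix the commit message names; on an older kernel the request may be rejected or may silently leave rules in place, and a caller that believes the table was flushed cannot tell the two outcomes apart. netlink_del_rule_batch is defined outside this hunk, so whether it reports a kernel error through netlink_io_error the way the removed flush_rule_cb did cannot be confirmed from here and is worth checking, since a failed flush of firewall rules that is reported as success is the worse failure mode. A comment above the function would at least capture the dependency: `/* A delete with no chain set relies on the kernel flushing every rule of the table; this needs "netfilter: nf_tables: fix missing rules flushing per table" and is not honoured by earlier kernels. */`.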