From 80d48113ed2d9d1426070405dc8ad6ed896e98f2 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 3 Oct 2013 01:08:07 +0200
Subject: netlink: only flush asked table/chain

The flush operation was not limiting the flush to the table or chain specified on command line. The result was that all the rules for a given family are flush independantly of the flush command.

Signed-off-by: Eric Leblond
Signed-off-by: Pablo Neira Ayuso
---
 src/netlink.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src')

diff --git a/src/netlink.c b/src/netlink.c
index 6f3002bc..f75cef76 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -425,8 +425,15 @@ static int netlink_list_rules(struct netlink_ctx *ctx, const struct handle *h,
 static int flush_rule_cb(struct nft_rule *nlr, void *arg)
 {
 	struct netlink_ctx *ctx = arg;
+	const struct handle *h = ctx->data;
 	int err;
 
+	if ((h->table &&
+	     strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE), h->table) != 0) ||
+	    (h->chain &&
+	     strcmp(nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_CHAIN), h->chain) != 0))
+		return 0;
+
 	netlink_dump_rule(nlr);
 	err = mnl_nft_rule_batch_del(nlr, 0, ctx->seqnum);
 	if (err < 0) {
@@ -448,6 +455,7 @@ static int netlink_flush_rules(struct netlink_ctx *ctx, const struct handle *h,
 				      "Could not receive rules from kernel: %s",
 				      strerror(errno));
 
+	ctx->data = h;
 	mnl_batch_begin();
 	nft_rule_list_foreach(rule_cache, flush_rule_cb, ctx);
 	nft_rule_list_free(rule_cache);
-- 
cgit v1.2.3
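Review bot: The added filter in flush_rule_cb hands the return value of nft_rule_attr_get_str() straight to strcmp(); if that getter yields NULL for a rule whose table or chain attribute is unset (libnftnl's attribute getters do return NULL for attributes that were never set, as far as I can tell), the comparison dereferences NULL and the flush aborts mid-batch, so fetching each name into a local first and treating a missing name as "does not match" keeps the scoping fix without the crash. The callback also depends on ctx->data having been pointed at the handle by netlink_flush_rules in the second hunk, a contract the void pointer does not express; a comment above flush_rule_cb such as `/* ctx->data must point to the struct handle being flushed; netlink_flush_rules() sets it before nft_rule_list_foreach() */` would make that coupling visible to any other caller. The filter also matches on table and chain names only, so if a caller ever supplied a chain without a table the rule would be compared against every table of the family; worth confirming the command-line parser always pairs the two. Both flush_rule_cb and netlink_flush_rules continue outside their hunks.
```c
static int flush_rule_cb(struct nft_rule *nlr, void *arg)
{
	struct netlink_ctx *ctx = arg;
	/* ctx->data must point to the struct handle being flushed; set by netlink_flush_rules(). */
	const struct handle *h = ctx->data;
	const char *table = nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_TABLE);
	const char *chain = nft_rule_attr_get_str(nlr, NFT_RULE_ATTR_CHAIN);
	int err;

	/* Skip rules outside the requested table/chain; an unset attribute never matches. */
	if ((h->table && (!table || strcmp(table, h->table) != 0)) ||
	    (h->chain && (!chain || strcmp(chain, h->chain) != 0)))
		return 0;

	/* … unchanged: dump, batch delete and error handling … */
```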