| Message ID | 20191120174357.26112-4-cgzones@googlemail.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Series | [RFC,1/4] statement: make secmark statements idempotent |
On Wed, Nov 20, 2019 at 06:43:57PM +0100, Christian Göttsche wrote:
> Add the ability to reset secmark associations between the user-end string representation and the kernel-internal secid.
> This allows a lightweight reset, without reloading the whole configuration and resetting all counters etc.
>
> *TODO*:
> Pablo suggested dropping this change.
> Are the actual objects in the kernel not destroyed and recreated?
> Or is this functionality useless?

The reset command is useful for stateful objects that collect some internal state. Basically, reset allows you to list the existing object state and reset it, e.g. counters.

In this case, secmark is not a stateful object, unless I'm missing anything, I think we can skip this.
diff --git a/src/evaluate.c b/src/evaluate.c index 740d3c30..cebc33d3 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3982,8 +3982,10 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd) switch (cmd->obj) { case CMD_OBJ_COUNTER: case CMD_OBJ_QUOTA: + case CMD_OBJ_SECMARK: case CMD_OBJ_COUNTERS: case CMD_OBJ_QUOTAS: + case CMD_OBJ_SECMARKS: if (cmd->handle.table.name == NULL) return 0; if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL) diff --git a/src/parser_bison.y b/src/parser_bison.y index 707f4671..eb767547 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1375,6 +1375,18 @@ reset_cmd : COUNTERS ruleset_spec { $$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL); } + | SECMARKS ruleset_spec + { + $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL); + } + | SECMARKS TABLE table_spec + { + $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL); + } + | SECMARK obj_spec + { + $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL); + } ; flush_cmd : TABLE table_spec diff --git a/src/rule.c b/src/rule.c index 4abc13c9..08b04827 100644 --- a/src/rule.c +++ b/src/rule.c @@ -2539,6 +2539,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd) case CMD_OBJ_QUOTA: type = NFT_OBJECT_QUOTA; break; + case CMD_OBJ_SECMARKS: + dump = true; + /* fall through */ + case CMD_OBJ_SECMARK: + type = NFT_OBJECT_SECMARK; + break; default: BUG("invalid command object type %u\n", cmd->obj); }
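Review bot: in the cmd_evaluate_reset hunk (src/evaluate.c), the new CMD_OBJ_SECMARK and CMD_OBJ_SECMARKS cases only join the table-existence check already shared by counters and quotas, so nothing in the evaluation step distinguishes a stateful object from a secmark object. Given the maintainer's point that reset exists for objects that accumulate state, either drop these cases together with the rest of the change, or replace the open TODO in the commit message with a statement of what observable effect `reset secmark` is expected to have.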
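Review bot: the reset_cmd hunk (src/parser_bison.y) adds three user-visible forms (`reset secmarks`, `reset secmarks table <table>`, `reset secmark <obj>`), but the diffstat lists only src/evaluate.c, src/parser_bison.y and src/rule.c, so the new syntax ships with no man page entry and no shell test. If the change is kept, document the forms where the existing `reset counter`/`reset quota` syntax is described and add a test exercising at least the singular and plural variants.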
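Review bot: in the do_command_reset hunk (src/rule.c), the secmark cases set `dump = true` for the plural form and `type = NFT_OBJECT_SECMARK`, mirroring the quota case in the context, and nothing more. The commit message promises that this re-associates the string context with the kernel's secid, yet the hunk issues the same reset request used for stateful objects, so whether any re-association happens depends entirely on how the kernel answers a reset for NFT_OBJECT_SECMARK. Confirm that kernel behaviour and state it in the commit message; if the kernel merely dumps the object unchanged, the command is a no-op and should be dropped as the maintainer suggests.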
Add the ability to reset secmark associations between the user-end string representation and the kernel-internal secid.
This allows a lightweight reset, without reloading the whole configuration and resetting all counters etc.

*TODO*:
Pablo suggested dropping this change.
Are the actual objects in the kernel not destroyed and recreated?
Or is this functionality useless?

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 src/evaluate.c     |  2 ++
 src/parser_bison.y | 12 ++++++++++++
 src/rule.c         |  6 ++++++
 3 files changed, 20 insertions(+)