diff mbox

[nft] mnl: add mnl_nft_setelem_batch_flush() and use it from netlink_flush_setelems()

Message ID 1482193426-11645-1-git-send-email-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Pablo Neira Ayuso Dec. 20, 2016, 12:23 a.m. UTC 
Commit 8bd99f2fca7e ("mnl: don't send empty set elements netlink message
to kernel") broke set flush because we still need to send the set
element netlink message header with no payload to flush sets.

To avoid more whack-a-mole games, add a new explicit function
mnl_nft_setelem_batch_flush() that is used to request a set flush.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/mnl.h |  2 ++
 src/mnl.c     | 15 +++++++++++++++
 src/netlink.c | 14 +++++++++++++-
 3 files changed, 30 insertions(+), 1 deletion(-)
diff mbox

Patch

diff --git a/include/mnl.h b/include/mnl.h
index f74dfee5c8c6..87db96afd369 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -82,6 +82,8 @@  int mnl_nft_setelem_delete(struct mnl_socket *nf_sock, struct nftnl_set *nls,
 			   unsigned int flags);
 int mnl_nft_setelem_batch_del(struct nftnl_set *nls,
 			      unsigned int flags, uint32_t seq);
+int mnl_nft_setelem_batch_flush(struct nftnl_set *nls, unsigned int flags,
+				uint32_t seqnum);
 int mnl_nft_setelem_get(struct mnl_socket *nf_sock, struct nftnl_set *nls);
 
 struct nftnl_ruleset *mnl_nft_ruleset_dump(struct mnl_socket *nf_sock,
diff --git a/src/mnl.c b/src/mnl.c
index d107015c2743..257b630e2a26 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -902,6 +902,21 @@  int mnl_nft_setelem_batch_add(struct nftnl_set *nls, unsigned int flags,
 	return mnl_nft_setelem_batch(nls, NFT_MSG_NEWSETELEM, flags, seqnum);
 }
 
+int mnl_nft_setelem_batch_flush(struct nftnl_set *nls, unsigned int flags,
+				uint32_t seqnum)
+{
+	struct nlmsghdr *nlh;
+
+	nlh = nftnl_set_elem_nlmsg_build_hdr(nftnl_batch_buffer(batch),
+			NFT_MSG_DELSETELEM,
+			nftnl_set_get_u32(nls, NFTNL_SET_FAMILY),
+			NLM_F_CREATE | flags, seqnum);
+	nftnl_set_elems_nlmsg_build_payload(nlh, nls);
+	mnl_nft_batch_continue();
+
+	return 0;
+}
+
 int mnl_nft_setelem_batch_del(struct nftnl_set *nls, unsigned int flags,
 			      uint32_t seqnum)
 {
diff --git a/src/netlink.c b/src/netlink.c
index 714df4e892b2..d6d00199d746 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1410,7 +1410,19 @@  static int netlink_del_setelems_compat(struct netlink_ctx *ctx,
 int netlink_flush_setelems(struct netlink_ctx *ctx, const struct handle *h,
 			   const struct location *loc)
 {
-	return netlink_del_setelems_batch(ctx, h, NULL);
+	struct nftnl_set *nls;
+	int err;
+
+	nls = alloc_nftnl_set(h);
+	netlink_dump_set(nls);
+
+	err = mnl_nft_setelem_batch_flush(nls, 0, ctx->seqnum);
+	nftnl_set_free(nls);
+	if (err < 0)
+		netlink_io_error(ctx, loc,
+				 "Could not flush set elements: %s",
+				 strerror(errno));
+	return err;
 }
 
 static struct expr *netlink_parse_concat_elem(const struct datatype *dtype,