Message ID | 1504475761-11454-1-git-send-email-pablo@netfilter.org |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Series | None |
I only see patches 3, 4, and 5 of this series. If this is meant for net-next inclusion, you'll have to submit it such that I see the entire series on netdev and thus in patchwork. Thanks.
On Sun, Sep 03, 2017 at 05:14:18PM -0700, David Miller wrote:
> I only see patches 3, 4, and 5 of this series.
>
> If this is meant for net-next inclusion, you'll have to submit it such that
> I see the entire series on netdev and thus in patchwork.

I'm posting this new NLM_F_NONREC for acknowledgment, if possible. I have a few more patches that follow up so I can take them through nf-next in the next batch. But I can just re-send this through your net-next tree, as you prefer.
diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h index f4fc9c9e123d..e8af60a7c56d 100644 --- a/include/uapi/linux/netlink.h +++ b/include/uapi/linux/netlink.h @@ -69,6 +69,9 @@ struct nlmsghdr { #define NLM_F_CREATE 0x400 /* Create, if it does not exist */ #define NLM_F_APPEND 0x800 /* Add to end of list */ +/* Modifiers to DELETE request */ +#define NLM_F_NONREC 0x100 /* Do not delete recursively */ + /* Flags for ACK message */ #define NLM_F_CAPPED 0x100 /* request was capped */ #define NLM_F_ACK_TLVS 0x200 /* extended ACK TVLs were included */
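Review bot: the comment on the new `NLM_F_NONREC` define does not record that the value 0x100 is shared with `NLM_F_ROOT` (get requests), `NLM_F_REPLACE` (new requests) and, in the ACK flags a few lines below in this same hunk, `NLM_F_CAPPED`; since this is a uapi header, that constraint belongs next to the define, e.g. `/* Do not delete recursively (DELETE requests only) */`, so a reader does not have to dig up the commit message to learn the flag must not be combined with GET or NEW operations. Nothing in this hunk consumes the flag, so a kernel carrying only this header change still performs the recursive delete; the nf_tables handling that patches 4/5 and 5/5 provide should be merged together with it so userspace cannot observe the flag being silently ignored.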
In the last NFWS in Faro, Portugal, we discussed that netlink is lacking the semantics to request non-recursive deletions, i.e. do not delete an object iff it has child objects that hang from this parent object that the user requests to be deleted.

We need this new flag to solve a problem for the iptables-compat backward compatibility utility, that runs iptables commands using the existing nf_tables netlink interface. Specifically, custom chains in iptables cannot be deleted if there are rules in them; however, nf_tables allows removing any chain that is populated with content. To sort out this asymmetry, iptables-compat userspace sets this new NLM_F_NONREC flag to obtain the same semantics that iptables provides.

This new flag should only be used for deletion requests. Note this new flag value overlaps with the existing:

* NLM_F_ROOT for get requests.
* NLM_F_REPLACE for new requests.

However, those flags should not ever be used in deletion requests.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
@David: Please, acknowledge this if you think this is fine so I can take this into the nf-next tree, given patches 4/5 and 5/5 depend on this. Thanks a lot!

include/uapi/linux/netlink.h | 3 +++
1 file changed, 3 insertions(+)