From: "Christian Göttsche" <cgzones@googlemail.com>
To: netfilter-devel@vger.kernel.org
Subject: [RFC 4/4] src: add ability to reset secmarks
Date: Wed, 20 Nov 2019 18:43:57 +0100
Message-ID: <20191120174357.26112-4-cgzones@googlemail.com>
In-Reply-To: <20191120174357.26112-1-cgzones@googlemail.com>
Add the ability to reset secmark associations between the user-end string representation and the kernel-internal secid.
This allows a lightweight reset, without reloading the whole configuration and resetting all counters etc.
*TODO*:
Pablo suggested to drop this change.
Are the actual objects in the kernel not destroyed and recreated?
Or is this functionality useless?
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
src/evaluate.c | 2 ++
src/parser_bison.y | 12 ++++++++++++
src/rule.c | 6 ++++++
3 files changed, 20 insertions(+)
diff --git a/src/evaluate.c b/src/evaluate.c
index 740d3c30..cebc33d3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3982,8 +3982,10 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
switch (cmd->obj) {
case CMD_OBJ_COUNTER:
case CMD_OBJ_QUOTA:
+ case CMD_OBJ_SECMARK:
case CMD_OBJ_COUNTERS:
case CMD_OBJ_QUOTAS:
+ case CMD_OBJ_SECMARKS:
if (cmd->handle.table.name == NULL)
return 0;
if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
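Review bot: With `CMD_OBJ_SECMARK` sharing this branch, the only validation visible for a single-object `reset secmark` is the `table_lookup()` on the handle; the object name is not checked in these lines. That matches how `CMD_OBJ_COUNTER` and `CMD_OBJ_QUOTA` are treated here, but please confirm that a reset naming a secmark that does not exist ends in a clear error from the later netlink path rather than a silent no-op, since a user would otherwise assume the label mapping was refreshed.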
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 707f4671..eb767547 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1375,6 +1375,18 @@ reset_cmd : COUNTERS ruleset_spec
{
$$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
}
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
;
flush_cmd : TABLE table_spec
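Review bot: Documentation and tests are missing for the three new `reset_cmd` alternatives (`SECMARKS ruleset_spec`, `SECMARKS TABLE table_spec`, `SECMARK obj_spec`); the diffstat only touches `src/evaluate.c`, `src/parser_bison.y` and `src/rule.c`. If the series goes ahead, add the new syntax to the man page next to the counter and quota reset commands and add a test case that exercises each form, so the accepted grammar is pinned down.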
diff --git a/src/rule.c b/src/rule.c
index 4abc13c9..08b04827 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2539,6 +2539,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
case CMD_OBJ_QUOTA:
type = NFT_OBJECT_QUOTA;
break;
+ case CMD_OBJ_SECMARKS:
+ dump = true;
+ /* fall through */
+ case CMD_OBJ_SECMARK:
+ type = NFT_OBJECT_SECMARK;
+ break;
default:
BUG("invalid command object type %u\n", cmd->obj);
}
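Review bot: The `CMD_OBJ_SECMARKS` / `CMD_OBJ_SECMARK` cases only set `dump = true` and `type = NFT_OBJECT_SECMARK` and then reuse the generic reset path, so nothing in this patch shows that the kernel re-resolves the security context string to a secid on reset. The commit message claims exactly that effect and its own TODO questions it. Please state in the commit message what the kernel does for a reset of `NFT_OBJECT_SECMARK`, or drop the patch if it is a no-op there, because a reset command that leaves the old secid in place would give a false impression that packet labels follow the current policy.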
--
2.24.0