Commit 5e266fe7 authored by Arturo Borrero's avatar Arturo Borrero Committed by Pablo Neira Ayuso

netfilter: nf_tables: refactor rule deletion helper

This helper function always schedule the rule to be removed in the following
transaction.
In follow-up patches, it is interesting to handle separately the logic of rule
activation/disactivation from the transaction mechanism.

So, this patch simply splits the original nf_tables_delrule_one() in two
functions, allowing further control.

While at it, for the sake of homogenizing the function naming scheme, let's
rename nf_tables_delrule_one() to nft_delrule().
Signed-off-by: default avatarArturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 876665ea
...@@ -1868,12 +1868,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb, ...@@ -1868,12 +1868,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
} }
static int static int
nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule) nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
{ {
/* You cannot delete the same rule twice */ /* You cannot delete the same rule twice */
if (nft_rule_is_active_next(ctx->net, rule)) { if (nft_rule_is_active_next(ctx->net, rule)) {
if (nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule) == NULL)
return -ENOMEM;
nft_rule_disactivate_next(ctx->net, rule); nft_rule_disactivate_next(ctx->net, rule);
ctx->chain->use--; ctx->chain->use--;
return 0; return 0;
...@@ -1881,13 +1879,31 @@ nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule) ...@@ -1881,13 +1879,31 @@ nf_tables_delrule_one(struct nft_ctx *ctx, struct nft_rule *rule)
return -ENOENT; return -ENOENT;
} }
static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
{
struct nft_trans *trans;
int err;
trans = nft_trans_rule_add(ctx, NFT_MSG_DELRULE, rule);
if (trans == NULL)
return -ENOMEM;
err = nf_tables_delrule_deactivate(ctx, rule);
if (err < 0) {
nft_trans_destroy(trans);
return err;
}
return 0;
}
static int nf_table_delrule_by_chain(struct nft_ctx *ctx) static int nf_table_delrule_by_chain(struct nft_ctx *ctx)
{ {
struct nft_rule *rule; struct nft_rule *rule;
int err; int err;
list_for_each_entry(rule, &ctx->chain->rules, list) { list_for_each_entry(rule, &ctx->chain->rules, list) {
err = nf_tables_delrule_one(ctx, rule); err = nft_delrule(ctx, rule);
if (err < 0) if (err < 0)
return err; return err;
} }
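Review bot: nf_tables_delrule_deactivate (its body starts in the previous hunk) now decrements ctx->chain->use and calls nft_rule_disactivate_next without recording any transaction of its own, so the chain's bookkeeping stays consistent only if every caller has already queued an NFT_MSG_DELRULE transaction the way nft_delrule does, and nothing at the helper's definition says so. Since the description announces further callers of this helper, a comment above its definition would protect that invariant, e.g. `/* Caller must already have queued an NFT_MSG_DELRULE transaction for this rule (see nft_delrule): chain->use is adjusted here without one. */`. In nft_delrule the transaction is allocated before the "already deleted" check, so deleting a rule that is already scheduled for removal pays for nft_trans_rule_add plus nft_trans_destroy before returning -ENOENT; that is harmless as written, but worth noting in a one-line comment on the `nft_trans_destroy(trans);` path so the ordering is not mistaken for an error-handling oversight later.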
...@@ -1932,7 +1948,7 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb, ...@@ -1932,7 +1948,7 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
if (IS_ERR(rule)) if (IS_ERR(rule))
return PTR_ERR(rule); return PTR_ERR(rule);
err = nf_tables_delrule_one(&ctx, rule); err = nft_delrule(&ctx, rule);
} else { } else {
err = nf_table_delrule_by_chain(&ctx); err = nf_table_delrule_by_chain(&ctx);
} }
......