xtables: allow to reset the counters of an existing rule

Now that we convert nft rules to the native xt command structure, it's
easier to reset the counters by replacing the existing rule with a
new one that has all counters set to zero.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/nft.c b/iptables/nft.c
index 5c79455..143293b 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2091,6 +2091,41 @@
 	return ret;
 }
 
+int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
+			   const char *table, int rulenum)
+{
+	struct iptables_command_state cs = {};
+	struct nft_rule_list *list;
+	struct nft_rule *r;
+	int ret = 0;
+
+	nft_fn = nft_rule_delete;
+
+	list = nft_rule_list_create(h);
+	if (list == NULL)
+		return 0;
+
+	r = nft_rule_find(list, chain, table, NULL, rulenum);
+	if (r == NULL) {
+		errno = ENOENT;
+		ret = 1;
+		goto error;
+	}
+
+	nft_rule_to_iptables_command_state(r, &cs);
+
+	cs.counters.pcnt = cs.counters.bcnt = 0;
+
+	ret =  nft_rule_append(h, chain, table, &cs,
+			       nft_rule_attr_get_u64(r, NFT_RULE_ATTR_HANDLE),
+			       false);
+
+error:
+	nft_rule_list_destroy(list);
+
+	return ret;
+}
+
 static int nft_action(struct nft_handle *h, int type)
 {
 	char buf[MNL_SOCKET_BUFFER_SIZE];
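Review bot: The not-found path in nft_rule_zero_counters sets `errno = ENOENT` and then `ret = 1`, but the xtables.c callers in this same patch treat a non-zero `ret` as success (`if (ret && ...)`) and the list-creation failure returns 0, so a missing rule appears to be reported as success; dropping the `ret = 1;` line (ret is already 0) would make the two failure paths agree. `nft_fn = nft_rule_delete;` also looks copied from the delete path and would presumably make error reporting name the wrong operation; I would expect `nft_fn = nft_rule_zero_counters;`. Because the rule is rebuilt from `cs` and re-submitted rather than having only its counters touched, a short comment stating that the conversion must round-trip every match and target would help, since any loss there would silently change a live filtering rule.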
diff --git a/iptables/nft.h b/iptables/nft.h
index 006c031..fe1b9c8 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -81,6 +81,7 @@
 int nft_rule_list_save(struct nft_handle *h, const char *chain, const char *table, int rulenum, int counters);
 int nft_rule_save(struct nft_handle *h, const char *table, bool counters);
 int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table);
+int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *table, int rulenum);
 
 enum nft_rule_print {
 	NFT_RULE_APPEND,
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 3e6092f..279b77b 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1173,8 +1173,7 @@
 		ret = nft_chain_zero_counters(h, chain, *table);
 		break;
 	case CMD_ZERO_NUM:
-		/* FIXME */
-//		ret = iptc_zero_counter(chain, rulenum, *handle);
+		ret = nft_rule_zero_counters(h, chain, *table, rulenum - 1);
 		break;
 	case CMD_LIST:
 	case CMD_LIST|CMD_ZERO:
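Review bot: The `rulenum - 1` conversion is repeated at all three call sites (here under `CMD_ZERO_NUM`, and again in the `CMD_LIST` and `CMD_LIST_RULES` hunks below) with no comment saying that nft_rule_zero_counters takes a zero-based index. None of the hunks shows where rulenum is validated, so if it can still be 0 at these points a value of -1 is passed down to nft_rule_find; it is worth confirming that the option parser rejects 0 before this code runs. I would add `/* nft_rule_zero_counters() takes a zero-based rule index */` at the first call so the off-by-one is not mistaken for a bug later. The switch statement starts and ends outside these hunks.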
@@ -1187,9 +1186,9 @@
 				   cs.options&OPT_LINENUMBERS);
 		if (ret && (command & CMD_ZERO))
 			ret = nft_chain_zero_counters(h, chain, *table);
-		/* FIXME */
-/*		if (ret && (command & CMD_ZERO_NUM))
-			ret = iptc_zero_counter(chain, rulenum, *handle); */
+		if (ret && (command & CMD_ZERO_NUM))
+			ret = nft_rule_zero_counters(h, chain, *table,
+						     rulenum - 1);
 		break;
 	case CMD_LIST_RULES:
 	case CMD_LIST_RULES|CMD_ZERO:
@@ -1197,9 +1196,9 @@
 		ret = list_rules(h, chain, *table, rulenum, cs.options&OPT_VERBOSE);
 		if (ret && (command & CMD_ZERO))
 			ret = nft_chain_zero_counters(h, chain, *table);
-		/* FIXME */
-/*		if (ret && (command & CMD_ZERO_NUM))
-			ret = iptc_zero_counter(chain, rulenum, *handle); */
+		if (ret && (command & CMD_ZERO_NUM))
+			ret = nft_rule_zero_counters(h, chain, *table,
+						     rulenum - 1);
 		break;
 	case CMD_NEW_CHAIN:
 		ret = nft_chain_user_add(h, chain, *table);