xtables: allow to zero chains via -Z
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/nft.c b/iptables/nft.c
index a67f875..365086b 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2859,3 +2859,64 @@
return 0;
}
+
+int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
+ const char *table)
+{
+ struct nft_chain_list *list;
+ struct nft_chain_list_iter *iter;
+ struct nft_chain *c;
+ struct nlmsghdr *nlh;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ int ret = 0;
+
+ list = nft_chain_list_get(h);
+ if (list == NULL)
+ goto err;
+
+ iter = nft_chain_list_iter_create(list);
+ if (iter == NULL) {
+ DEBUGP("cannot allocate rule list iterator\n");
+ return 0;
+ }
+
+ c = nft_chain_list_iter_next(iter);
+ while (c != NULL) {
+ const char *chain_name =
+ nft_chain_attr_get(c, NFT_CHAIN_ATTR_NAME);
+ const char *chain_table =
+ nft_chain_attr_get(c, NFT_CHAIN_ATTR_TABLE);
+
+ if (strcmp(table, chain_table) != 0)
+ goto next;
+
+ if (chain != NULL && strcmp(chain, chain_name) != 0)
+ goto next;
+
+ nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_PACKETS, 0);
+ nft_chain_attr_set_u64(c, NFT_CHAIN_ATTR_BYTES, 0);
+
+ nft_chain_attr_unset(c, NFT_CHAIN_ATTR_HANDLE);
+
+ nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN,
+ h->family, NLM_F_ACK, h->seq);
+
+ nft_chain_nlmsg_build_payload(nlh, c);
+
+ ret = mnl_talk(h, nlh, NULL, NULL);
+ if (ret < 0)
+ perror("mnl_talk:nft_chain_zero_counters");
+
+next:
+ c = nft_chain_list_iter_next(iter);
+ }
+
+ nft_chain_list_iter_destroy(iter);
+
+err:
+ nft_chain_list_free(list);
+
+ /* the core expects 1 for success and 0 for error */
+ return ret == 0 ? 1 : 0;
+}
+
diff --git a/iptables/nft.h b/iptables/nft.h
index 8d5881d..082260e 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -42,6 +42,7 @@
int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_del(struct nft_handle *h, const char *chain, const char *table);
int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *table, const char *newname);
+int nft_chain_zero_counters(struct nft_handle *h, const char *chain, const char *table);
/*
* Operations with rule-set.
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 688844e..ca057d3 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -549,14 +549,6 @@
}
static int
-zero_entries(const xt_chainlabel chain, int verbose,
- struct xtc_handle *handle)
-{
- /* XXX iterate over chains and reset counters */
- return 1;
-}
-
-static int
list_entries(struct nft_handle *h, const char *chain, const char *table,
int rulenum, int verbose, int numeric, int expanded,
int linenumbers)
@@ -1187,8 +1179,7 @@
ret = nft_rule_flush(h, chain, *table);
break;
case CMD_ZERO:
- /* FIXME */
-// ret = zero_entries(chain, cs.options&OPT_VERBOSE, *handle);
+ ret = nft_chain_zero_counters(h, chain, *table);
break;
case CMD_ZERO_NUM:
/* FIXME */
@@ -1197,28 +1188,26 @@
case CMD_LIST:
case CMD_LIST|CMD_ZERO:
case CMD_LIST|CMD_ZERO_NUM:
- /* FIXME */
ret = list_entries(h, chain, *table,
rulenum,
cs.options&OPT_VERBOSE,
cs.options&OPT_NUMERIC,
cs.options&OPT_EXPANDED,
cs.options&OPT_LINENUMBERS);
-/* if (ret && (command & CMD_ZERO))
- ret = zero_entries(chain,
- cs.options&OPT_VERBOSE, *handle);
- if (ret && (command & CMD_ZERO_NUM))
+ if (ret && (command & CMD_ZERO))
+ ret = nft_chain_zero_counters(h, chain, *table);
+ /* FIXME */
+/* if (ret && (command & CMD_ZERO_NUM))
ret = iptc_zero_counter(chain, rulenum, *handle); */
break;
case CMD_LIST_RULES:
case CMD_LIST_RULES|CMD_ZERO:
case CMD_LIST_RULES|CMD_ZERO_NUM:
- /* FIXME */
ret = list_rules(h, chain, *table, rulenum, cs.options&OPT_VERBOSE);
-/* if (ret && (command & CMD_ZERO))
- ret = zero_entries(chain,
- cs.options&OPT_VERBOSE, *handle);
- if (ret && (command & CMD_ZERO_NUM))
+ if (ret && (command & CMD_ZERO))
+ ret = nft_chain_zero_counters(h, chain, *table);
+ /* FIXME */
+/* if (ret && (command & CMD_ZERO_NUM))
ret = iptc_zero_counter(chain, rulenum, *handle); */
break;
case CMD_NEW_CHAIN:
