Chains in NFT_COMPAT_CHAIN_ADD usually have to be freed because they are
not added to the cache.

There is one exception though, namely when zeroing counters:
nft_chain_zero_counters() adds a chain object it took from chain cache.
To distinguish this situation from the others, introduce the
NFT_COMPAT_CHAIN_ZERO batch object type, which is treated just like
NFT_COMPAT_CHAIN_ADD except that batch_obj_del() does not free its chain.

Signed-off-by: Phil Sutter <[email protected]>
---
 iptables/nft.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 26df1287c5188..327c19ad2c6c9 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -246,6 +246,7 @@ enum obj_update_type {
        NFT_COMPAT_CHAIN_USER_FLUSH,
        NFT_COMPAT_CHAIN_UPDATE,
        NFT_COMPAT_CHAIN_RENAME,
+       NFT_COMPAT_CHAIN_ZERO,
        NFT_COMPAT_RULE_APPEND,
        NFT_COMPAT_RULE_INSERT,
        NFT_COMPAT_RULE_REPLACE,
@@ -310,6 +311,7 @@ static int mnl_append_error(const struct nft_handle *h,
                         nftnl_table_get_str(o->table, NFTNL_TABLE_NAME));
                break;
        case NFT_COMPAT_CHAIN_ADD:
+       case NFT_COMPAT_CHAIN_ZERO:
        case NFT_COMPAT_CHAIN_USER_ADD:
        case NFT_COMPAT_CHAIN_USER_DEL:
        case NFT_COMPAT_CHAIN_USER_FLUSH:
@@ -2445,9 +2447,10 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
        case NFT_COMPAT_TABLE_FLUSH:
                nftnl_table_free(o->table);
                break;
-       case NFT_COMPAT_CHAIN_ADD:
+       case NFT_COMPAT_CHAIN_ZERO:
        case NFT_COMPAT_CHAIN_USER_ADD:
                break;
+       case NFT_COMPAT_CHAIN_ADD:
        case NFT_COMPAT_CHAIN_USER_DEL:
        case NFT_COMPAT_CHAIN_USER_FLUSH:
        case NFT_COMPAT_CHAIN_UPDATE:
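Review bot: In batch_obj_del(), the new `case NFT_COMPAT_CHAIN_ZERO:` shares a bare `break` with NFT_COMPAT_CHAIN_USER_ADD, and nothing in the code says why these two types must not free `o->chain`. A comment such as `/* chain is owned by the chain cache, do not free it here */` above the pair would keep a later edit from reintroducing the double free. Because NFT_COMPAT_CHAIN_ADD now falls through to the freeing cases, every remaining caller that queues NFT_COMPAT_CHAIN_ADD has to pass a chain that is not in the cache; those callers are outside this diff, so that is worth confirming. The borrowed pointer is read again by nft_action() (`n->chain` in the next hunk), so presumably the cache must not be flushed or rebuilt between queuing and commit. The function body starts and ends outside the hunk.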
@@ -2496,6 +2499,7 @@ static int nft_action(struct nft_handle *h, int action)
                                                   n->seq, n->table);
                        break;
                case NFT_COMPAT_CHAIN_ADD:
+               case NFT_COMPAT_CHAIN_ZERO:
                        nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,
                                                   NLM_F_CREATE, n->seq,
                                                   n->chain);
@@ -2881,7 +2885,7 @@ int nft_chain_zero_counters(struct nft_handle *h, const char *chain,
 
                nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE);
 
-               ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c);
+               ret = batch_chain_add(h, NFT_COMPAT_CHAIN_ZERO, c);
 
                if (chain != NULL)
                        break;
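Review bot: `nftnl_chain_unset(c, NFTNL_CHAIN_HANDLE)` now modifies an object that stays in the chain cache, because with NFT_COMPAT_CHAIN_ZERO the chain is no longer freed after the batch. If anything later in the same handle's lifetime reads the handle attribute from the cached chain, it will find it missing. Consider queuing a copy of the chain instead, or documenting the side effect with a comment such as `/* the cached chain loses its handle here */`. Separately, `ret` from batch_chain_add() is not checked in the visible lines before the `break`; if this sits in a loop over all chains (the loop is outside the hunk), an earlier failure may be overwritten by a later success. The function body extends beyond the hunk.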
-- 
2.18.0
