List: netfilter
Subject: [PATCH] support for ipnatctl -F (flush)
From: Marc Boucher <marc () mbsi ! ca>
Date: 1999-10-29 16:54:46
This is a multipart MIME message.
1999-10-29 Marc Boucher <marc@mbsi.ca>
* NAT/userspace/ipnatctl.c: Added -F option to flush all rules.
* NAT/userspace/ipnatctl.8: Added documentation for -F option.
* NAT/ip_nat_rule.c: Added delete_rules() function, called upon
IP_NAT_SO_SET_DELETE with len == 0.
["netfilter-0.1.11-natflush.patch" (application/x-patch)]
--- netfilter/NAT/ip_nat_rule.c 1999/10/29 14:08:20 1.1
+++ netfilter/NAT/ip_nat_rule.c 1999/10/29 16:03:18
@@ -459,7 +459,8 @@
/* This can't be used to delete expected rules, since the precedence
calculated here won't match the 0 used in ip_nat_expect() above. */
-static int delete_rule(const struct ip_nat_rule_user *ruleuser,
+static int
+delete_rule(const struct ip_nat_rule_user *ruleuser,
struct ip_nat_mapping_type *mtype,
unsigned int optlen)
{
@@ -543,6 +544,46 @@
}
static int
+delete_rules()
+{
+ struct list_head *i;
+ enum ip_nat_manip_type maniptype;
+
+ READ_LOCK(&ip_nat_lock);
+ for (maniptype = IP_NAT_MANIP_SRC;
+ maniptype <= IP_NAT_MANIP_DST;
+ maniptype++) {
+ for (i = nat_rules[maniptype].next;
+ i != &nat_rules[maniptype];
+ i = i->next) {
+ struct ip_nat_rule *rule = (struct ip_nat_rule *)i;
+
+ if (rule->dead || (rule->mtype == &mapping_expect)) {
+ continue;
+ }
+
+ atomic_inc(&rule->use);
+ READ_UNLOCK(&ip_nat_lock);
+
+ /* Deleting it altogether: dec use count. */
+ if (rule->mtype && rule->mtype->me)
+ __MOD_DEC_USE_COUNT(rule->mtype->me);
+
+ /* Drop home reference. */
+ rule->dead = 1;
+ ip_nat_rule_put(rule);
+
+ READ_LOCK(&ip_nat_lock);
+ i = nat_rules[maniptype].next;
+ }
+ }
+
+ READ_UNLOCK(&ip_nat_lock);
+
+ return 0;
+}
+
+static int
do_ip_nat_set_ctl(struct sock *sk, int cmd, void *user, unsigned int len)
{
int ret;
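Review bot: The restart at `i = nat_rules[maniptype].next;` after the lock is reacquired is immediately followed by the for-loop's own `i = i->next`, so every pass resumes at the second entry of the list rather than the first. That is harmless only if ip_nat_rule_put() leaves the dead rule linked (the `rule->dead` check at the top of the loop suggests dead entries can stay in the list); if dropping the home reference unlinks the entry, the new head is skipped and a flush can leave a rule behind. Restarting from the list head, `i = &nat_rules[maniptype];`, makes the increment land on the first live entry in either case. Two smaller points: declare the function as `delete_rules(void)` rather than with an empty parameter list, and `rule->dead = 1` is written after READ_UNLOCK with no lock held at all — presumably this mirrors delete_rule(), whose body is outside this hunk, but it is worth confirming that a read lock is the intended protection for that flag.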
@@ -552,6 +593,10 @@
if (!capable(CAP_NET_ADMIN))
return -EPERM;
+ if (cmd == IP_NAT_SO_SET_DELETE && len == 0) {
+ return delete_rules();
+ }
+
/* len > 128000 is a sanity check. */
if (len < sizeof(struct ip_nat_rule_user) || len > 128000) {
DEBUGP("IP_NAT_SO_INSERT/DELETE: len %u < %u\n",
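Review bot: The flush path is selected by overloading IP_NAT_SO_SET_DELETE with `len == 0`, and nothing in the hunk says so; a reader of do_ip_nat_set_ctl (whose body continues outside the hunk) sees only a magic zero ahead of the length sanity check. I would put a comment above the new `if`: `/* DELETE with len == 0 is the flush request from ipnatctl -F: drop every rule; no rule body follows. */`. The placement after the `capable(CAP_NET_ADMIN)` test is right, since the flush stays privileged, and the early return also keeps the zero-length request away from the `len < sizeof(struct ip_nat_rule_user)` rejection that follows.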
--- netfilter/NAT/userspace/ipnatctl.8 1999/10/29 14:17:00 1.1
+++ netfilter/NAT/userspace/ipnatctl.8 1999/10/29 14:18:27
@@ -24,7 +24,7 @@
.SH NAME
ipnatctl \- IP NAT administration
.SH SYNOPSIS
-.BR "ipnatctl -[ID] [-n]" "<input spec> <mapping>"
+.BR "ipnatctl -[IDF] [-n]" "<input spec> <mapping>"
.br
.B "iptables -L"
.SH DESCRIPTION
@@ -47,7 +47,7 @@
specifying it exactly following the
.B -D
flag; an error will be given if no such rules exist. Rules consist of
-an input specification, and a mapping.
+an input specification, and a mapping. All rules can be removed with the -F (flush) flag.
The
.B -n
--- netfilter/NAT/userspace/ipnatctl.c 1999/10/29 14:15:56 1.1
+++ netfilter/NAT/userspace/ipnatctl.c 1999/10/29 14:42:03
@@ -82,7 +82,7 @@
fprintf(stderr,
"\nipnatctl v%s\nUsage: "
- " ipnatctl -[ID] [-n] <input spec> <mapping>\n"
+ " ipnatctl -[IDF] [-n] <input spec> <mapping>\n"
" ipnatctl -L\n\n", NETFILTER_VERSION);
fprintf(stderr,
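Review bot: The usage line now advertises `-F` in the same synopsis as `<input spec> <mapping>`, but a flush takes neither, so the text suggests arguments that the kernel path never reads. Giving it its own line, `" ipnatctl -F\n"`, next to the existing `" ipnatctl -L\n\n"` entry would describe the option accurately; the manpage SYNOPSIS in this patch has the same wording and should match.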
@@ -494,7 +494,7 @@
int did_binding = 0;
*op = 0;
- while ((c = getopt_long(argc, argv, "LIDns:d:p:m:t:b:i:o:", opts, NULL))
+ while ((c = getopt_long(argc, argv, "LIDFns:d:p:m:t:b:i:o:", opts, NULL))
!= -1) {
switch (c) {
case 'L':
@@ -509,6 +509,11 @@
*op = IP_NAT_SO_SET_DELETE;
break;
+ case 'F':
+ *op = IP_NAT_SO_SET_DELETE;
+ *rulesize = 0;
+ break;
+
case 'n':
no_lookup = 1;
break;
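Review bot: `case 'F'` overwrites `*op` unconditionally, so `ipnatctl -I ... -F` or `-F -D ...` silently becomes whichever operation came last, and with `-F` followed by `-I` the `*rulesize = 0` set here may survive into an insert request unless later option handling resets it (the rest of the option loop is outside the hunk). Rejecting a second operation is one line before the assignments, `if (*op) print_usage("Only one of -L, -I, -D or -F may be given.");`, and the same guard belongs on the -I and -D cases if they lack it. Since a flush sends no rule body, any -s/-d/-p selectors given alongside -F are dropped silently; refusing them would be friendlier than pretending they were applied.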
@@ -592,11 +597,11 @@
if (optind < argc)
print_usage("unknown arguments found on commandline");
- if (!did_binding)
+ if (!did_binding && !(*op == IP_NAT_SO_SET_DELETE && *rulesize == 0))
print_usage("Need --binding-type/-b option.");
if (!*op)
- print_usage("Need -L, -I or -D.");
+ print_usage("Need -L, -I, -D or -F.");
return rule;
}
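Review bot: The flush case is recognised here by re-deriving `*op == IP_NAT_SO_SET_DELETE && *rulesize == 0`, which couples this check to the in-band encoding chosen in the `'F'` case and will silently break if either side changes. A named local computed once, `int flushing = (*op == IP_NAT_SO_SET_DELETE && *rulesize == 0);`, used as `if (!did_binding && !flushing)`, keeps the intent visible; a dedicated op value for flush would remove the overload altogether. The enclosing function starts outside this hunk.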