
List:       netfilter
Subject:    [PATCH] UPDATED - support for ipnatctl -F (flush)
From:       Marc Boucher <marc () mbsi ! ca>
Date:       1999-10-29 16:56:05



Rusty,

This supersedes the netfilter-0.1.11-natflush.patch I previously posted.

1999-10-29  Marc Boucher <marc@mbsi.ca>

	* NAT/userspace/ipnatctl.c: Added -F option to flush all rules.

        * NAT/userspace/ipnatctl.8: Added documentation for -F option.

        * NAT/ip_nat_rule.c: Added delete_rules() function, called upon
	IP_NAT_SO_SET_DELETE with len == 0.


["netfilter-0.1.11-natflush_rev2.patch" (application/x-patch)]

--- netfilter/NAT/ip_nat_rule.c	1999/10/29 14:08:20	1.1
+++ netfilter/NAT/ip_nat_rule.c	1999/10/29 16:32:09
@@ -459,7 +459,8 @@
 
 /* This can't be used to delete expected rules, since the precedence
    calculated here won't match the 0 used in ip_nat_expect() above. */
-static int delete_rule(const struct ip_nat_rule_user *ruleuser,
+static int
+delete_rule(const struct ip_nat_rule_user *ruleuser,
 		       struct ip_nat_mapping_type *mtype,
 		       unsigned int optlen)
 {
@@ -543,6 +544,47 @@
 }
 
 static int
+delete_rules()
+{
+	struct list_head *i;
+	enum ip_nat_manip_type maniptype;
+
+	READ_LOCK(&ip_nat_lock);
+	for (maniptype = IP_NAT_MANIP_SRC;
+	     maniptype <= IP_NAT_MANIP_DST;
+	     maniptype++) {
+		for (i = nat_rules[maniptype].next;
+		     i != &nat_rules[maniptype];
+		     i = i->next) {
+			struct ip_nat_rule *rule = (struct ip_nat_rule *)i;
+
+			if (rule->dead || (rule->mtype == &mapping_expect)) {
+				continue;
+			}
+
+			atomic_inc(&rule->use);
+			READ_UNLOCK(&ip_nat_lock);
+
+			/* Deleting it altogether: dec use count. */
+			if (rule->mtype && rule->mtype->me)
+				__MOD_DEC_USE_COUNT(rule->mtype->me);
+
+			rule->dead = 1;
+			ip_nat_rule_put(rule); /* Drop home reference. */
+
+			ip_nat_rule_put(rule);
+
+			READ_LOCK(&ip_nat_lock);
+			i = nat_rules[maniptype].next;
+		}
+	}
+
+	READ_UNLOCK(&ip_nat_lock);
+
+	return 0;
+}
+
+static int
 do_ip_nat_set_ctl(struct sock *sk, int cmd, void *user, unsigned int len)
 {
 	int ret;
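Review bot: The inner-loop restart in delete_rules() skips an entry: `i = nat_rules[maniptype].next;` at the end of the body is immediately followed by the for-clause's `i = i->next`, so whatever is first in the list after the deletion is never examined. If ip_nat_rule_put() unlinks a rule whose count reaches zero (not visible in this patch), that first element is a live rule that survives the flush; resetting to the list head instead, `i = &nat_rules[maniptype];`, lets the increment land on the first real entry whether or not the dead rule is still linked. Separately, `rule->dead = 1` and the `__MOD_DEC_USE_COUNT` call run after READ_UNLOCK with no lock held; that is only safe if it matches what delete_rule() does for a single rule, which this hunk does not show. The definition should also read `delete_rules(void)`, since an empty parameter list is an unprototyped declaration in C.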
@@ -552,6 +594,10 @@
 	if (!capable(CAP_NET_ADMIN))
 		return -EPERM;
 
+	if (cmd == IP_NAT_SO_SET_DELETE && len == 0) {
+		return delete_rules();
+	}
+
 	/* len > 128000 is a sanity check. */
 	if (len < sizeof(struct ip_nat_rule_user) || len > 128000) {
 		DEBUGP("IP_NAT_SO_INSERT/DELETE: len %u < %u\n",
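Review bot: The flush is keyed on `len == 0` with nothing in the code saying so; a reader of do_ip_nat_set_ctl() would otherwise expect the length sanity check two lines below to reject an empty request, and the meaning of the sentinel lives only in ipnatctl.c. Add a comment above the new branch, `/* DELETE with len == 0 means flush every rule (ipnatctl -F); the user payload is not read. */`. The capable(CAP_NET_ADMIN) check above it correctly covers the flush path as well.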
--- netfilter/NAT/userspace/ipnatctl.8	1999/10/29 14:17:00	1.1
+++ netfilter/NAT/userspace/ipnatctl.8	1999/10/29 16:32:25
@@ -24,7 +24,7 @@
 .SH NAME
 ipnatctl \- IP NAT administration
 .SH SYNOPSIS
-.BR "ipnatctl -[ID] [-n]" "<input spec> <mapping>"
+.BR "ipnatctl -[IDF] [-n]" "<input spec> <mapping>"
 .br
 .B "iptables -L"
 .SH DESCRIPTION
@@ -47,7 +47,7 @@
 specifying it exactly following the
 .B -D
 flag; an error will be given if no such rules exist.  Rules consist of
-an input specification, and a mapping.
+an input specification, and a mapping. All rules can be removed at once with the -F (flush) flag.
 
 The 
 .B -n
--- netfilter/NAT/userspace/ipnatctl.c	1999/10/29 14:15:56	1.1
+++ netfilter/NAT/userspace/ipnatctl.c	1999/10/29 14:42:03
@@ -82,7 +82,7 @@
 
 	fprintf(stderr,
 		"\nipnatctl v%s\nUsage: "
-		"   ipnatctl -[ID] [-n] <input spec> <mapping>\n"
+		"   ipnatctl -[IDF] [-n] <input spec> <mapping>\n"
 		"   ipnatctl -L\n\n", NETFILTER_VERSION);
 
 	fprintf(stderr,
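Review bot: The usage line now lists -F together with -I and -D but still shows `<input spec> <mapping>` after it, which -F does not take. Giving the flush its own line next to the existing -L line, `"   ipnatctl -F\n"`, keeps the synopsis accurate; the SYNOPSIS line changed in ipnatctl.8 by this patch has the same problem.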
@@ -494,7 +494,7 @@
 	int did_binding = 0;
 
 	*op = 0;
-	while ((c = getopt_long(argc, argv, "LIDns:d:p:m:t:b:i:o:", opts, NULL))
+	while ((c = getopt_long(argc, argv, "LIDFns:d:p:m:t:b:i:o:", opts, NULL))
 	       != -1) {
 		switch (c) {
 		case 'L':
@@ -509,6 +509,11 @@
 			*op = IP_NAT_SO_SET_DELETE;
 			break;
 
+		case 'F':
+			*op = IP_NAT_SO_SET_DELETE;
+			*rulesize = 0;
+			break;
+
 		case 'n':
 			no_lookup = 1;
 			break;
@@ -592,11 +597,11 @@
 	if (optind < argc)
 		print_usage("unknown arguments found on commandline");
 
-	if (!did_binding)
+	if (!did_binding && !(*op == IP_NAT_SO_SET_DELETE && *rulesize == 0))
 		print_usage("Need --binding-type/-b option.");
 
 	if (!*op)
-		print_usage("Need -L, -I or -D.");
+		print_usage("Need -L, -I, -D or -F.");
 
 	return rule;
 }
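Review bot: The flush is accepted even when rule-specification options were also given: with `-F` and `-b` on the same command line did_binding is set, the relaxed condition lets it through, and every rule is removed while the binding is silently ignored. Rejecting the combination, `if (did_binding && *op == IP_NAT_SO_SET_DELETE && *rulesize == 0) print_usage("-F takes no rule specification.");`, turns a mistyped -D into a usage error instead of a full flush. The flush test `*op == IP_NAT_SO_SET_DELETE && *rulesize == 0` is spelled out inline here; a `flush` local set in the `case 'F':` arm of the earlier hunk would read better in both places. The enclosing function starts outside this hunk.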


