Any create/update/delete operation that returns a validation or
marshalling error can leave the message batch in an incomplete state
due to short-circuiting. This can result in either:
- Non-atomic transactions if Flush is called (incomplete batch)
- Users being unable to clear the incomplete batch (no API exposed)
This change ensures that errors are collected and deferred until Flush.
Instead of returning immediately, the following methods now append
errors to a slice checked at Flush:
- AddSet
- DelRule
- SetAddElements
See: https://github.com/google/nftables/issues/323

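As an added illustration of the deferred-error scheme (constructed for this page, not google/nftables code): a hypothetical `batch` type standing in for `Conn`, with `encode` standing in for the real marshaller, records errors from `AddSet` and lets `Flush` report them instead of committing a partial transaction.

```go
package main

import (
	"errors"
	"fmt"
)

// batch is a hypothetical stand-in for Conn (not the google/nftables type)
// that mimics the deferred-error scheme above: marshalling errors are
// recorded, and Flush refuses to send while any exist.
type batch struct {
	messages []string // encoded netlink messages, simplified to strings
	errs     []error
}

// encode is a stand-in marshaller that rejects an empty body.
func encode(op string, body []byte) (string, error) {
	if len(body) == 0 {
		return "", fmt.Errorf("%s: empty body", op)
	}
	return op + ":" + string(body), nil
}

// AddSet appends the encoded message, or records the error for Flush.
func (b *batch) AddSet(body []byte) {
	if m, err := encode("NFT_MSG_NEWSET", body); err != nil {
		b.errs = append(b.errs, err)
	} else {
		b.messages = append(b.messages, m)
	}
}

// Flush reports every deferred error instead of committing a partial batch,
// or returns how many messages would be sent; the batch is cleared either
// way, so a caller is never stuck with an incomplete one.
func (b *batch) Flush() (int, error) {
	defer func() { b.messages, b.errs = nil, nil }()
	if len(b.errs) > 0 {
		return 0, errors.Join(b.errs...)
	}
	return len(b.messages), nil
}

func main() {
	var b batch
	b.AddSet([]byte("set-a"))
	b.AddSet(nil)          // error is deferred, not returned here
	fmt.Println(b.Flush()) // 0 NFT_MSG_NEWSET: empty body
}
```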
This change makes it possible to delete rules after inserting them,
without needing to query the rules first. Additionally, this allows
positioning a new rule next to an existing rule.
There are two ways to refer to a rule: Either by ID or by handle. The ID
is assigned by userspace, and is only valid within a transaction, so it
can only be used before the flush. The handle is assigned by the kernel
when the transaction is committed, and can thus only be used after the
flush. We thus need to set an ID on each newly created rule, and
retrieve the handle of the rule during the flush.
I extended the message struct with a pointer to the Rule which the
message creates. This allows calling the reply handler callback which
sets the handle.
I updated tests to add a handle to generated replies for the
NFT_MSG_NEWRULE messages.

* Refactored obj.go to a more generic approach
* Added object support for already implemented expressions
* Added test for limit object
fixes https://github.com/google/nftables/issues/253

* Close receiver for lasting netlink connections while defaulting to existing temporary netlink connection usage
* add unit test for New lasting connection, Close and correct default connection handling behavior
* refactor tests to use New constructor
* make Conn mutex un-exported (#159)
fixes issue #157