Code changes

Signed-off-by: Serguei Bezverkhi <sbezverk@cisco.com>

nfrules.go

@@ -28,6 +28,7 @@ type RulesInterface interface {
 // RuleFuncs defines funcations to operate with Rules
 type RuleFuncs interface {
 	Create(string, *Rule) (uint32, error)
+	Delete(uint32) error
 	Insert(string, *Rule, uint64) (uint32, error)
 	Dump() ([]byte, error)
 	UpdateRulesHandle() error
@@ -108,6 +109,22 @@ func (nfr *nfRules) Create(name string, rule *Rule) (uint32, error) {
 	return rr.id, nil
 }
 
+func (nfr *nfRules) Delete(id uint32) error {
+	r, err := getRuleByID(nfr.rules, id)
+	if err != nil {
+		return err
+	}
+	// If rule's handle is 0, it means it has not been already programmed
+	// then no reason to call netfilter module
+	if r.rule.Handle != 0 {
+		if err := nfr.conn.DelRule(r.rule); err != nil {
+			return err
+		}
+	}
+
+	return nfr.removeRule(r.id)
+}
+
 // Insert inserts a rule passed as a parameter before the rule which handle value matches
 // the value of position passed as an argument.
 // Example: rule1 has handle of 5, you want to insert rule2 before rule1, then position for rule2 will be 5

nfruleslist.go

@@ -91,3 +91,13 @@ func getLast(e *nfRule) *nfRule {
 	}
 	return getLast(e.next)
 }
+
+func getRuleByID(e *nfRule, id uint32) (*nfRule, error) {
+	if e == nil {
+		return nil, fmt.Errorf("rule with id %d not found", id)
+	}
+	if e.rule.RuleID == id {
+		return e, nil
+	}
+	return getRuleByID(e.next, id)
+}

nftables.go

@@ -17,6 +17,7 @@ type NetNS interface {
 	AddTable(*nftables.Table) *nftables.Table
 	AddChain(*nftables.Chain) *nftables.Chain
 	AddRule(*nftables.Rule) *nftables.Rule
+	DelRule(*nftables.Rule) error
 	AddSet(*nftables.Set, []nftables.SetElement) error
 	GetRuleHandle(t *nftables.Table, c *nftables.Chain, ruleID uint32) (uint64, error)
 }