I have no idea really why the old status was passed, since the function (re-)writes the status for all currently allowed destinations anyway. Preserving the old status gives you an insight into previously enabled destinations, but I think doing that in this way is more confusing than useful.
There is one edge case where you can still have an outdated state in fqdn_state, but I think it is probably not really relevant:
When you have a matchPattern statement without a matching entry in the DNS cache you get an empty statement like this:
'*.f-i-ts.de': []
When you delete the statement from the rule, that empty entry remains - probably because there was never any iptables rule generated for that pattern and therefore the removal of the statement did not trigger an nftables ruleset change. It vanishes when there's another change to the cwnp that actually affects the nftables ruleset.
As long as there's a dns cache entry that matches the pattern removing the entry works as expected and does not leave behind a stale state.
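To make the edge case above concrete, here is a small Go model of the reconciliation behaviour the comment describes. It is an added example, not code from the firewall-controller; `matchPattern`, `desiredState`, `ruleSet` and the two `reconcile*` functions are hypothetical names, and the DNS cache contents are constructed sample data. It shows that a state rewrite gated on "did the generated ruleset change?" keeps the empty `'*.f-i-ts.de': []` entry after the pattern is removed, while rebuilding the state from the rule's current patterns on every pass does not.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// dnsCache maps an FQDN to the addresses currently cached for it.
type dnsCache map[string][]string

// fqdnState maps a matchPattern to the addresses currently allowed for it.
type fqdnState map[string][]string

// matchPattern implements only the two forms needed here: "*.suffix" or an exact name.
// Hypothetical helper; it does not reproduce the real controller's matching.
func matchPattern(pattern, fqdn string) bool {
	if strings.HasPrefix(pattern, "*") {
		return strings.HasSuffix(fqdn, pattern[1:])
	}
	return pattern == fqdn
}

// desiredState resolves every pattern of the rule against the cache. A pattern
// with no cached match stays in the map with an empty list, which is the
// '*.f-i-ts.de': [] entry seen in fqdn_state.
func desiredState(patterns []string, cache dnsCache) fqdnState {
	out := make(fqdnState, len(patterns))
	for _, p := range patterns {
		ips := []string{}
		for fqdn, addrs := range cache {
			if matchPattern(p, fqdn) {
				ips = append(ips, addrs...)
			}
		}
		sort.Strings(ips)
		out[p] = ips
	}
	return out
}

// ruleSet keeps only the entries that would become nftables rules: patterns
// with at least one address. An empty pattern generates no rule at all.
func ruleSet(s fqdnState) fqdnState {
	out := fqdnState{}
	for p, ips := range s {
		if len(ips) > 0 {
			out[p] = ips
		}
	}
	return out
}

// reconcileOnRulesetChange models the behaviour described in the comment: the
// state is rewritten only when the generated ruleset differs. Removing a pattern
// that never produced a rule leaves the ruleset unchanged, so the stale empty
// entry survives until some other change forces a rewrite.
func reconcileOnRulesetChange(old fqdnState, patterns []string, cache dnsCache) fqdnState {
	desired := desiredState(patterns, cache)
	if reflect.DeepEqual(ruleSet(old), ruleSet(desired)) {
		return old
	}
	return desired
}

// reconcileFromRule rebuilds the state from the rule's current patterns on every
// pass, so an entry disappears as soon as its pattern is removed, whether or not
// the nftables ruleset changed.
func reconcileFromRule(_ fqdnState, patterns []string, cache dnsCache) fqdnState {
	return desiredState(patterns, cache)
}

func main() {
	cache := dnsCache{"api.example.com": {"192.0.2.10"}} // constructed sample data
	withPattern := []string{"*.example.com", "*.f-i-ts.de"}
	withoutPattern := []string{"*.example.com"}

	// The pattern without a cache match yields an empty entry.
	s1 := reconcileOnRulesetChange(fqdnState{}, withPattern, cache)
	fmt.Println("after adding the pattern:", s1)

	// Removing it does not change the ruleset, so the empty entry stays behind.
	s2 := reconcileOnRulesetChange(s1, withoutPattern, cache)
	_, stale := s2["*.f-i-ts.de"]
	fmt.Println("stale entry with ruleset-gated rewrite:", stale)

	// Rebuilding from the rule's current patterns leaves nothing behind.
	s3 := reconcileFromRule(s1, withoutPattern, cache)
	_, stale = s3["*.f-i-ts.de"]
	fmt.Println("stale entry with rule-driven rebuild:", stale)
}
```

The same model also reproduces the happy path from the comment: removing a pattern that does have a cache entry changes the ruleset, so even the gated variant drops it immediately.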