List:       netfilter-devel
Subject:    [iptables PATCH v4 5/5] xtables: Do not change ruleset while listing
From:       Phil Sutter <phil () nwl ! cc>
Date:       2018-12-30 19:06:12
Message-ID: 20181230190612.29413-6-phil () nwl ! cc

When only listing rules, avoid creating the basic ruleset. Initializing
the latter is still needed so that a completely empty ruleset does not
lead to no output. But with builtin chains being added to cache
immediately, there is no need to push the changes to the kernel anymore.
Avoid this by calling nft_abort() in the right spots.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-arp.c | 1 +
 iptables/xtables-eb.c  | 1 +
 iptables/xtables.c     | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 2f369d9aadb01..10cc4c9fbc875 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -1366,6 +1366,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
 				   options&OPT_NUMERIC,
 				   /*options&OPT_EXPANDED*/0,
 				   options&OPT_LINENUMBERS);
+		nft_abort(h);
 		break;
 	case CMD_FLUSH:
 		ret = nft_rule_flush(h, chain, *table, options & OPT_VERBOSE);
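Review bot: the nft_abort(h) added before `break;` in this arptables hunk is unconditional, whereas the two xtables.c hunks in the same series guard the abort with `p.command == CMD_LIST` so that a combined list-and-zero invocation keeps its pending batch. The case label is outside the visible context, so it is worth confirming that this branch is only reached for a plain list command; if it can also serve a list+zero combination, the same guard should be applied here, otherwise the abort would discard the queued counter reset before it is committed.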
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 16d874120c0bb..a9a6fccb53c6a 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -1288,6 +1288,7 @@ print_zero:
 				 /*flags&OPT_EXPANDED*/0,
 				 flags&LIST_N,
 				 flags&LIST_C);
+		nft_abort(h);
 	}
 	if (flags & OPT_ZERO) {
 		ret = nft_chain_zero_counters(h, chain, *table, 0);
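Review bot: here the abort sits inside the listing block and runs before the `if (flags & OPT_ZERO)` branch that follows, so for a combined list+zero call the batch is cleared first and the zero-counters operation is queued afterwards. That ordering looks correct, but it relies on nft_abort() leaving the cache (with the builtin chains the commit message says are now added immediately) in a state that nft_chain_zero_counters() can still build on; a one-line comment stating that the abort is meant to precede the zero handling would make the dependency explicit for the next reader.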
diff --git a/iptables/xtables.c b/iptables/xtables.c
index da11e8cc159a0..28223e8edc799 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1139,6 +1139,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 				   cs.options & OPT_NUMERIC,
 				   cs.options & OPT_EXPANDED,
 				   cs.options & OPT_LINENUMBERS);
+		if (p.command == CMD_LIST)
+			nft_abort(h);
 		if (ret && (p.command & CMD_ZERO)) {
 			ret = nft_chain_zero_counters(h, p.chain, p.table,
 						      cs.options & OPT_VERBOSE);
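Review bot: the `p.command == CMD_LIST` guard correctly excludes the CMD_LIST|CMD_ZERO variants handled by the `if (ret && (p.command & CMD_ZERO))` check directly below, but the reason is only inferable from that neighbouring line. A short comment such as `/* plain list: drop the batch created by ruleset init */` would document why the abort must not run for the combined commands. Also note that the return value of nft_abort(h) is discarded in every hunk of this patch; if nft_abort() can report failure, the listing paths should at least propagate it into `ret`.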
@@ -1154,6 +1156,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 	case CMD_LIST_RULES|CMD_ZERO_NUM:
 		ret = list_rules(h, p.chain, p.table, p.rulenum,
 				 cs.options & OPT_VERBOSE);
+		if (p.command == CMD_LIST_RULES)
+			nft_abort(h);
 		if (ret && (p.command & CMD_ZERO)) {
 			ret = nft_chain_zero_counters(h, p.chain, p.table,
 						      cs.options & OPT_VERBOSE);
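Review bot: this hunk repeats the guarded-abort pattern from the CMD_LIST case with CMD_LIST_RULES substituted; since both cases fall through to an identical `if (ret && (p.command & CMD_ZERO))` block, consider folding the two into one check placed before that block, e.g. `if (p.command == CMD_LIST || p.command == CMD_LIST_RULES) nft_abort(h);`, so the two list paths cannot drift apart in later changes.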
-- 
2.19.0
