Reverse IP address lookups may take a long time, something that's not expected from {ip,ip6,eb,arp}tables-save. Moreover, due to lack of an appropriate commandline option, it is not even avoidable for users. Setting FMT_NUMERIC by default comes with a drawback, though: Things which may be represented by human-readable name without introducing any significant delay (such as e.g. opcode in arptables output) will be printed by numeric value as well. Sadly, trying to fix this by introducing a FMT_NORESOLVE bit turns things into a mess since e.g. 'print' callback of struct xtables_match receives only the numeric flag via parameter, not a full format variable. Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/xtables-save.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c index fc51fcfeb5815..a65bd2442c9d1 100644 --- a/iptables/xtables-save.c +++ b/iptables/xtables-save.c @@ -46,6 +46,7 @@ static const struct option options[] = { static int __do_output(struct nft_handle *h, const char *tablename, bool counters) { + unsigned int format = FMT_NUMERIC | (counters ? 0 : FMT_NOCOUNTS); struct nftnl_chain_list *chain_list; @@ -70,7 +71,7 @@ __do_output(struct nft_handle *h, const char *tablename, bool counters) /* Dump out chain names first, * thereby preventing dependency conflicts */ nft_chain_save(h, chain_list, tablename); - nft_rule_save(h, tablename, counters ? 0 : FMT_NOCOUNTS); + nft_rule_save(h, tablename, format); now = time(NULL); printf("COMMIT\n"); @@ -223,6 +224,8 @@ int xtables_ip6_save_main(int argc, char *argv[]) static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters) { + unsigned int format = FMT_EBT_SAVE | FMT_NUMERIC | + (counters ? 0 : FMT_NOCOUNTS); struct nftnl_chain_list *chain_list; static bool first = true; time_t now; 
@@ -250,8 +253,7 @@ static int __ebt_save(struct nft_handle *h, const char *tablename, bool counters /* Dump out chain names first, * thereby preventing dependency conflicts */ nft_chain_save(h, chain_list, tablename); - nft_rule_save(h, tablename, - FMT_EBT_SAVE | (counters ? 0 : FMT_NOCOUNTS)); + nft_rule_save(h, tablename, format); printf("\n"); return 0; } @@ -322,7 +324,7 @@ int xtables_arp_save_main(int argc, char **argv) printf("*filter\n"); nft_chain_save(&h, nft_chain_dump(&h), "filter"); - nft_rule_save(&h, "filter", FMT_NOCOUNTS); + nft_rule_save(&h, "filter", FMT_NOCOUNTS | FMT_NUMERIC); printf("\n"); return 0; } -- 2.18.0
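Review bot: The new "format" initialiser at the top of __do_output() (hunk @@ -46,6 +46,7) hard-wires FMT_NUMERIC without a comment, so the reason for it (no reverse lookups while saving) lives only in the commit message. A one-line comment above the declaration would keep someone from dropping the flag later. The diffstat also shows only iptables/xtables-save.c touched; since the message says users have no option to choose, the now-unconditional numeric output deserves a sentence in the save tools' documentation.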
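Review bot: In __ebt_save() (hunk @@ -223,6 +224,8) FMT_NUMERIC is ORed into the ebtables save format, but the commit message motivates the change only with reverse IP address lookups and gives arptables opcode as the single example of a field that turns numeric. Please state in the message which ebtables output fields change as a result, so the difference in saved rulesets can be reviewed rather than discovered.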
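Review bot: The nft_rule_save() call in xtables_arp_save_main() (hunk @@ -322,7 +324,7) passes FMT_NOCOUNTS | FMT_NUMERIC inline, while __do_output() and __ebt_save() now build a local "format" with FMT_NUMERIC first; using the same pattern and flag order here would keep the three save paths uniform. Because the commit message says opcode will now be printed by numeric value, it is also worth confirming, and noting in the message, that the restore side accepts the numeric form so that saved output still round-trips.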