[iptables PATCH 14/14] xtables: Do not change ruleset while listing

When only listing rules, avoid creating the basic ruleset. Initializing
the latter is still needed so that a completely empty ruleset does not
lead to no output. But with builtin chains being added to cache
immediately, there is no need to push the changes to the kernel anymore.
Avoid this by calling nft_abort() in the right spots.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/xtables-arp.c | 1 +
 iptables/xtables-eb.c  | 1 +
 iptables/xtables.c     | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 2f369d9aadb01..10cc4c9fbc875 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -1366,6 +1366,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
 				   options&OPT_NUMERIC,
 				   /*options&OPT_EXPANDED*/0,
 				   options&OPT_LINENUMBERS);
+		nft_abort(h);
 		break;
 	case CMD_FLUSH:
 		ret = nft_rule_flush(h, chain, *table, options & OPT_VERBOSE);
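Review bot: the return value of nft_abort(h) is discarded in the CMD_LIST case, so a failed abort leaves ret carrying only the listing result and the caller never learns that the batch was not cleared; consider folding a failure into ret (or document why an abort failure is safe to ignore here). The unconditional call is fine in this hunk since the case ends at the following `break;` with no zeroing combined.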
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index efc1f16ac6364..51730ed8f0d94 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -1289,6 +1289,7 @@ print_zero:
 				 /*flags&OPT_EXPANDED*/0,
 				 flags&LIST_N,
 				 flags&LIST_C);
+		nft_abort(h);
 	}
 	if (flags & OPT_ZERO) {
 		ret = nft_chain_zero_counters(h, chain, *table, 0);
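Review bot: unlike the xtables.c hunks, which only abort when no zeroing is combined with the listing, this abort runs unconditionally and is then followed by `if (flags & OPT_ZERO) { ret = nft_chain_zero_counters(h, chain, *table, 0);`, so a combined list-and-zero invocation queues the zero-counters change after the batch has been aborted. Please confirm that nft_abort() leaves the handle in a state where that later change (and the basic ruleset initialization the commit message says is still needed) is committed correctly, or guard the abort the same way as in xtables.c.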
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 24a6e234bcf4b..e58d9ae2d562f 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1143,6 +1143,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 				   cs.options & OPT_NUMERIC,
 				   cs.options & OPT_EXPANDED,
 				   cs.options & OPT_LINENUMBERS);
+		if (p.command == CMD_LIST)
+			nft_abort(h);
 		if (ret && (p.command & CMD_ZERO)) {
 			ret = nft_chain_zero_counters(h, p.chain, p.table,
 						      cs.options & OPT_VERBOSE);
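Review bot: the guard `if (p.command == CMD_LIST)` correctly skips the abort when CMD_ZERO is combined with the listing (the next line tests `p.command & CMD_ZERO` for exactly that case), but the reason is not obvious at the call site; a one-line comment stating that the pending batch must be kept when counters are about to be zeroed would help. As in the other hunks, nft_abort(h)'s return value is dropped here.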
@@ -1158,6 +1160,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 	case CMD_LIST_RULES|CMD_ZERO_NUM:
 		ret = list_rules(h, p.chain, p.table, p.rulenum,
 				 cs.options & OPT_VERBOSE);
+		if (p.command == CMD_LIST_RULES)
+			nft_abort(h);
 		if (ret && (p.command & CMD_ZERO)) {
 			ret = nft_chain_zero_counters(h, p.chain, p.table,
 						      cs.options & OPT_VERBOSE);
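Review bot: this hunk duplicates the guard-and-abort pattern of the CMD_LIST hunk above with CMD_LIST_RULES substituted; since both sit in the same switch of do_commandx() and are followed by the identical CMD_ZERO block, a small shared helper (or a single abort placed after the switch, conditional on no CMD_ZERO bit being set) would keep the two paths from drifting apart.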
-- 
2.19.0
