[iptables PATCH v3 21/21] xtables: Do not change ruleset while listing


 



When only listing rules, avoid creating the basic ruleset. Initializing
the latter is still needed so that a completely empty ruleset does not
lead to no output. But with builtin chains being added to cache
immediately, there is no need to push the changes to the kernel anymore.
Avoid this by calling nft_abort() in the right spots.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/xtables-arp.c | 1 +
 iptables/xtables-eb.c  | 1 +
 iptables/xtables.c     | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 2f369d9aadb01..10cc4c9fbc875 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -1366,6 +1366,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
 				   options&OPT_NUMERIC,
 				   /*options&OPT_EXPANDED*/0,
 				   options&OPT_LINENUMBERS);
+		nft_abort(h);
 		break;
 	case CMD_FLUSH:
 		ret = nft_rule_flush(h, chain, *table, options & OPT_VERBOSE);
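Review bot: the nft_abort(h) added here is unconditional, whereas the two xtables.c hunks below guard it with `if (p.command == CMD_LIST)` so that a listing combined with a zero request keeps its batch. If arptables' CMD_LIST case can also be entered with a zero option set, the pending counter reset would be discarded before it is committed; either confirm that cannot happen in this switch or apply the same guard for consistency.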
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 16d874120c0bb..a9a6fccb53c6a 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -1288,6 +1288,7 @@ print_zero:
 				 /*flags&OPT_EXPANDED*/0,
 				 flags&LIST_N,
 				 flags&LIST_C);
+		nft_abort(h);
 	}
 	if (flags & OPT_ZERO) {
 		ret = nft_chain_zero_counters(h, chain, *table, 0);
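Review bot: nft_abort(h) is issued inside the list block but before the `if (flags & OPT_ZERO)` check that follows, so a combined list-and-zero invocation calls nft_chain_zero_counters() on a freshly aborted batch. Please confirm that nft_chain_zero_counters() starts its own batch and that the aborted one carried nothing the zeroing relies on; a one-line comment at the abort stating that the listing path has no pending changes of its own would make the intent clear to the next reader.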
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 24a6e234bcf4b..e58d9ae2d562f 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1143,6 +1143,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 				   cs.options & OPT_NUMERIC,
 				   cs.options & OPT_EXPANDED,
 				   cs.options & OPT_LINENUMBERS);
+		if (p.command == CMD_LIST)
+			nft_abort(h);
 		if (ret && (p.command & CMD_ZERO)) {
 			ret = nft_chain_zero_counters(h, p.chain, p.table,
 						      cs.options & OPT_VERBOSE);
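Review bot: the equality test `if (p.command == CMD_LIST)` is the right choice, since the CMD_LIST|CMD_ZERO path handled two lines below still needs the batch for nft_chain_zero_counters(); a short comment saying the abort applies only to a pure list would save readers from wondering why `& CMD_LIST` was not used. Note also that nft_abort() runs even when the listing call failed (ret == 0); that is harmless as written, but if the abort can itself report an error it could mask the original failure, so folding it under a `ret` check may be cleaner.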
@@ -1158,6 +1160,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
 	case CMD_LIST_RULES|CMD_ZERO_NUM:
 		ret = list_rules(h, p.chain, p.table, p.rulenum,
 				 cs.options & OPT_VERBOSE);
+		if (p.command == CMD_LIST_RULES)
+			nft_abort(h);
 		if (ret && (p.command & CMD_ZERO)) {
 			ret = nft_chain_zero_counters(h, p.chain, p.table,
 						      cs.options & OPT_VERBOSE);
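Review bot: this guard duplicates the one in the CMD_LIST hunk above; the two cases could share a small helper or a single check after the switch on p.command, so that a future list-type command does not silently miss the abort. The placement itself matches the earlier hunk: a pure CMD_LIST_RULES aborts, while CMD_LIST_RULES|CMD_ZERO and CMD_LIST_RULES|CMD_ZERO_NUM keep the batch for the counter reset.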
-- 
2.19.0



