On Thu, Dec 27, 2018 at 08:59:09PM +0100, Pablo Neira Ayuso wrote:
> On Thu, Dec 20, 2018 at 04:09:22PM +0100, Phil Sutter wrote:
> > When only listing rules, avoid creating the basic ruleset. Initializing
> > the latter is still needed so that a completely empty ruleset does not
> > lead to no output. But with builtin chains being added to cache
> > immediately, there is no need to push the changes to the kernel anymore.
> > Avoid this by calling nft_abort() in the right spots.
> >
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> >  iptables/xtables-arp.c | 1 +
> >  iptables/xtables-eb.c  | 1 +
> >  iptables/xtables.c     | 4 ++++
> >  3 files changed, 6 insertions(+)
> >
> > diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
> > index 2f369d9aadb01..10cc4c9fbc875 100644
> > --- a/iptables/xtables-arp.c
> > +++ b/iptables/xtables-arp.c
> > @@ -1366,6 +1366,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table,
> >  			options&OPT_NUMERIC,
> >  			/*options&OPT_EXPANDED*/0,
> >  			options&OPT_LINENUMBERS);
> > +		nft_abort(h);
>
> Hm, this call to nft_abort() is confusing. Listing does not require a
> batch mode.

The problem I'm trying to ship around is that we unconditionally create
the compat ruleset if not present yet. And in order to list the empty
chains if user calls e.g. 'iptables -L' with a completely empty ruleset,
we need to add the compat ruleset at least to the internal cache. But
this also creates the batch jobs which are not required when merely
listing the ruleset.

The alternative to just removing the batch jobs via nft_abort() before
the obligatory call to nft_commit() would be to distinguish between
ruleset listing and other tasks in nft_xt_builtin_init(). For the sake
of simplicity, I didn't choose that option.

> This patch is new in the batch IIRC, will keep this back until we
> discuss if there is a better fix.

Yes, it is a follow-up made possible by the no longer required early
commit the rule insert position fix allowed for.

The larger goal behind this is to reduce (needless) impact of various
commands on the ruleset, in this case the creation of tables/chains in
list commands. At some point I would like to have iptables-nft create
only those parts of compat ruleset which are required for the command at
hand. E.g.:

| # iptables-nft -A INPUT -j ACCEPT

Should not create any chains other than 'ip filter INPUT'.

This came from a complaint that 'iptables-nft -F' creates things where it
should instead remove them. With legacy iptables, users could call
'iptables -F; iptables -X' and then unload netfilter kernel modules. With
iptables-nft, this is not possible.

Cheers, Phil
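Review bot: the bare `+		nft_abort(h);` added after the list call in do_commandarp() carries no comment, so a reader of that front-end has no way to tell that it only exists to drop the batch jobs queued by builtin-chain initialization rather than to roll back something the listing itself did; the diffstat shows the same call repeated in xtables-eb.c and xtables.c, so either add a one-line comment at each site stating that listing must not push the compat ruleset to the kernel, or, as the thread already suggests, handle it once in shared code (the list path before the obligatory nft_commit(), or a list-mode flag in nft_xt_builtin_init()) so the three front-ends cannot drift apart.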