When only listing rules, avoid to create the basic ruleset. Initializing the latter is still needed so that a completely empty ruleset does not lead to no output. But with builtin chains being added to cache immediately, there is no need to push the changes to the kernel anymore. Avoid this by calling nft_abort() in the right spots. Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/xtables-arp.c | 1 + iptables/xtables-eb.c | 1 + iptables/xtables.c | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index 2f369d9aadb01..10cc4c9fbc875 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -1366,6 +1366,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, options&OPT_NUMERIC, /*options&OPT_EXPANDED*/0, options&OPT_LINENUMBERS); + nft_abort(h); break; case CMD_FLUSH: ret = nft_rule_flush(h, chain, *table, options & OPT_VERBOSE); diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index 16d874120c0bb..a9a6fccb53c6a 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -1288,6 +1288,7 @@ print_zero: /*flags&OPT_EXPANDED*/0, flags&LIST_N, flags&LIST_C); + nft_abort(h); } if (flags & OPT_ZERO) { ret = nft_chain_zero_counters(h, chain, *table, 0); diff --git a/iptables/xtables.c b/iptables/xtables.c index da11e8cc159a0..28223e8edc799 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -1139,6 +1139,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, cs.options & OPT_NUMERIC, cs.options & OPT_EXPANDED, cs.options & OPT_LINENUMBERS); + if (p.command == CMD_LIST) + nft_abort(h); if (ret && (p.command & CMD_ZERO)) { ret = nft_chain_zero_counters(h, p.chain, p.table, cs.options & OPT_VERBOSE); 
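Review bot: The added `nft_abort(h);` after list_entries() in the xtables-arp.c hunk carries no comment, and the same bare call recurs in the xtables-eb.c hunk and in both xtables.c hunks, so the code alone does not explain why a read-only listing ends in an abort. A short comment at each site, for example `/* listing only: do not push the basic ruleset to the kernel */`, would record the intent stated in the commit message, namely that listing leaves kernel state untouched. The return value of nft_abort() is also discarded; if the call can fail (its definition is not shown), that failure is silent while `ret` still reports the listing result. do_commandarp's body continues outside the hunk.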
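Review bot: In the xtables-eb.c hunk `nft_abort(h);` runs unconditionally after the listing call, yet the `if (flags & OPT_ZERO)` block directly below still calls nft_chain_zero_counters() on the same handle. The xtables.c hunks guard the abort with `p.command == CMD_LIST` and `p.command == CMD_LIST_RULES` so that a combined list-and-zero request is not aborted, and the ebtables path has no equivalent guard. What nft_abort() does to the handle's pending state is not visible here, so this may be harmless, but for consistency the call could be written as `if (!(flags & OPT_ZERO)) nft_abort(h);`. The enclosing function starts and ends outside the hunk.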
@@ -1154,6 +1156,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, case CMD_LIST_RULES|CMD_ZERO_NUM: ret = list_rules(h, p.chain, p.table, p.rulenum, cs.options & OPT_VERBOSE); + if (p.command == CMD_LIST_RULES) + nft_abort(h); if (ret && (p.command & CMD_ZERO)) { ret = nft_chain_zero_counters(h, p.chain, p.table, cs.options & OPT_VERBOSE); -- 2.19.0