On Thu, Jan 10, 2019 at 01:28:22AM +0100, Pablo Neira Ayuso wrote:
> On Sun, Dec 30, 2018 at 08:06:12PM +0100, Phil Sutter wrote:
> > diff --git a/iptables/xtables.c b/iptables/xtables.c
> > index da11e8cc159a0..28223e8edc799 100644
> > --- a/iptables/xtables.c
> > +++ b/iptables/xtables.c
> > @@ -1139,6 +1139,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
> > cs.options & OPT_NUMERIC,
> > cs.options & OPT_EXPANDED,
> > cs.options & OPT_LINENUMBERS);
> > + if (p.command == CMD_LIST)
> > + nft_abort(h);
>
> Goal of this patch is to reset the batch of any pending object to be
> added before -L call?

The goal is to prevent the unconditional commit (e.g. in xtables_main())
from adding builtin tables/chains when listing only.

In the past, we had to commit early after creating builtin tables/chains
to make them appear in ruleset listing. A problem we faced multiple
times was that 'nft flush ruleset ; iptables-nft -L' did not print
anything. Fix was to commit early (commit a4e78370af849) and flush cache
so it's refreshed (commit 206033ede9461).

Since builtin tables/chains are manually added to cache, the early
commit and cache flush is no longer required. But after listing the
empty ruleset, the final commit still adds the builtin tables/chains
although not required for list command. This patch eliminates those
pointless batch jobs.

Cheers, Phil
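Review bot: the condition in the do_commandx() hunk only covers CMD_LIST, so any other read-only command that reaches the same unconditional commit later in xtables_main() would still get the builtin tables/chains queued by the cache population committed to the kernel; please check whether the test should be widened to every command that does not modify the ruleset, or whether the abort belongs in the caller that decides to commit, so the "list only, nothing to commit" rule lives in one place. The two added lines also carry no comment, and since the reason for discarding the batch here (builtin tables/chains are now added to the cache directly and no longer need a commit to show up in the listing) is only stated in the mail, a one-line comment above `if (p.command == CMD_LIST)` such as "listing must not create builtin tables/chains, drop the batch" would keep that rationale with the code. Finally, the return value of `nft_abort(h)` is dropped on the added line; if that call can fail, the hunk should say why ignoring it is fine on the list path.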