[iptables PATCH 1/2] nft: CMD_ZERO needs a rule cache

In order to zero rule counters, they have to be fetched from kernel. Fix
this for both standalone calls as well as xtables-restore --noflush.

Fixes: b5cb6e631c828 ("nft-cache: Fetch only chains in nft_chain_list_get()")
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft.c             | 2 ++
 iptables/xtables-restore.c | 1 +
 2 files changed, 3 insertions(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index 3c230c121f8b9..83cf5fb703d3e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2922,6 +2922,8 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data)
 			return -1;
 	}
 
+	nft_build_cache(h, c);
+
 	iter = nftnl_rule_iter_create(c);
 	if (iter == NULL)
 		return -1;
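Review bot: The new `nft_build_cache(h, c);` call ahead of `nftnl_rule_iter_create(c)` has no comment explaining why it is needed, and its outcome is not checked even though the neighbouring steps in this function bail out with `return -1`. A one-line comment stating that the chain's rules must be fetched before the iterator is created would help, because with an empty rule cache the iterator simply finds no rules and the zero request appears to succeed while the counters stay untouched. If nft_build_cache() can report failure, that should be propagated here in the same way as the `iter == NULL` case.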
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 282aa153b1599..2f0fe7d439d94 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -268,6 +268,7 @@ static bool cmd_needs_full_cache(char *cmd)
 	case 'C':
 	case 'S':
 	case 'L':
+	case 'Z':
 		return true;
 	}
 
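Review bot: The `case 'Z':` addition to cmd_needs_full_cache() comes without a regression test; the diffstat only touches iptables/nft.c and iptables/xtables-restore.c. Since the commit message names both the standalone call and xtables-restore --noflush as broken, a test that loads a ruleset with non-zero counters, runs a --noflush restore containing a -Z line, and checks that the counters read back as zero would keep later cache optimisations from reintroducing the problem. It is also worth noting in the commit message that any --noflush input containing -Z now pays for a full cache fetch, as 'C', 'S' and 'L' already do.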
-- 
2.24.0



