Phil Sutter <phil@xxxxxx> wrote:
> The value in idx and the number of rules handled in that particular
> __nf_tables_dump_rules() call is not identical. The former is a cursor
> to pick up from if multiple netlink messages are needed, so its value is
> ever increasing. Fixing this is not just a matter of subtracting s_idx
> from it, though: When resetting rules in multiple chains,
> __nf_tables_dump_rules() is called for each and cb->args[0] is not
> adjusted in between. Introduce a dedicated counter to record the number
> of rules reset in this call in a less confusing way.
>
> While being at it, prevent the direct return upon buffer exhaustion: Any
> rules previously dumped into that skb would evade audit logging
> otherwise.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>

We can investigate ways to compress/coalesce (read: make this more
complicated) in case somebody complains about too many audit messages.

But I would not go ahead and keep it simple for now.