From patchwork Thu Dec 13 11:16:07 2018
X-Patchwork-Submitter: Phil Sutter
X-Patchwork-Id: 1012783
X-Patchwork-Delegate: pablo@netfilter.org
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org
Subject: [iptables PATCH v2 14/14] xtables: Do not change ruleset while listing
Date: Thu, 13 Dec 2018 12:16:07 +0100
Message-Id: <20181213111607.5457-15-phil@nwl.cc>
In-Reply-To: <20181213111607.5457-1-phil@nwl.cc>
References: <20181213111607.5457-1-phil@nwl.cc>

When only listing rules, avoid creating the basic ruleset. Initializing the latter is still needed so that a completely empty ruleset does not lead to no output. But with builtin chains being added to cache immediately, there is no need to push the changes to the kernel anymore. Avoid this by calling nft_abort() in the right spots.

Signed-off-by: Phil Sutter
---
 iptables/xtables-arp.c | 1 +
 iptables/xtables-eb.c  | 1 +
 iptables/xtables.c     | 4 ++++
 3 files changed, 6 insertions(+)

diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index 2f369d9aadb01..10cc4c9fbc875 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -1366,6 +1366,7 @@ int do_commandarp(struct nft_handle *h, int argc, char *argv[], char **table, options&OPT_NUMERIC, /*options&OPT_EXPANDED*/0, options&OPT_LINENUMBERS); + nft_abort(h); break; case CMD_FLUSH: ret = nft_rule_flush(h, chain, *table, options & OPT_VERBOSE); diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index efc1f16ac6364..51730ed8f0d94 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -1289,6 +1289,7 @@ print_zero: /*flags&OPT_EXPANDED*/0, flags&LIST_N, flags&LIST_C); + nft_abort(h); } if (flags & OPT_ZERO) { ret = nft_chain_zero_counters(h, chain, *table, 0); diff --git a/iptables/xtables.c b/iptables/xtables.c index 24a6e234bcf4b..e58d9ae2d562f 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c
@@ -1143,6 +1143,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, cs.options & OPT_NUMERIC, cs.options & OPT_EXPANDED, cs.options & OPT_LINENUMBERS); + if (p.command == CMD_LIST) + nft_abort(h); if (ret && (p.command & CMD_ZERO)) { ret = nft_chain_zero_counters(h, p.chain, p.table, cs.options & OPT_VERBOSE); @@ -1158,6 +1160,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, case CMD_LIST_RULES|CMD_ZERO_NUM: ret = list_rules(h, p.chain, p.table, p.rulenum, cs.options & OPT_VERBOSE); + if (p.command == CMD_LIST_RULES) + nft_abort(h); if (ret && (p.command & CMD_ZERO)) { ret = nft_chain_zero_counters(h, p.chain, p.table, cs.options & OPT_VERBOSE);
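Review bot: the xtables-arp.c hunk calls `nft_abort(h);` unconditionally right before `break;`, whereas both xtables.c hunks guard the abort with `if (p.command == CMD_LIST)` / `if (p.command == CMD_LIST_RULES)` so that a combined list-and-zero invocation still commits the zeroing. If do_commandarp can reach this case with a zero flag set as well, the unconditional abort would silently discard that operation; if it cannot, a short comment stating that the arp list case is list-only would save the next reader the same question.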
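Review bot: in the xtables-eb.c hunk the abort is placed before `if (flags & OPT_ZERO) { ret = nft_chain_zero_counters(h, chain, *table, 0);`, so the zero-counters path now starts from a batch that has just been discarded. Please confirm that nft_chain_zero_counters still works when the pending builtin table/chain creation has been thrown away (for example on a completely empty ruleset, the case the commit message mentions), or move the abort into an else branch so listing-only and list-plus-zero are handled as separately as they are in xtables.c.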
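Review bot: the first xtables.c hunk adds `if (p.command == CMD_LIST) nft_abort(h);` with no comment explaining why a read-only command needs to abort a batch; the reason (the listing code implicitly queued creation of the basic ruleset, which must not be committed) lives only in the commit message. A one-line comment above the check, and the same comment at the CMD_LIST_RULES site, would document the intent at the place where a future refactor is most likely to drop it.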
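Review bot: the second xtables.c hunk repeats the exact shape of the first (`if (p.command == CMD_LIST_RULES) nft_abort(h);` followed by the unchanged `if (ret && (p.command & CMD_ZERO))`), and the same abort also appears in xtables-arp.c and xtables-eb.c. Consider handling this once, either by aborting in the listing helpers (list_rules and its list_entries counterpart) when nothing is to be committed, or by a single "abort unless a modifying flag is set" step after the switch, so four call sites do not have to stay in sync by hand.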