Reverse IP address lookups may take a long time, something that's not
expected from {ip,ip6,eb,arp}tables-save. Moreover, due to the lack of an
appropriate command-line option, it is not even avoidable for users.

Setting FMT_NUMERIC by default comes with a drawback, though: things
which may be represented by a human-readable name without introducing any
significant delay (such as the opcode in arptables output) will be
printed by numeric value as well. Sadly, trying to fix this by
introducing a FMT_NORESOLVE bit turns things into a mess, since e.g. the
'print' callback of struct xtables_match receives only the numeric flag
as a parameter, not a full format variable.

Signed-off-by: Phil Sutter <[email protected]>
---
 iptables/xtables-save.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index fc51fcfeb5815..a65bd2442c9d1 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -46,6 +46,7 @@ static const struct option options[] = {
 static int
 __do_output(struct nft_handle *h, const char *tablename, bool counters)
 {
+       unsigned int format = FMT_NUMERIC | (counters ? 0 : FMT_NOCOUNTS);
        struct nftnl_chain_list *chain_list;
 
 
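Review bot: the new `format` local in `__do_output()` hard-codes FMT_NUMERIC with no way for the user to turn it back off, and nothing in this patch touches the man page or usage text. Since the commit message itself acknowledges that name resolution becomes unavoidable to disable in one direction and unavoidable to enable in the other, the behaviour change deserves a note in the iptables-save/ip6tables-save documentation (and, given the stated arptables opcode regression, in the arptables-save one) in the same series, or at least a short comment next to `unsigned int format = FMT_NUMERIC | (counters ? 0 : FMT_NOCOUNTS);` explaining why resolution is off by default.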
@@ -70,7 +71,7 @@ __do_output(struct nft_handle *h, const char *tablename, bool 
counters)
        /* Dump out chain names first,
         * thereby preventing dependency conflicts */
        nft_chain_save(h, chain_list, tablename);
-       nft_rule_save(h, tablename, counters ? 0 : FMT_NOCOUNTS);
+       nft_rule_save(h, tablename, format);
 
        now = time(NULL);
        printf("COMMIT\n");
@@ -223,6 +224,8 @@ int xtables_ip6_save_main(int argc, char *argv[])
 
 static int __ebt_save(struct nft_handle *h, const char *tablename, bool 
counters)
 {
+       unsigned int format = FMT_EBT_SAVE | FMT_NUMERIC |
+                             (counters ? 0 : FMT_NOCOUNTS);
        struct nftnl_chain_list *chain_list;
        static bool first = true;
        time_t now;
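Review bot: the initialiser `FMT_EBT_SAVE | FMT_NUMERIC | (counters ? 0 : FMT_NOCOUNTS)` in `__ebt_save()` duplicates the `FMT_NUMERIC | (counters ? 0 : FMT_NOCOUNTS)` expression introduced in `__do_output()` above, differing only in the FMT_EBT_SAVE bit. If a resolve toggle or the FMT_NORESOLVE idea from the commit message is ever picked up, both sites (plus the arptables one below) have to change in lockstep; a tiny shared helper or a common base mask (e.g. `#define FMT_SAVE_BASE FMT_NUMERIC`) would keep them from drifting apart.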
@@ -250,8 +253,7 @@ static int __ebt_save(struct nft_handle *h, const char 
*tablename, bool counters
        /* Dump out chain names first,
         * thereby preventing dependency conflicts */
        nft_chain_save(h, chain_list, tablename);
-       nft_rule_save(h, tablename,
-                     FMT_EBT_SAVE | (counters ? 0 : FMT_NOCOUNTS));
+       nft_rule_save(h, tablename, format);
        printf("\n");
        return 0;
 }
@@ -322,7 +324,7 @@ int xtables_arp_save_main(int argc, char **argv)
 
        printf("*filter\n");
        nft_chain_save(&h, nft_chain_dump(&h), "filter");
-       nft_rule_save(&h, "filter", FMT_NOCOUNTS);
+       nft_rule_save(&h, "filter", FMT_NOCOUNTS | FMT_NUMERIC);
        printf("\n");
        return 0;
 }
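Review bot: this is the call site where the drawback described in the commit message actually materialises (the arptables opcode will now print numerically), yet `nft_rule_save(&h, "filter", FMT_NOCOUNTS | FMT_NUMERIC);` carries no hint of that trade-off, and unlike the two other callers it does not go through a `format` local. Either add a brief comment here stating that numeric output is deliberate and that opcode names are knowingly lost, or use the same `format` variable pattern as `__do_output()` and `__ebt_save()` so that all three save paths are obviously built the same way.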
-- 
2.18.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
