On Thu, Dec 20, 2018 at 04:09:22PM +0100, Phil Sutter wrote:
> When only listing rules, avoid creating the basic ruleset. Initializing
> the latter is still needed so that a completely empty ruleset does not
> lead to no output. But with builtin chains being added to cache
> immediately, there is no need to push the changes to the kernel anymore.
> Avoid this by calling nft_abort() in the right spots.
> 
> Signed-off-by: Phil Sutter <[email protected]>
> ---
>  iptables/xtables-arp.c | 1 +
>  iptables/xtables-eb.c  | 1 +
>  iptables/xtables.c     | 4 ++++
>  3 files changed, 6 insertions(+)
> 
> diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
> index 2f369d9aadb01..10cc4c9fbc875 100644
> --- a/iptables/xtables-arp.c
> +++ b/iptables/xtables-arp.c
> @@ -1366,6 +1366,7 @@ int do_commandarp(struct nft_handle *h, int argc, char 
> *argv[], char **table,
>                                  options&OPT_NUMERIC,
>                                  /*options&OPT_EXPANDED*/0,
>                                  options&OPT_LINENUMBERS);
> +             nft_abort(h);
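
Review bot: The nft_abort(h) added right after the list call in do_commandarp() carries no comment, and on a read-only listing path an abort reads like error handling rather than intent. A one-line comment above it saying that it drops the pending basic-ruleset changes so a list-only run pushes nothing to the kernel would help. Since the diffstat shows the same call going into xtables-eb.c and xtables.c as well, a small shared helper with a descriptive name may be clearer than repeating the bare call in each place.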

Hm, this call to nft_abort() is confusing. Listing does not require a
batch mode.

This patch is new in the batch IIRC, will keep this back until we
discuss if there is a better fix.
