Commit b8b27498 authored Mar 07, 2019 by Florian Westphal Committed by Pablo Neira Ayuso Mar 11, 2019

netfilter: nf_tables: return immediately on empty commit



When running 'nft flush ruleset' while no rules exist, we will increment
the generation counter and announce a new genid to userspace, yet
nothing had changed in the first place.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 3f3a390d

net/netfilter/nf_tables_api.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -6564,6 +6564,11 @@ static int nf_tables_commit(struct net net, struct sk_buff skb)
		struct nft_chain *chain;
		struct nft_table *table;

		if (list_empty(&net->nft.commit_list)) {
		mutex_unlock(&net->nft.commit_mutex);
		return 0;
		}

		/* 0. Validate ruleset, otherwise roll back for error reporting. */
		if (nf_tables_validate(net) < 0)
		return -EAGAIN;