author | Phil Sutter <phil@nwl.cc> | 2023-08-10 11:30:59 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2023-08-10 14:14:25 +0200 |
commit | 39a067bb3b1b4ffb50a925f66e7db56658c0dfa7 (patch) | |
tree | 528bfdcafa0d92ad0ce601a0018aa94c6f078fee /iptables | |
parent | 5412ccba55b2318160d32efec3b8aad162608af9 (diff) |
nft: Create builtin chains with counters enabled
The kernel enables policy counters for nftables chains only if
NFTA_CHAIN_COUNTERS attribute is present. For this to be generated, one
has to set NFTNL_CHAIN_PACKETS and NFTNL_CHAIN_BYTES attributes in the
allocated nftnl_chain object.
The above happened for base chains only with iptables-nft-restore if
called with --counters flag. Since this is very unintuitive to users,
fix the situation by adding counters to base chains in any case.
Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 326dc20b..97fd4f49 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -701,6 +701,9 @@ nft_chain_builtin_alloc(int family, const char *tname,
 nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type);
+ nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0);
+ nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0);
+
 return c;
 }
@@ -961,6 +964,7 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
 int policy,
 const struct xt_counters *counters)
 {
+ static const struct xt_counters zero = {};
 struct nftnl_chain *c;
 const struct builtin_table *_t;
 const struct builtin_chain *_c;
@@ -985,12 +989,10 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
 return NULL;
 }
- if (counters) {
- nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES,
- counters->bcnt);
- nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS,
- counters->pcnt);
- }
+ if (!counters)
+ counters = &zero;
+ nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, counters->bcnt);
+ nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, counters->pcnt);
 return c;
 } |
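Review bot: The two added `nftnl_chain_set_u64(..., 0)` calls in nft_chain_builtin_alloc read like redundant zero-initialisation and carry no comment, so a later cleanup could remove them and silently turn policy counters off again. I would add above them `/* both must be set so NFTA_CHAIN_COUNTERS is generated and the kernel enables policy counters */`, which is what the commit message states. It is also worth confirming in the callers, which are outside this hunk, that this object is only sent for base chains that do not exist yet; if it can reach an existing chain, the zeros would presumably overwrite live byte and packet counts that drop monitoring depends on. The function body starts above the hunk.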
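Review bot: A NULL `counters` argument to nft_chain_new changes meaning in the last hunk: it used to leave both counter attributes out of the chain object, and after `if (!counters) counters = &zero;` it sends zero for both. The function also takes `policy`, so if any caller outside the hunk passes NULL while only changing the policy of an existing base chain, the kernel would presumably receive zeroed counts and the accounting of packets hitting the default policy could be reset without notice. I would record the new contract at the fallback, e.g. `/* NULL means zeroed counters; they are still sent so policy counters get enabled */`, and check each NULL caller against that. The `zero` object is declared in the previous hunk, and the function starts above this one.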