| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch enables nft to match against TCP options.
Currently these TCP options are supported:
* End of Option List (eol)
* No-Operation (noop)
* Maximum Segment Size (maxseg)
* Window Scale (window)
* SACK Permitted (sack_permitted)
* SACK (sack)
* Timestamps (timestamp)
Syntax: tcp options $option_name [$offset] $field_name
Example:
# count all incoming packets with a specific maximum segment size `x`
# nft add rule filter input tcp option maxseg size x counter
# count all incoming packets with a SACK TCP option where the third
# (counted from zero) left field is greater `x`.
# nft add rule filter input tcp option sack 2 left \> x counter
If the offset (the `2` in the example above) is zero, it can optionally
be omitted.
For all non-SACK TCP options it is always zero, thus can be left out.
Option names and field names are parsed from templates, similar to meta
and ct options rather than via keywords to prevent adding more keywords
than necessary.
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
| |
currently exthdr always needs ipv6 dependency (i.e. link layer), but
with upcomming TCP option matching we also need to include TCP at the
network layer.
This patch prepares this change by adding two parameters to
exthdr_gen_dependency.
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
| |
right now exthdr only deals with ipv6 extension headers, followup
patch will enable tcp option matching.
This adds the 'op' arg to exthdr_init.
Signed-off-by: Manuel Messner <mm@skelett.io>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
get_rate() is used to print quotas and limits and currently rounds the
number of bytes:
$ nft add quota filter https-quota 4000 kbytes
$ nft list ruleset
table ip filter {
quota https-quota {
3 mbytes
}
}
This may be a problem when loading your configuration after saving it
with 'list ruleset'. With this patch the values are represented in a
greater unit only when there is no rest in the conversion:
$ nft add quota filter https-quota2 2048 kbytes
$ nft list ruleset
table ip filter {
quota https-quota {
4000 kbytes
}
quota https-quota2 {
2 mbytes
}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Nftables uses a internal service table to print service names. This
table should be used when parsing new rules, to avoid conflicts between
nft service table and the local /etc/services, when loading an exported
ruleset.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1118
Fixes: ccc5da4 ("datatype: Replace getnameinfo() by internal lookup table")
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
the change causes non-ipv6 addresses to not be printed at all in case
a nfproto was given.
Also add a test case to catch this.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1117
Fixes: 5ab0e10fc6e2c22363a ("src: support for RFC2732 IPv6 address format with brackets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Because the rules are more legible this way. Also, the parser doesn't
accept strings on ranges, so, printing ranges numerically better match
the rules definition.
Fixes(Bug 1046 - mobility header with range gives illegible rule).
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
The number of numeric options influences the behavior and the user
should be warned if a invalid number is used.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
| |
Signed-off-by: Manuel Messner <mm@skelett.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, stateful objects can be listed by: listing all objects in
all tables; listing a single object in a table. Now it's allowed to
list all objects in a table.
$ nft list counters table filter
table ip filter {
counter https-traffic {
packets 14825 bytes 950063
}
counter http-traffic {
packets 117 bytes 9340
}
}
$ nft list quotas table filter
table ip filter {
quota https-quota {
25 mbytes used 2 mbytes
}
quota http-quota {
25 mbytes used 10 kbytes
}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Reseting stateful objects in a single table is already implemented and
cmd_evaluate_reset() now tests for the table name.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the stateful objects can only be listed in groups. With this
patch listing a single object is allowed:
$ nft list counter filter https-traffic
table ip filter {
counter https-traffic {
packets 4014 bytes 228948
}
}
$ nft list quota filter https-quota
table ip filter {
quota https-quota {
25 mbytes used 278 kbytes
}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently the stateful objects can only be reseted in groups. With this
patch reseting a single object is allowed:
$ nft reset counter filter https-traffic
table ip filter {
counter https-traffic {
packets 8774 bytes 542668
}
}
$ nft list counter filter https-traffic
table ip filter {
counter https-traffic {
packets 0 bytes 0
}
}
Heavily based on work from Pablo Neira Ayuso <pablo@netfilter.org>.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the inet, bridge and netdev families, we can add rules like these:
% nft add rule inet t c ip protocol icmp icmp type echo-request
% nft add rule inet t c ip6 nexthdr icmpv6 icmpv6 type echo-request
However, when we print the ruleset:
% nft list ruleset
table inet t {
chain c {
icmpv6 type echo-request
icmp type echo-request
}
}
These rules we obtain can't be added again:
% nft add rule inet t c icmp type echo-request
<cmdline>:1:19-27: Error: conflicting protocols specified: inet-service vs. icmp
add rule inet t c icmp type echo-request
^^^^^^^^^
% nft add rule inet t c icmpv6 type echo-request
<cmdline>:1:19-29: Error: conflicting protocols specified: inet-service vs. icmpv6
add rule inet t c icmpv6 type echo-request
^^^^^^^^^^^
Since I wouldn't expect an IP packet carrying ICMPv6, or IPv6 packet
carrying ICMP, if the link layer is inet, the network layer protocol context
can be safely update to 'ip' or 'ip6'.
Moreover, nft currently generates a 'meta nfproto ipvX' depedency when
using icmp or icmp6 in the inet family, and similar in netdev and bridge
families.
While at it, a bit of code factorization is introduced.
Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1073
Signed-off-by: Arturo Borrero Gonzalez <arturo@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
Catch -1 case, so we have a chance to handle EINTR.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch removes the existing error messages on netlink dump errors.
These functions used to be called from list commands. These days they
are called from the cache cache population path.
Note that nft breaks with older kernels at netlink_list_objs() since we
have no stateful objects support there.
Silence errors at this stage and return an empty list, thus, nft bails
out on explicit user commands if no nf_tables support is available.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Always print flow statement as stateless expressions, given that this
just defines the flow table statement instance that is allocated per
entry.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo reported that ipv6 tests would fail on some systems:
WARNING: 'add rule --debug=netlink ip6 test-ip6 input ip6 flowlabel set 0':
'[ bitwise reg 1 = (reg=1 & 0x000000f0 ) ^ 0x00000000 ]' mismatches
'[ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ]'
^ should be 'f'
Problem is that mpz_export_data expects the size of the output
buffer in bytes, but this gave bit-based size.
Then, when mpz_export_data clears the output buffer it will
also clear 8 extra bytes on stack; depending on compiler version (stack
layout) this will then clear the bitmask value that we want to export.
Fixes: 78936d50f306c ("evaluate: add support to set IPv6 non-byte header fields")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Tested-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently only counter and quota have stateful information.
For named counters, packets and bytes are displayed as 0.
Standard list ruleset:
table ip filter {
counter https {
packets 161942 bytes 10253353
}
chain output {
type filter hook output priority 0; policy accept;
counter name tcp dport map { https : "https"}
tcp dport https counter packets 171211 bytes 10869045
tcp dport https quota 25 mbytes used 10 mbytes
}
}
With stateless option, -s:
table ip filter {
counter https {
packets 0 bytes 0
}
chain output {
type filter hook output priority 0; policy accept;
counter name tcp dport map { https : "https"}
tcp dport https counter
tcp dport https quota 25 mbytes
}
}
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to connbytes extension in iptables, now you can use it to match
average bytes per packet a connection has transferred so far.
For example, match avgpkt in "BOTH" diretion:
# nft add rule x y ct avgpkt \> 100
Match avgpkt in reply direction:
# nft add rule x y ct reply avgpkt \< 900
Or match avgpkt in original direction:
# nft add rule x y ct original avgpkt \> 200
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Due to a missing backslash in the AM_CFLAGS list some warning flags do
not get added to the generated default CLFAGS. Add the missing backslash
to include them as well.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So users can better track their ruleset via git.
Without sorting, the elements can be listed in a different order
every time the set is created, generating unnecessary git changes.
Mergesort is used. Doesn't sort sets with 'flags interval' set on.
Pablo appends to this changelog description:
Currently these interval set elements are dumped in order. We'll likely
get new representations soon that may not guarantee this anymore, so
let's revisit this later in case we need it.
Without this patch, nft list ruleset with a set containing 40000
elements takes on my laptop:
real 0m2.742s
user 0m0.112s
sys 0m0.280s
With this patch:
real 0m2.846s
user 0m0.180s
sys 0m0.284s
Difference is small, so don't get nft more complicated with yet another
getopt() option, enable this by default.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
Instead of nftnl_.*_nlmsg_build_hdr() since they rely on this generic
function. This also helps us clean up source code indentation around
this function call.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
removed in c992153402c78d91e8be ("ct: allow resolving ct keys at run time").
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
This is %lu with uint64_t again.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1109
Signed-off-by: Duncan Roe <duncan_roe@acslink.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
| |
clang emits a warning in this function as we're using a boolean as the third
argument to strncmp. Indeed, this function only checks the first byte of the
path as is, so files beginning with . will be incorrectly included from the
current working directory instead of the include directory.
Fixes: f92a1a5c4a87 ("scanner: honor absolute and relative paths via include file")
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch extends the event monitoring infrastructure to catch events
of addition and removal of stateful objects.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
You can create these maps using explicit map declarations:
# nft add table filter
# nft add chain filter input { type filter hook input priority 0\; }
# nft add map filter badguys { type ipv4_addr : counter \; }
# nft add rule filter input counter name ip saddr map @badguys
# nft add counter filter badguy1
# nft add counter filter badguy2
# nft add element filter badguys { 192.168.2.3 : "badguy1" }
# nft add element filter badguys { 192.168.2.4 : "badguy2" }
Or through implicit map definitions:
table ip filter {
counter http-traffic {
packets 8 bytes 672
}
chain input {
type filter hook input priority 0; policy accept;
counter name tcp dport map { 80 : "http-traffic", 443 : "http-traffic"}
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch adds a new objref statement to refer to existing stateful
objects from rules, eg.
# nft add rule filter input counter name test counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Stateful objects have introduced a RESET token in the parser. This breaks the
use of RESET from the rhs, to fix this:
1) I added a new rule to catch this case, thus, dccp doesn't break.
2) Update reject_opts so reject with tcp reset still works.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to atomically dump and reset stateful objects, eg.
# nft list counters
table ip filter {
counter test {
packets 1024 bytes 100000
}
}
# nft reset quotas table filter
counter test {
packets 1024 bytes 100000
}
# nft reset quotas table filter
counter test {
packets 0 bytes 0
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to add and to delete objects, eg.
# nft add quota filter test 1234567 bytes
# nft list quotas
table ip filter {
quota test {
1234567 bytes
}
}
# nft delete quota filter test
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows you to dump existing stateful objects, eg.
# nft list ruleset
table ip filter {
counter test {
packets 64 bytes 1268
}
quota test {
over 1 mbytes used 1268 bytes
}
chain input {
type filter hook input priority 0; policy accept;
quota name test drop
counter name test
}
}
# nft list quotas
table ip filter {
quota test {
over 1 mbytes used 1268 bytes
}
}
# nft list counters
table ip filter {
counter test {
packets 64 bytes 1268
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
table ip x {
chain y {
type filter hook forward priority 0; policy accept;
quota over 200 mbytes used 1143 kbytes drop
}
}
This patch allows us to list and to restore used quota.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
They map exactly one to one to we have in the kernel headers, so use
kernel definitions instead.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
Huge sets may cause stack to be exhausted.
So, put allocate memory for arrays in
interval_map_decompose() function on heap.
Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
|
|
| |
This will be used for allocating memory for arrays
in heap instead of keeping them on stack.
Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
|
|
|
| |
Do not use obsolete definitions in libnftnl.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 8bd99f2fca7e ("mnl: don't send empty set elements netlink message
to kernel") broke set flush because we still need to send the netlink
message with no elements to flush sets.
To avoid more whack-a-mole games, add a new explicit function
mnl_nft_setelem_batch_flush() that is used to request a set flush,
instead of reusing the one that allows us to explicitly delete given set
elements.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
so the user know how we express it.
The base was added to all symbol tables, which are associated with
datatype->sym_tbl, so they are displayed in the right base.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
In IPv6 there is no checksum field. We always have to trigger layer 4
checksum mangling if any of the layer 3 pseudoheader fields are updated.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following command:
# nft --debug=mnl add rule x y flow table xyz { ip saddr timeout 30s counter }
breaks with EINVAL. The following netlink message is causing the
problem:
...
---------------- ------------------
| 0000000044 | | message length |
| 02572 | R--- | | type | flags |
| 0000000004 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 02 00 00 00 | | extra header |
|00008|--|00002| |len |flags| type|
| 78 79 7a 00 | | data | x y z
|00008|--|00004| |len |flags| type|
| 00 00 00 01 | | data |
|00006|--|00001| |len |flags| type|
| 78 00 00 00 | | data | x
---------------- ------------------
...
This is incorrect since this describes no elements at all, so it is
useless. Add upfront check before iterating over the list of set
elements so the netlink message is not placed in the batch.
This patch also adds a set so flow tables are minimally covered.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
So adding the same element doesn't trigger any error:
# nft add element filter bogons { 3.3.3.123/24 }
# nft add element filter bogons { 3.3.3.123/24 }
Still kernel reports an error if we use create instead:
# nft create element filter bogons { 3.3.3.123/24 }
<cmdline>:1:1-46: Error: Could not process rule: File exists
create element filter bogons { 3.3.3.123/24 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
interval_map_decompose() sets expr->len to zero. This causes problems
from expr_to_intervals() that calls range_expr_value_high() and
calculates:
expr->len - expr->prefix_len
this operation underflows, then mpz_init_bitmask() allocates a huge
bitmask.
Use expr_value(i)->len given that we already use this to calculate the
prefix length.
Reported-by: Richard Mörbitz <richard.moerbitz@tu-dresden.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
because the convention is to represent ports in base 10.
gcc-workaround is no longer needed and was removed.
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
nft describe displays, to the user, which values are available for a selector,
then the values should be in host byte order.
Variable size was replaced by len to better match the common pattern.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Fixes: ccc5da470e76 ("datatype: Replace getnameinfo() by internal lookup table")
Signed-off-by: Elise Lennion <elise.lennion@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
You can use this new command to remove all existing elements in a set:
# nft flush set filter xyz
After this command, the set 'xyz' in table 'filter' becomes empty.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch sets the NFT_PAYLOAD_L4CSUM_PSEUDOHDR when any of the
pseudoheader fields are modified. This implicitly enables stateless NAT,
that can be useful under some circuntances.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
Instead of returning ctx->cmd->table. Note that ctx->cmd->table and
ctx->table points to the same object when all commands are embedded into
the table definition. But this is not true if we mix table definitions
with linear list commands in one file that we load via nft -f.
Reported-by: Martin Bednar <martin@serafean.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After a flush, the cache should be empty, otherwise the cache and the expected
state are desynced, causing unwarranted errors. See
tests/shell/testcases/cache/0002_interval_0.
`flush table` and `flush chain` don't empty sets or destroy chains, so the cache
does not need an update in those cases, since only chain names and set contents
are held in cache for commands other than "list"
Reported-by: Leon Merten Lohse <leon@green-side.de>
Signed-off-by: Anatole Denis <anatole@rezel.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|