authorEric Garver <e@erig.me>2018-08-01 15:36:26 -0400
committerFlorian Westphal <fw@strlen.de>2018-08-01 22:06:50 +0200
commited30b9311d2bf3758463a353bf8a9dbb42a4e1cb (patch)
treea9c4f8ae31ea010c1731b9ed0da840a75d9f4398 /iptables
parent31e4b5906ff676a3c13060d6f456d72b7f6c90c2 (diff)
nft: don't print rule counters unless verbose
Currently rule counters are always printed, but that's not the desired behavior. We should only print them with the verbose flag. This broke when the arguments of nft_rule_print_save() were changed to accept the format instead of a counters flag. Fixes: cdc78b1d6bd7 ("nft: convert rule into a command state structure") Signed-off-by: Eric Garver <e@erig.me> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables')
-rw-r--r--iptables/nft.c2
-rwxr-xr-xiptables/tests/shell/testcases/ipt-save/0005iptables_030
2 files changed, 31 insertions, 1 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 347a4438..a9cb92ed 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2270,7 +2270,7 @@ err:
static void
list_save(struct nftnl_rule *r, unsigned int num, unsigned int format)
{
- nft_rule_print_save(r, NFT_RULE_APPEND, !(format & FMT_NOCOUNTS));
+ nft_rule_print_save(r, NFT_RULE_APPEND, format);
}
static int
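Review bot: The third parameter of nft_rule_print_save() stayed a plain `unsigned int` when, per the commit message, its meaning changed from a counters flag to a format mask, so a stale boolean such as the removed `!(format & FMT_NOCOUNTS)` compiles without any warning. Other callers are not visible in this hunk and are worth checking for the same leftover. A short comment above list_save() would record the contract, for example `/* format is the FMT_* bitmask, passed through unchanged; the callee handles FMT_NOCOUNTS */`. The `num` parameter is unused in the body shown.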
diff --git a/iptables/tests/shell/testcases/ipt-save/0005iptables_0 b/iptables/tests/shell/testcases/ipt-save/0005iptables_0
new file mode 100755
index 00000000..d5eb76a7
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0005iptables_0
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp)
+tmpfile2=$(mktemp)
+
+clean_tmpfile()
+{
+ rm -f "$tmpfile1" "$tmpfile2"
+}
+
+trap clean_tmpfile EXIT
+
+
+cat > $tmpfile1<<EOF
+-P INPUT ACCEPT
+-P FORWARD ACCEPT
+-P OUTPUT ACCEPT
+-N FOO
+-A FOO -j DROP
+EOF
+
+$XT_MULTI iptables -N FOO
+$XT_MULTI iptables -A FOO -j DROP
+$XT_MULTI iptables -S > $tmpfile2
+
+diff -u $tmpfile1 $tmpfile2
+
+rm -f $tmpfile1 $tmpfile2
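Review bot: The test pins only the non-verbose listing, so a regression in the other direction (counters missing under `-v`) would still pass. A second check along the lines of `$XT_MULTI iptables -v -S | grep -q -- ' -c '` would cover the verbose path, with the exact counter format confirmed against the tool's real output. The temp-file paths are unquoted in the redirections and in `diff -u $tmpfile1 $tmpfile2`, which fails if TMPDIR contains whitespace; quoting them as `"$tmpfile1"` would match what clean_tmpfile already does. The trailing `rm -f` duplicates the EXIT trap and can be dropped.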