summaryrefslogtreecommitdiffstats
path: root/iptables
Commit message (Collapse)AuthorAgeFilesLines
* xtables-restore: remove dependency with libip4tcPablo Neira Ayuso2014-02-041-1/+5
| | | | | | | Add a new operation structure, we don't actually need the libip4tc definition. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Use new libnftnl library name against former libnftablesTomasz Bursztyka2014-01-208-18/+18
| | | | | | | Adapt the current code to use the new library name libnftnl. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix inconsistent data type in NFT_EXPR_CMP_OP and NFT_EXPR_META_KEYPablo Neira Ayuso2014-01-102-9/+9
| | | | | | | We have to use uint32_t instead uint8_t to adapt this to the libnftables changes. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong function to release iteratorPablo Neira Ayuso2013-12-301-1/+1
| | | | | | | | | | | | | nft.c: In function ‘nft_xtables_config_load’: nft.c:2522:3: warning: passing argument 1 of ‘nft_table_list_iter_destroy’ from incompatible pointer type [enabled by default] In file included from nft.c:41:0: /usr/include/libnftables/table.h:64:6: note: expected ‘struct nft_table_list_iter *’ but argument is of type ‘struct nft_chain_list_iter *’ Introduced in (12eb85b nft: fix memory leaks in nft_xtables_config_load) but that was my fault indeed since Ana sent a v2 patch that I have overlook. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: fix memory leaks in nft_finiAna Rey2013-12-301-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Those errors are shown with valgrind tool: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 ==12554== 40 bytes in 1 blocks are still reachable in loss record 1 of 10 ==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270) ==12554== by 0x574D755: mnl_nlmsg_batch_start (nlmsg.c:447) ==12554== by 0x416520: nft_action (nft.c:2281) ==12554== by 0x41355E: xtables_main (xtables-standalone.c:75) ==12554== by 0x5B87994: (below main) (libc-start.c:260) ==12554== 135,168 bytes in 1 blocks are still reachable in loss record 9 of 10 ==12554== at 0x4C2935B: malloc (vg_replace_malloc.c:270) ==12554== by 0x415A24: mnl_nft_batch_alloc (nft.c:102) ==12554== by 0x416520: nft_action (nft.c:2281) ==12554== by 0x41355E: xtables_main (xtables-standalone.c:75) ==12554== by 0x5B87994: (below main) (libc-start.c:260) These objects are allocated from nft_init but they were not released appropriately in the exit path. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix memory leaks in nft_xtables_config_loadAna Rey2013-12-301-10/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Those errors are shown with the valgrind tool: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 ==7377== ==7377== 16 bytes in 1 blocks are definitely lost in loss record 2 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x5955B02: nft_table_list_alloc (table.c:425) ==7377== by 0x4186EB: nft_xtables_config_load (nft.c:2427) ==7377== by 0x4189E6: nft_rule_append (nft.c:991) ==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424) ==7377== by 0x41524A: do_commandx (xtables.c:1176) ==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72) ==7377== by 0x5B87994: (below main) (libc-start.c:260) ==7377== ==7377== 16 bytes in 1 blocks are definitely lost in loss record 3 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x5956A32: nft_chain_list_alloc (chain.c:888) ==7377== by 0x4186F3: nft_xtables_config_load (nft.c:2428) ==7377== by 0x4189E6: nft_rule_append (nft.c:991) ==7377== by 0x413A7D: add_entry.isra.6 (xtables.c:424) ==7377== by 0x41524A: do_commandx (xtables.c:1176) ==7377== by 0x4134DC: xtables_main (xtables-standalone.c:72) ==7377== by 0x5B87994: (below main) (libc-start.c:260) Fix these leaks and consolidate error handling in the exit path of nft_xtables_config_load Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-standalone: call nft_fini in the error pathAna Rey2013-12-301-0/+3
| | | | | | | | | | | | | | | | | | | This error is shown with valgrind tools: valgrind --leak-check=full xtables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT ==7377== 16 bytes in 1 blocks are still reachable in loss record 1 of 14 ==7377== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==7377== by 0x574CC76: mnl_socket_open (socket.c:117) ==7377== by 0x417495: nft_init (nft.c:598) ==7377== by 0x4134C2: xtables_main (xtables-standalone.c:64) ==7377== by 0x5B87994: (below main) (libc-start.c:260) This patch calls nft_fini to release the objects that have been allocated in nft_init. This function was not used so far. Signed-off-by: Ana Rey <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix out of bound memory copyPablo Neira Ayuso2013-12-301-9/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Valgrind reports an invalid read after a memory block: ==11114== Invalid read of size 8 ==11114== at 0x4C2DB02: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:877) ==11114== by 0x41788E: add_match (nft.c:781) ==11114== by 0x41B54C: nft_ipv4_add (nft-ipv4.c:72) ==11114== by 0x415DF2: nft_rule_new.isra.2 (nft.c:945) ==11114== by 0x418ACE: nft_rule_append (nft.c:1000) ==11114== by 0x413A92: add_entry.isra.6 (xtables.c:424) ==11114== by 0x4152DE: do_commandx (xtables.c:1184) ==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72) ==11114== by 0x5B87994: (below main) (libc-start.c:260) ==11114== Address 0x61399e8 is 8 bytes after a block of size 48 alloc'd ==11114== at 0x4C2B514: calloc (vg_replace_malloc.c:593) ==11114== by 0x52448C8: xtables_calloc (xtables.c:272) ==11114== by 0x410AC2: command_default (xshared.c:150) ==11114== by 0x4149A2: do_commandx (xtables.c:1075) ==11114== by 0x4134E8: xtables_main (xtables-standalone.c:72) ==11114== by 0x5B87994: (below main) (libc-start.c:260) m->u.match_size also contains the size of the xt_entry_match structure. Fix also the target path which is very similar. Reported-by: Ana Rey Botello <anarey@gmail.com> Tested-by: Ana Rey Botello <anarey@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix inversion of built-in selectorsPablo Neira Ayuso2013-12-302-0/+8
| | | | | | | | | | (0ab045f xtables: fix missing ipt_entry for MASQUERADE target) broke inversion of built-in selectors, such as -s, -d, etc. We need to refresh the invflags if -p is used or set it for first time if -p is not used, otherwise inversion is ignored. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-events: fix compilation due change in libnftablesPablo Neira Ayuso2013-12-301-2/+2
| | | | | | | | The patch (989b793 src: unify parse and output types) changed the table and chain type definitions, adapt this code to use the new ones. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: inhibit -l option so only a fixed 6 bytes length arhln can be usedTomasz Bursztyka2013-12-301-0/+7
| | | | | | | | | | | This is a temporary workaround mechanism until variable interface hardware address length can be handled through nftables. This defaults on the length of EUI-64 mac address, which should be the most common usage until this is appropriately fixed for all type of layer 2 addresses. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: Fix a compilation warningTomasz Bursztyka2013-12-301-4/+4
| | | | | | | | | | This fixes such warning: xtables-arp.c: In function ‘check_inverse’: xtables-arp.c:561:54: attention : declaration of ‘optind’ shadows a global declaration [-Wshadow] Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: arp: fix possible string overflowGiuseppe Longo2013-12-302-3/+6
| | | | | | | | | | | | | | This patch replaces strcat with strncat and strcpy with strncpy fixing possible string overflow. Based on the original patch: http://patchwork.ozlabs.org/patch/279672/ from Jaromír Končický via Jiri Popelka. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix interface wildcard matchingPablo Neira Ayuso2013-12-301-22/+16
| | | | | | | | | | | | | | In (73ea1cc nft: convert rule into a command state structure), the interface wildcard matching got broken. The previous handling was flawed by the use of ifnametoindex in scenario where the interface may vanished after a rule was added. This approach relies on the trailing '\0' to identify if this is an exact or wildcard matching, based on discussion with Florian. Based on initial patch from Anand Raj Manickam. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix bad length when comparing extension data areaPablo Neira Ayuso2013-12-301-4/+2
| | | | | | | | | | | | | | | | Use ->userspacesize to compare the extension data area, otherwise we also compare the internal private pointers which are only meaningful to the kernelspace. This fixes: xtables -4 -D INPUT -m connlimit \ --connlimit-above 10 --connlimit-mask 32 --connlimit-daddr But it also fixes many other matches/targets which use internal private data. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: pass ipt_entry to ->save_firewall hookPablo Neira Ayuso2013-12-302-5/+7
| | | | | | | | | | | | The extension needs the ipt_entry not to crash. Since cs->fw actually points to an union that also contains cs->fw6, just pass cs->fw to make it work. This fixes: -A INPUT -p tcp -m multiport --ports 1,2,3,4,6,7,8,9,10,11,12,13,14,15 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: fix missing ipt_entry for MASQUERADE targetPablo Neira Ayuso2013-12-304-12/+37
| | | | | | | | | | | | | | | | | The MASQUERADE target relies on the ipt_entry information that is set in ->post_parse, which is too late. Add a new hook called ->pre_parse, that sets the protocol information accordingly. Thus: xtables -4 -A POSTROUTING -t nat -p tcp \ -j MASQUERADE --to-ports 1024 works again. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: arp: add parse_target to nft_family_ops_arpGiuseppe Longo2013-12-301-0/+1
| | | | | | | | | | | | This patch adds parse_target for arp family, fixing segfaults for xtables-arp -L after rules like: xtables-arp -A OUTPUT -o eth0 -j CLASSIFY --set-class 0:7 xtables-arp -A OUTPUT -o eth1 --h-length 6 \ -j mangle --mangle-mac-s 01:00:5e:00:01:01 Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: arp: initialize flags in nft_arp_parse_metaGiuseppe Longo2013-12-301-1/+1
| | | | | | | | This small patch initialize the flags in nft_arp_parse_meta, now the nft_arp_rule_find is working properly. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong target sizeTomasz Bursztyka2013-12-301-2/+5
| | | | | | | The allocated area was not aligned. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: Parse properly target optionsTomasz Bursztyka2013-12-301-2/+4
| | | | | | | Target never gets its options parsed. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Header inclusion missingTomasz Bursztyka2013-12-301-0/+1
| | | | | | | | | | | | Fixes compilation issues. nft-shared.c: In function ‘nft_ipv46_rule_find’: nft-shared.c:725:2: warning: implicit declaration of function ‘nft_rule_print_save’ [-Wimplicit-function-declaration] nft-shared.c:725:32: error: ‘NFT_RULE_APPEND’ undeclared (first use in this function) nft-shared.c:725:32: note: each undeclared identifier is reported only once for each function it appears in Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: Store target entry properly and compare them relevantlyTomasz Bursztyka2013-12-303-29/+27
| | | | | | | Fixes a segfault issue when deleting a rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: batch rule-set updates into one single netlink messagePablo Neira Ayuso2013-12-305-116/+324
| | | | | | | | With this patch, all rule-set updates are put in one single batch of netlink messages that is sent to user-space using the new nfnetlink batch infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: zeroing chain countersGiuseppe Longo2013-12-301-3/+2
| | | | | | | This small patch permit to reset the chain counters. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: add delete operationGiuseppe Longo2013-12-301-5/+28
| | | | | | | | The following patch permit to delete the rules specifying an entry or a rule number. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: adapt nft_rule_expr_get to use uint32_t instead of size_tPablo Neira Ayuso2013-12-301-4/+4
| | | | | | | According to libnftables change 437d610, now the length obtained via getter function is uint32_t, not size_t anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: arp: add rule replacement supportGiuseppe Longo2013-12-301-4/+18
| | | | | | | The following patch permit to replace rule in xtables-arp. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_* functions to support ARPPablo Neira Ayuso2013-12-303-167/+22
| | | | | | | | | | | | This should help to avoid code duplication to support ARP. As a result, we have a common generic infrastructure for IPv4, IPv6 and ARP. This patch removes nft_arp_rule_append and nft_arp_rule_insert, which were very similar to their original nft_rule_append and nft_rule_insert. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_new to support ARPPablo Neira Ayuso2013-12-305-92/+90
| | | | | | | | This patch removes nft_arp_rule_new, which almost a copy and paste of the original nft_rule_new. This patch generalizes the infrastructure to support ARP. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: consolidate nft_rule_find for ARP, IPv4 and IPv6Pablo Neira Ayuso2013-12-306-180/+168
| | | | | | | | | This patch kills nft_arp_rule_find, which is almost a copy and paste of the original nft_rule_find function. Refactor this function to move specific protocol parts to the corresponding nft-{ipv4,ipv6,arp}.c files. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft-arp: implements is_same op for ARP familyGiuseppe Longo2013-12-307-10/+76
| | | | | | | | The following patch implements the is_same operation for ARP family needed for searching arp rule. Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: nft-arp: fix endianess in nft_arp_parse_payloadPablo Neira Ayuso2013-12-301-6/+6
| | | | | | | | nft_arp_print_firewall already handles endianess appropriately. This fixes the output of the option that allows you to match ARP header fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: bootstrap ARP compatibility layer for nftablesGiuseppe Longo2013-12-3010-25/+2458
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch bootstraps ARP support for the compatibility layer: 1) copy original arptables code into xtables-arp.c 2) adapt it to fit into the existing nft infrastructure. 3) add the builtin table/chains for ARP. 4) add necessary parts so xtables-multi can provide xtables-arp. 5) add basic support for rule addition (-A), insertion (-I) and listing (-L). [ This was originally posted in a series of patches with interdependencies that I have collapsed to leave the repository in consistent state. This patch includes the following changes I made: * Rename from xtables-arptables to xtables-arp, previous name too long. * Remove nft-arptables.c, now we have one single nft-arp.c file. Moved specific ARP functions to nft.c. Those should go away at some point as some refactorization should allow to accomodate those functions to the existing infrastructure. * Fix --opcode Request/Reply, so we can do something useful with this like dropping ARP request/replies. --pablo ] Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: skip unset tables on table configuration emulationTomasz Bursztyka2013-12-301-0/+3
| | | | | | | | The ARP family has less tables, so skip iteration once we find a null one. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: generalize rule addition family hookPablo Neira Ayuso2013-12-303-3/+6
| | | | | | | | | | This should help Giuseppe with his ARP support works, this change was missing in (618309c nft: refactoring parse operations for more genericity). Based on patch from Giuseppe. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Fix a minor compilation warningTomasz Bursztyka2013-12-301-1/+1
| | | | | | | | | | | | nft-shared.c: In function ‘nft_rule_to_iptables_command_state’: nft-shared.c:454:22: warning: ‘jumpto’ may be used uninitialized in this function [-Wmaybe-uninitialized] nft-shared.c:432:14: note: ‘jumpto’ was declared here All verdicts are managed and jumpto has to get a value, but since the compiler complains, let's fix it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: refactoring parse operations for more genericityGiuseppe Longo2013-12-304-32/+72
| | | | | | | | This allows to reuse the nft_parse_* function for the bridge and arp family (not yet supported). Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: allow to reset the counters of an existing ruleTomasz Bursztyka2013-12-303-8/+43
| | | | | | | | | Now that we convert nft rules to native xt command structure, it's easier to reset the counters by replacing the existing rule by a new one with all counters set to zero. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: use xtables_print_numPablo Neira Ayuso2013-12-303-31/+6
| | | | | | So we can kill our own implementation. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: fix wrong flags handling in print_firewall_detailsPablo Neira Ayuso2013-12-304-38/+53
| | | | | | | | | | | | | | Unfortunately, IPT_F_* and IP6T_F_* don't overlap, therefore, we have to add an specific function to print the fragment flag, otherwise xtables -6 misinterprets the protocol flag, ie. Chain INPUT (policy ACCEPT) tcp -f ::/0 ::/0 Note that -f should not show up. This problem was likely added with the IPv6 support for the compatibility layer. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: convert rule into a command state structureTomasz Bursztyka2013-12-307-661/+303
| | | | | | | | This helps to reduce the code complexity to have one single common path for printing, saving and looking up for the rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: use xtables_rule_matches_freePablo Neira Ayuso2013-12-301-22/+1
| | | | | | | Thus, we can kill clear_rule_matches. Not required since we are based upon 1.4.19.1. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Print unknown target data only when relevantTomasz Bursztyka2013-12-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Bug is: xtables -N test xtables -A FORWARD -j test xtables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination test all -- anywhere anywhere [0 bytes of unknown target data] Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain test (1 references) target prot opt source destination "[0 bytes of unknown target data]" should not be printed in this case. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Generalize nft_rule_list() against current familyTomasz Bursztyka2013-12-305-264/+315
| | | | | | | | | | Now, firewall rule printing is done through nft_family_ops .print_firewall function. This moves generic part for ipv4 and ipv6 into nft-shared.c, and enables reusing nft_rule_list() for other family such as ARP which will be useful for arptables compatibility tool. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Remove useless test on rulenum in nft_rule_list()Tomasz Bursztyka2013-12-301-3/+2
| | | | | | | Rulenum is already handled before the loop, making this test useless. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Make internal rule listing callback more genericTomasz Bursztyka2013-12-301-12/+8
| | | | | | | | This will be useful for reusing nft_rule_list in other tools such as xtables-arptables. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Optimize rule listing when chain and rulenum are providedTomasz Bursztyka2013-12-301-4/+10
| | | | | | | | Thus, we can save some cycles by not dumping the entire chain list and looping on it. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: Remove useless functionTomasz Bursztyka2013-12-301-27/+0
| | | | | | | Likely to be a leftover from the initial bootstrap. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables: Do not dump before command parsing has been finishedTomasz Bursztyka2013-12-301-2/+8
| | | | | | | | On xtables-save.c, -d will not output right away but after the full command line hase been parsed. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>