nft: Create builtin chains with counters enabled
authorPhil Sutter <phil@nwl.cc>
Thu, 10 Aug 2023 09:30:59 +0000 (11:30 +0200)
committerPhil Sutter <phil@nwl.cc>
Thu, 10 Aug 2023 12:14:25 +0000 (14:14 +0200)
The kernel enables policy counters for nftables chains only if
NFTA_CHAIN_COUNTERS attribute is present. For this to be generated, one
has to set NFTNL_CHAIN_PACKETS and NFTNL_CHAIN_BYTES attributes in the
allocated nftnl_chain object.

The above happened for base chains only when iptables-nft-restore was
called with the --counters flag. Since this is very unintuitive to users,
fix the situation by adding counters to base chains in any case.

Fixes: 384958620abab ("use nf_tables and nf_tables compatibility interface")
Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft.c

index 326dc20b21d652b27c3b2ae9e9e92f04c850fffc..97fd4f49fdb4cf38cf74d24d9de0b44383e809ce 100644 (file)
@@ -701,6 +701,9 @@ nft_chain_builtin_alloc(int family, const char *tname,
 
        nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type);
 
+       nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, 0);
+       nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, 0);
+
        return c;
 }
 
@@ -961,6 +964,7 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
                                       int policy,
                                       const struct xt_counters *counters)
 {
+       static const struct xt_counters zero = {};
        struct nftnl_chain *c;
        const struct builtin_table *_t;
        const struct builtin_chain *_c;
@@ -985,12 +989,10 @@ static struct nftnl_chain *nft_chain_new(struct nft_handle *h,
                return NULL;
        }
 
-       if (counters) {
-               nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES,
-                                       counters->bcnt);
-               nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS,
-                                       counters->pcnt);
-       }
+       if (!counters)
+               counters = &zero;
+       nftnl_chain_set_u64(c, NFTNL_CHAIN_BYTES, counters->bcnt);
+       nftnl_chain_set_u64(c, NFTNL_CHAIN_PACKETS, counters->pcnt);
 
        return c;
 }
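Review bot: The zero-valued NFTNL_CHAIN_PACKETS/NFTNL_CHAIN_BYTES settings added in nft_chain_builtin_alloc (first hunk) and the `zero` fallback in nft_chain_new (last hunk) carry no comment saying why a counter value of 0 is deliberately sent, so the rationale lives only in this commit message and a later cleanup could drop the calls as redundant. A one-line comment above the new `nftnl_chain_set_u64` calls in both places would preserve it: `/* Always send counters: the kernel enables policy counters only when NFTA_CHAIN_COUNTERS is present. */`. In the middle hunk, `static const struct xt_counters zero = {};` relies on the empty-brace initializer, which is a GNU extension before C23; `static const struct xt_counters zero = {0};` is the portable spelling if the project cares about -pedantic builds. The first hunk sets PACKETS before BYTES while the last hunk sets BYTES before PACKETS; harmless, but aligning the order would make the two sites easier to compare. nft_chain_builtin_alloc's body starts outside the first hunk.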