mnl: don't set NLM_F_ACK flag in mnl_nft_rule_batch_[add|del]

If the NLM_F_ACK flag is unset, the kernel still explicitly reports
errors. Thus, we can save the handling of many explicit (useless) ack
messages that indicate success.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/mnl.c b/src/mnl.c
index 4f515e1462a2b5c29fed64ddd4de5840f9e2f4c1..fe218fccc807efa238a895291344c45270650783 100644 (file)
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -273,7 +273,7 @@ int mnl_nft_rule_batch_add(struct nft_rule *nlr, unsigned int flags,
        nlh = nft_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
                        NFT_MSG_NEWRULE,
                        nft_rule_attr_get_u32(nlr, NFT_RULE_ATTR_FAMILY),
-                       flags|NLM_F_ACK|NLM_F_CREATE, seqnum);
+                       flags|NLM_F_CREATE, seqnum);
 
        nft_rule_nlmsg_build_payload(nlh, nlr);
        if (!mnl_nlmsg_batch_next(batch))
@@ -290,7 +290,7 @@ int mnl_nft_rule_batch_del(struct nft_rule *nlr, unsigned int flags,
        nlh = nft_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
                        NFT_MSG_DELRULE,
                        nft_rule_attr_get_u32(nlr, NFT_RULE_ATTR_FAMILY),
-                       NLM_F_ACK, seqnum);
+                       0, seqnum);
 
        nft_rule_nlmsg_build_payload(nlh, nlr);