nft: don't print rule counters unless verbose
authorEric Garver <e@erig.me>
Wed, 1 Aug 2018 19:36:26 +0000 (15:36 -0400)
committerFlorian Westphal <fw@strlen.de>
Wed, 1 Aug 2018 20:06:50 +0000 (22:06 +0200)
Currently rule counters are always printed, but that's not the desired
behavior. We should only print them with the verbose flag. This broke
when the arguments of nft_rule_print_save() were changed to accept the
format instead of a counters flag.

Fixes: cdc78b1d6bd7 ("nft: convert rule into a command state structure")
Signed-off-by: Eric Garver <e@erig.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/nft.c
iptables/tests/shell/testcases/ipt-save/0005iptables_0 [new file with mode: 0755]

index 347a4438e7bca4d2601e17f63b26a2cc973bd48d..a9cb92edbf1112723d41653518ab51cd38dd2945 100644 (file)
@@ -2270,7 +2270,7 @@ err:
 static void
 list_save(struct nftnl_rule *r, unsigned int num, unsigned int format)
 {
-       nft_rule_print_save(r, NFT_RULE_APPEND, !(format & FMT_NOCOUNTS));
+       nft_rule_print_save(r, NFT_RULE_APPEND, format);
 }
 
 static int
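Review bot: `list_save()` has no comment stating that the third argument it hands to `nft_rule_print_save()` is the full `FMT_*` bitmask rather than a counters boolean, which is the mix-up the commit message names as the cause of the regression. Both forms are plain `unsigned int` values, so the compiler cannot flag a caller that passes the wrong one. I would add above the function something like `/* format is the FMT_* bitmask, passed through unchanged; nft_rule_print_save() interprets FMT_NOCOUNTS itself */`, after confirming that against the callee, which is not visible in this hunk. The `num` parameter is unused in the visible body, presumably because the signature is fixed by a callback type; if so, the same comment should say it.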
diff --git a/iptables/tests/shell/testcases/ipt-save/0005iptables_0 b/iptables/tests/shell/testcases/ipt-save/0005iptables_0
new file mode 100755 (executable)
index 0000000..d5eb76a
--- /dev/null
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -e
+
+tmpfile1=$(mktemp)
+tmpfile2=$(mktemp)
+
+clean_tmpfile()
+{
+       rm -f "$tmpfile1" "$tmpfile2"
+}
+
+trap clean_tmpfile EXIT
+
+
+cat > $tmpfile1<<EOF
+-P INPUT ACCEPT
+-P FORWARD ACCEPT
+-P OUTPUT ACCEPT
+-N FOO
+-A FOO -j DROP
+EOF
+
+$XT_MULTI iptables -N FOO
+$XT_MULTI iptables -A FOO -j DROP
+$XT_MULTI iptables -S > $tmpfile2
+
+diff -u $tmpfile1 $tmpfile2
+
+rm -f $tmpfile1 $tmpfile2
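Review bot: The new test pins only the non-verbose `iptables -S` output, so a later change that stops printing counters altogether would still pass. A second comparison of `$XT_MULTI iptables -v -S` against an expected file that includes the counter fields would cover both sides of the flag. The temp-file expansions in `cat > $tmpfile1`, `-S > $tmpfile2`, `diff -u` and the last `rm -f` are unquoted, although `clean_tmpfile` quotes them; `diff -u "$tmpfile1" "$tmpfile2"` is the consistent form. The closing `rm -f` repeats what the `EXIT` trap already does and can be dropped.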