From: Florian Westphal
Date: Thu, 7 Mar 2019 22:20:11 +0000 (+0100)
Subject: netfilter: nf_tables: return immediately on empty commit
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=b8b27498659c65034032af79842913844a6cc79a;p=openwrt%2Fstaging%2Fblogic.git

netfilter: nf_tables: return immediately on empty commit

When running 'nft flush ruleset' while no rules exist, we will increment the generation counter and announce a new genid to userspace, yet nothing had changed in the first place.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9d8f51dfc593..513f93118604 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6564,6 +6564,11 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 struct nft_chain *chain;
 struct nft_table *table;
 
+ if (list_empty(&net->nft.commit_list)) {
+ mutex_unlock(&net->nft.commit_mutex);
+ return 0;
+ }
+
 /* 0. Validate ruleset, otherwise roll back for error reporting. */
 if (nf_tables_validate(net) < 0)
 return -EAGAIN;
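Review bot: The new early return drops commit_mutex before returning 0, while the -EAGAIN return two lines below leaves it held, and nothing in the hunk explains that asymmetry. Presumably the caller enters nf_tables_commit with commit_mutex held and the normal completion path (outside this hunk) releases it, with the abort handler releasing it on the -EAGAIN path; a maintainer adding another early exit could easily pick the wrong convention. A short comment on the new block would pin the contract: `/* Empty transaction: nothing to validate or announce; release commit_mutex as the normal completion path does (the -EAGAIN path below leaves it held for the abort handler). */`. nf_tables_commit's body starts before and continues past the hunk, so the matching unlock is not visible here and this reading should be confirmed against the function's tail and nf_tables_abort.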