Previous attempt at fixing for non-existent chains actually broke
functionality by adding a check for NFTNL_CHAIN_HANDLE right after
unsetting the attribute.

The approach was flawed for another reason, too: Base chains added in
the same batch (cf. iptables-restore) have no handle either but zeroing
them may still be sensible.

Instead, make use of the new fake chain annotation which identifies
fakes more reliably.

Fixes: f462975fb8049 ("nft: Fix for zeroing non-existent builtin chains")
Signed-off-by: Phil Sutter <phil@nwl.cc>

if (!o)
return -1;
/* may skip if it is a fake entry */
- o->skip = !nftnl_chain_is_set(c, NFTNL_CHAIN_HANDLE);
+ o->skip = nc->fake;
}
iter = nftnl_rule_iter_create(c);
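Review bot: On the `o->skip = nc->fake;` line, the hunk shows no declaration of `nc`, and the iterator below is still created from `c`, so please confirm in the full function that `nc` is always valid here and wraps the same chain as `c`. The comment above the assignment ("may skip if it is a fake entry") could state that the skip now follows the fake annotation rather than a missing handle. Since the commit message names base chains added in the same batch (cf. iptables-restore) as a case the old check got wrong, a regression test that zeroes such a chain within one restore batch would keep this from breaking a second time.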