nft: Set errno in nft_rule_flush()
authorPhil Sutter <phil@nwl.cc>
Thu, 25 Jul 2019 15:19:13 +0000 (17:19 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 29 Jul 2019 13:17:51 +0000 (15:17 +0200)
When trying to flush a non-existent chain, errno gets set in
nft_xtables_config_load(). That is an unintended side-effect and when
support for xtables.conf is later removed, iptables-nft will emit the
generic "Incompatible with this kernel." error message instead of "No
chain/target/match by that name." as it should.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft.c

index cd42af70b54ef99284b50da5a7bd6c982d1bac71..9f8df5414d4c4d4cb7bd2b5a359087b26a239c86 100644 (file)
@@ -1804,8 +1804,10 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table,
 
        if (chain) {
                c = nftnl_chain_list_lookup_byname(list, chain);
-               if (!c)
+               if (!c) {
+                       errno = ENOENT;
                        return 0;
+               }
 
                __nft_rule_flush(h, table, chain, verbose, false);
                flush_rule_cache(c);
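Review bot: The added `errno = ENOENT;` in the `if (!c)` branch carries no comment, although, per the commit message, it is what selects the user-facing error text once the function returns 0. A one-line comment above it, for example `/* errno selects the error text; set it here rather than rely on a callee's side effect */`, would stop the assignment from looking redundant and being dropped in a later cleanup. nft_rule_flush() starts and ends outside this hunk, so its other failure returns cannot be checked from here. It is worth confirming that each of them also sets errno explicitly, because a stale value gives the operator a misleading reason for a failed firewall flush.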