iptables-compat: fix empty chains after first invocation of iptables-compat -L

 # iptables-compat -L
 # iptables-compat -L
 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination

Note that the second (and follow up) invocations after the first one
display the chains.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index 52c89b94e4619e014aaea45aa9abca3217b59894..5492a8fd42ea0da4b2958125248aa4615475963c 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1937,8 +1937,14 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
        bool found = false;
 
        /* If built-in chains don't exist for this table, create them */
-       if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0)
+       if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) {
                nft_xt_builtin_init(h, table);
+               /* Force table and chain creation, otherwise first iptables -L
+                * lists no table/chains.
+                */
+               if (!list_empty(&h->obj_list))
+                       nft_commit(h);
+       }
 
        ops = nft_family_ops_lookup(h->family);