nft: Fix error reporting for refreshed transactions

When preparing a batch from the list of batch objects in nft_action(),
the sequence number used for each object is stored within that object
for later matching against returned error messages. Though if the
transaction has to be refreshed, some of those objects may be skipped,
other objects take over their sequence number and errors are matched to
skipped objects. Avoid this by resetting the skipped object's sequence
number to zero.

Fixes: 58d7de0181f61 ("xtables: handle concurrent ruleset modifications")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Reviewed-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/nft.c b/iptables/nft.c
index b148b8fafca1992782ba53d3cbb8ba7c69403dd2..3958bba25519f1a329d1a118e3a2248e81d6e88d 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2714,9 +2714,10 @@ retry:
        h->nft_genid++;
 
        list_for_each_entry(n, &h->obj_list, head) {
-
-               if (n->skip)
+               if (n->skip) {
+                       n->seq = 0;
                        continue;
+               }
 
                n->seq = seq++;
                switch (n->type) {