From: Phil Sutter Date: Sat, 27 Jul 2024 14:04:31 +0000 (+0200) Subject: nft: Fix for zeroing existent builtin chains X-Git-Tag: v1.8.11~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6a2aeda7585e07c0fcccb0c788299ab5a6a85881;p=thirdparty%2Fiptables.git nft: Fix for zeroing existent builtin chains Previous attempt at fixing for non-existent chains actually broke functionality by adding a check for NFTNL_CHAIN_HANDLE right after unsetting the attribute. The approach was flawed for another reason, too: Base chains added in the same batch (cf. iptables-restore) have no handle either but zeroing them may still be sensible. Instead, make use of the new fake chain annotation which identifies fakes more reliably. Fixes: f462975fb8049 ("nft: Fix for zeroing non-existent builtin chains") Signed-off-by: Phil Sutter --- diff --git a/iptables/nft.c b/iptables/nft.c index fde3db2a..243b794f 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -3853,7 +3853,7 @@ static int __nft_chain_zero_counters(struct nft_chain *nc, void *data) if (!o) return -1; /* may skip if it is a fake entry */ - o->skip = !nftnl_chain_is_set(c, NFTNL_CHAIN_HANDLE); + o->skip = nc->fake; } iter = nftnl_rule_iter_create(c);
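Review bot: the replacement `o->skip = nc->fake;` depends on the `fake` member of `struct nft_chain` that the message only describes as "the new fake chain annotation"; since the Fixes: tag points at f462975fb8049 alone, a stable maintainer cherry-picking this hunk will hit a build failure unless the annotation commit is named as a dependency in the message, so please reference it explicitly. It would also help to add a testcase for the iptables-restore scenario the message identifies (zeroing counters of a base chain created in the same batch, which has no handle yet), because that is precisely the input on which the old NFTNL_CHAIN_HANDLE test gave the wrong answer and a regression would otherwise go unnoticed again.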