From: Phil Sutter Date: Thu, 25 Jul 2019 15:19:13 +0000 (+0200) Subject: nft: Set errno in nft_rule_flush() X-Git-Tag: v1.8.4~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=719940f6f48d98f5b7aebe7562948f2cff6f5cf8;p=thirdparty%2Fiptables.git nft: Set errno in nft_rule_flush() When trying to flush a non-existent chain, errno gets set in nft_xtables_config_load(). That is an unintended side-effect and when support for xtables.conf is later removed, iptables-nft will emit the generic "Incompatible with this kernel." error message instead of "No chain/target/match by that name." as it should. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- diff --git a/iptables/nft.c b/iptables/nft.c index cd42af70..9f8df541 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1804,8 +1804,10 @@ int nft_rule_flush(struct nft_handle *h, const char *chain, const char *table, if (chain) { c = nftnl_chain_list_lookup_byname(list, chain); - if (!c) + if (!c) { + errno = ENOENT; return 0; + } __nft_rule_flush(h, table, chain, verbose, false); flush_rule_cache(c);
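Review bot: The new `errno = ENOENT;` in the `if (!c)` branch of nft_rule_flush() comes with no test, although the commit message says the user-visible message depends on it and that the old side effect in nft_xtables_config_load() is going away. Please add a test case that flushes a non-existent chain and checks for "No chain/target/match by that name." so a regression is caught once xtables.conf support is removed. A one-line comment above the assignment saying that the caller turns errno into the error string would also help, since `return 0;` alone does not show that errno is part of this function's contract. The diff touches only this branch and adds no include, so confirm that `<errno.h>` is already pulled in by iptables/nft.c and that any other failure returns in this function set errno themselves rather than inheriting a stale value.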