xtables: Fix for no output on first iptables-nft invocation

Fix the same issue commit a4e78370af849 ("iptables-compat: fix empty
chains after first invocation of iptables-compat -L") fixed back in
2014. Seems like some changes since then broke it again.

This time, existing cache not containing the added table/chains gets
into the way, so clear it if nft_commit() was called.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/nft.c b/iptables/nft.c
index 098b37ed8050e6031f50a101c585015a4b14bae5..f9bd0ed22a6746187804850b3a7a681b2ae94741 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2235,8 +2235,10 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
                /* Force table and chain creation, otherwise first iptables -L
                 * lists no table/chains.
                 */
-               if (!list_empty(&h->obj_list))
+               if (!list_empty(&h->obj_list)) {
                        nft_commit(h);
+                       flush_chain_cache(h, NULL);
+               }
        }
 
        ops = nft_family_ops_lookup(h->family);