From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 11 May 2026 19:51:43 +0000 (+0200)
Subject: cache: honor -c/--check for reset commands
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25f2ff13cf6bc84a16febddcf8c3eda2018c7ece;p=thirdparty%2Fnftables.git

cache: honor -c/--check for reset commands

Currently:

  nft -c reset rules ip x

ignores -c/--check.

The reset and list commands use the netlink GET/DUMP nfnetlink API which
provides no check semantics, compared to the NEW/DELETE nfnetlink batch
API which indeed does.

Emulate -c/--check for the reset command by handling this as a list
command, so the state of the objects is just listed, not reset. This
allows to check for presence and dump the content of the objects.

Fixes: dbff26bfba83 ("cache: consolidate reset command")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/cache.c b/src/cache.c
index bad82753..75b4877d 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -516,7 +516,10 @@ int nft_cache_evaluate(struct nft_ctx *nft, struct list_head *cmds,
 			flags = evaluate_cache_get(cmd, flags);
 			break;
 		case CMD_RESET:
-			flags = evaluate_cache_reset(cmd, flags, filter);
+			if (nft->check)
+				flags = evaluate_cache_list(nft, cmd, flags, filter);
+			else
+				flags = evaluate_cache_reset(cmd, flags, filter);
 			break;
 		case CMD_LIST:
 			flags = evaluate_cache_list(nft, cmd, flags, filter);