If a transaction is rejected by the kernel (for instance due to a
semantic error), cache contents are potentially invalid. Release the
cache in that case to avoid the inconsistency.

The problem is easy to reproduce in an interactive session:

| nft> list ruleset
| table ip t {
| chain c {
| }
| }
| nft> flush ruleset; add rule ip t c accept
| Error: No such file or directory
| flush ruleset; add rule ip t c accept
| ^
| nft> list ruleset
| nft>

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
nft_output_json(&nft->output) &&
nft_output_echo(&nft->output))
json_print_echo(nft);
+ if (rc)
+ cache_release(&nft->cache);
return rc;
}
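Review bot: The added `if (rc)` check just before `return rc;` carries no comment explaining why a failed run drops the cache, and it fires on every non-zero rc, while the commit message only describes the case where the kernel rejects the transaction. A one-line comment above it, noting that the cache may hold changes from a transaction that was never committed, would keep a later reader from narrowing or removing the check. If rc can also be non-zero before anything is sent to the kernel, state whether releasing a still-valid cache in that case is intended.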
nft_output_json(&nft->output) &&
nft_output_echo(&nft->output))
json_print_echo(nft);
+ if (rc)
+ cache_release(&nft->cache);
return rc;
}
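Review bot: The two added lines `if (rc)` and `cache_release(&nft->cache);` repeat the previous hunk verbatim at the end of a second function, so the two error paths can drift apart when one is changed later. Consider moving the release into a small shared helper called from both places. A regression test built from the interactive reproduction in the commit message (a `flush ruleset` combined with a failing `add rule`, followed by `list ruleset`) would confirm that the table and chain are still listed after the rejected transaction.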