From: Phil Sutter
Date: Tue, 4 Jun 2019 17:31:51 +0000 (+0200)
Subject: libnftables: Drop cache in error case
X-Git-Tag: v0.9.1~44
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e0aace943412;p=thirdparty%2Fnftables.git

libnftables: Drop cache in error case

If a transaction is rejected by the kernel (for instance due to a semantic error), cache contents are potentially invalid. Release the cache in that case to avoid the inconsistency. The problem is easy to reproduce in an interactive session:
| nft> list ruleset
| table ip t {
| chain c {
| }
| }
| nft> flush ruleset; add rule ip t c accept
| Error: No such file or directory
| flush ruleset; add rule ip t c accept
| ^
| nft> list ruleset
| nft>
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
diff --git a/src/libnftables.c b/src/libnftables.c
index 4bb770c0..eae78e8b 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -449,6 +449,8 @@ err:
 nft_output_json(&nft->output) &&
 nft_output_echo(&nft->output))
 json_print_echo(nft);
+ if (rc)
+ cache_release(&nft->cache);
 return rc;
 }

@@ -497,6 +499,8 @@ err:
 nft_output_json(&nft->output) &&
 nft_output_echo(&nft->output))
 json_print_echo(nft);
+ if (rc)
+ cache_release(&nft->cache);
 return rc;
 }
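Review bot: The added `if (rc) cache_release(&nft->cache);` at the tail of the `err:` path has no comment, so a reader of the function cannot tell that the cache is dropped because a rejected transaction may leave it out of step with the kernel's ruleset. I would put `/* transaction failed: cached ruleset may not match the kernel any more */` above the check. The second hunk (@@ -497) adds the same two lines verbatim, so the comment applies there as well, and the shared tail could live in one small static helper so the two entry points cannot drift apart. Both functions start outside the hunks, so it is not visible whether `rc` can also be non-zero for failures that never reached the kernel; releasing the cache then looks harmless, but it presumably costs a rebuild on the next command.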