rule: don't put NFTA_RULE_EXPRESSION into messages

If there are no expressions in this rule, skip the
NFTA_RULE_EXPRESSION attribute, otherwise it will be
empty.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/rule.c b/src/rule.c
index 2e7be6f7a209f61c8ef5f50d7513a86b60523860..3fac5c24deb1887292aefa43415a295a1c3e9705 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -264,11 +264,13 @@ void nft_rule_nlmsg_build_payload(struct nlmsghdr *nlh, struct nft_rule *r)
        if (r->flags & (1 << NFT_RULE_ATTR_FLAGS))
                mnl_attr_put_u32(nlh, NFTA_RULE_FLAGS, htonl(r->rule_flags));
 
-       nest = mnl_attr_nest_start(nlh, NFTA_RULE_EXPRESSIONS);
-       list_for_each_entry(expr, &r->expr_list, head) {
-               nft_rule_expr_build_payload(nlh, expr);
+       if (!list_empty(&r->expr_list)) {
+               nest = mnl_attr_nest_start(nlh, NFTA_RULE_EXPRESSIONS);
+               list_for_each_entry(expr, &r->expr_list, head) {
+                       nft_rule_expr_build_payload(nlh, expr);
+               }
+               mnl_attr_nest_end(nlh, nest);
        }
-       mnl_attr_nest_end(nlh, nest);
 
        if (r->flags & (1 << NFT_RULE_ATTR_COMPAT_PROTO) &&
            r->flags & (1 << NFT_RULE_ATTR_COMPAT_FLAGS)) {