libnftables: Drop cache in error case

If a transaction is rejected by the kernel (for instance due to a semantic error), cache contents are potentially invalid. Release the cache in that case to avoid the inconsistency. The problem is easy to reproduce in an interactive session: | nft> list ruleset | table ip t { | chain c { | } | } | nft> flush ruleset; add rule ip t c accept | Error: No such file or directory | flush ruleset; add rule ip t c accept | ^ | nft> list ruleset | nft> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Phil Sutter <phil@nwl.cc> 2019-06-04 19:31:51 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-06-06 11:19:19 +0200
commit: e0aace9434129fecd1ca2094f09dbeec46957ec3 (patch)
tree: a722dc056a00c037262ef0f8a0fbd21068fd8271
parent: 5c1c6028dbd54dd56e57fb8a18d1e7e61586e8bf (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libnftables.c b/src/libnftables.c
index 4bb770c0..eae78e8b 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -449,6 +449,8 @@ err:
 	    nft_output_json(&nft->output) &&
 	    nft_output_echo(&nft->output))
 		json_print_echo(nft);
+	if (rc)
+		cache_release(&nft->cache);
 	return rc;
 }
 
@@ -497,6 +499,8 @@ err:
 	    nft_output_json(&nft->output) &&
 	    nft_output_echo(&nft->output))
 		json_print_echo(nft);
+	if (rc)
+		cache_release(&nft->cache);
 	return rc;
 }
author	Phil Sutter <phil@nwl.cc>	2019-06-04 19:31:51 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2019-06-06 11:19:19 +0200
commit	e0aace9434129fecd1ca2094f09dbeec46957ec3 (patch)
tree	a722dc056a00c037262ef0f8a0fbd21068fd8271
parent	5c1c6028dbd54dd56e57fb8a18d1e7e61586e8bf (diff)