authorPhil Sutter <>2020-05-06 13:33:20 +0200
committerPhil Sutter <>2020-05-11 14:28:29 +0200
commitb199aca80da5741add50cce244492cc005230b66 (patch)
treeb770ea139885a8734725b3c729a87e14a3437157 /iptables
parentb3b7eb6ce8773bcc76f603ebb0e606001894da34 (diff)
nft: Fix leak when replacing a rule
If nft_rule_append() is called with a reference rule, it is supposed to insert the new rule at the reference position and then remove the reference from cache. Instead, it removed the new rule from cache again right after inserting it. Also, it failed to free the removed rule. Fixes: 5ca9acf51adf9 ("xtables: Fix position of replaced rules in cache") Signed-off-by: Phil Sutter <>
Diffstat (limited to 'iptables')
1 files changed, 2 insertions, 1 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 01268f78..3c0daa8d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1429,7 +1429,8 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
if (ref) {
nftnl_chain_rule_insert_at(r, ref);
- nftnl_chain_rule_del(r);
+ nftnl_chain_rule_del(ref);
+ nftnl_rule_free(ref);
} else {
c = nft_chain_find(h, table, chain);
if (!c) {