author | Phil Sutter <phil@nwl.cc> | 2019-06-04 19:31:51 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-06-06 11:19:19 +0200 |
commit | e0aace9434129fecd1ca2094f09dbeec46957ec3 (patch) | |
tree | a722dc056a00c037262ef0f8a0fbd21068fd8271 | |
parent | 5c1c6028dbd54dd56e57fb8a18d1e7e61586e8bf (diff) |
libnftables: Drop cache in error case
If a transaction is rejected by the kernel (for instance due to a
semantic error), cache contents are potentially invalid. Release the
cache in that case to avoid the inconsistency.
The problem is easy to reproduce in an interactive session:
| nft> list ruleset
| table ip t {
| chain c {
| }
| }
| nft> flush ruleset; add rule ip t c accept
| Error: No such file or directory
| flush ruleset; add rule ip t c accept
| ^
| nft> list ruleset
| nft>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/libnftables.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libnftables.c b/src/libnftables.c index 4bb770c0..eae78e8b 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -449,6 +449,8 @@ err: nft_output_json(&nft->output) && nft_output_echo(&nft->output)) json_print_echo(nft); + if (rc) + cache_release(&nft->cache); return rc; } @@ -497,6 +499,8 @@ err: nft_output_json(&nft->output) && nft_output_echo(&nft->output)) json_print_echo(nft); + if (rc) + cache_release(&nft->cache); return rc; } |
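Review bot: In the first hunk (@@ -449,6 +449,8 @@), the new `if (rc) cache_release(&nft->cache);` releases the cache whenever rc is nonzero at `err:`, and nothing in the visible context restricts that to a batch the kernel actually rejected, so any error reaching this label costs a full cache rebuild on the next command. That is an acceptable trade-off for correctness, but the check should carry a one-line comment saying why the cache cannot be trusted after a failed run, so a later change does not narrow the condition and bring back the empty `list ruleset` shown in the commit message.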
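Review bot: The second hunk (@@ -497,6 +499,8 @@) duplicates the exact two lines from the first hunk at another `err:` label, and the surrounding `json_print_echo(nft); ... return rc;` tail is already identical in both places, so the two error paths will drift apart. Consider folding the echo call and the new `if (rc) cache_release(&nft->cache);` into one small shared error-exit helper called from both sites, or at minimum add a comment at each that the other copy must be kept in sync.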