On Mon, May 20, 2019 at 04:41:15PM +0200, Pablo Neira Ayuso wrote:
> We need to re-evaluate based on the existing cache generation.
>
> Signed-off-by: Pablo Neira Ayuso <[email protected]>
> ---
> iptables/nft.c | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/iptables/nft.c b/iptables/nft.c
> index c1a079b734cf..bc3847d7ea47 100644
> --- a/iptables/nft.c
> +++ b/iptables/nft.c
> @@ -2782,10 +2782,10 @@ static void nft_refresh_transaction(struct nft_handle
> *h)
> if (!tablename)
> continue;
> exists = nft_table_find(h, tablename);
> - if (n->skip && exists)
> - n->skip = 0;
> - else if (!n->skip && !exists)
> + if (exists)
> n->skip = 1;
> + else
> + n->skip = 0;
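Review bot: the replacement in this hunk inverts the condition the removed lines implemented. The old `if (n->skip && exists) n->skip = 0; else if (!n->skip && !exists) n->skip = 1;` only ever cleared `skip` when the table exists and only ever set it when the table is missing, i.e. `skip` tracked `!exists`; the new `if (exists) n->skip = 1; else n->skip = 0;` makes `skip` track `exists` instead, so an existing table would be skipped and a missing one would not. If the intent is to collapse the two branches into an unconditional re-evaluation, the bodies should be swapped (`n->skip = 0` for the exists case, `n->skip = 1` otherwise), and the commit message should say that the flush is skipped only when the table does not exist.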
Actually, this should be the opposite:
	if (exists)
		n->skip = 0;
	else
		n->skip = 1;
So we only skip the flush if the table does not exist.
Still not working though, hitting EEXIST on CHAIN_USER_ADD.