In batch_obj_del(), objects of type NFT_COMPAT_CHAIN_ADD are ignored and their attached nftnl_chain instance is not freed. This is because that chain may come from the chain cache (e.g. when zeroing counters) and is therefore freed when clearing the cache. When adding a builtin chain though, nft_chain_builtin_add() is called which creates a new nftnl_chain instance and adds it to a batch object of above type. Add this instance to the chain cache so that it is freed along with the other instances. Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft.c | 1 + 1 file changed, 1 insertion(+) diff --git a/iptables/nft.c b/iptables/nft.c index 347a4438e7bca..ce27a7cf7c573 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -625,6 +625,7 @@ static void nft_chain_builtin_add(struct nft_handle *h, return; batch_chain_add(h, NFT_COMPAT_CHAIN_ADD, c); + nftnl_chain_list_add(c, h->chain_cache); } /* find if built-in table already exists */ -- 2.18.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
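Review bot: the added `nftnl_chain_list_add(c, h->chain_cache);` makes the chain cache the sole owner of the builtin chain `c`, since batch_obj_del() deliberately does not free NFT_COMPAT_CHAIN_ADD objects; this fixes the leak but also means the batch object now holds a pointer whose lifetime is tied to the cache, so it should be confirmed (and ideally stated in the commit message) that the cache is never cleared before the batch referencing `c` has been processed, otherwise the leak turns into a use-after-free. A second point worth a line in the commit message or a comment in nft_chain_builtin_add() is the side effect on lookups: the builtin chain is now visible in the cache as soon as it is queued, before the kernel has committed it, which is a behaviour change for any code path that consults the cache between queueing and commit.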