If batch_rule_add() fails, this function leaked the rule iterator
object.
Fixes: 4c54c892443c2 ("xtables: Catch errors when zeroing rule rounters")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
iptables/nft.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 6354b7e8e72fe..dab1db59ec971 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3374,8 +3374,10 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data)
* rule based on its handle only.
*/
nftnl_rule_unset(r, NFTNL_RULE_POSITION);
- if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r))
+ if (!batch_rule_add(h, NFT_COMPAT_RULE_REPLACE, r)) {
+ nftnl_rule_iter_destroy(iter);
return -1;
+ }
}
r = nftnl_rule_iter_next(iter);
}
--
2.21.0
