We need to re-evalute based on the existing cache generation.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 iptables/nft.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index c1a079b734cf..bc3847d7ea47 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2782,10 +2782,10 @@ static void nft_refresh_transaction(struct nft_handle *h)
 			if (!tablename)
 				continue;
 			exists = nft_table_find(h, tablename);
-			if (n->skip && exists)
-				n->skip = 0;
-			else if (!n->skip && !exists)
+			if (exists)
 				n->skip = 1;
+			else
+				n->skip = 0;
 			break;
 		case NFT_COMPAT_CHAIN_USER_ADD:
 			tablename = nftnl_chain_get_str(n->chain, NFTNL_CHAIN_TABLE);
@@ -2796,13 +2796,16 @@ static void nft_refresh_transaction(struct nft_handle *h)
 			if (!chainname)
 				continue;
 
+			if (!h->noflush)
+				break;
+
 			c = nft_chain_find(h, tablename, chainname);
-			if (c && !n->skip) {
+			if (c) {
 				/* -restore -n flushes existing rules from redefined user-chain */
-				if (h->noflush)
-					__nft_rule_flush(h, tablename,
-							 chainname, false, true);
-			} else if (!c && n->skip) {
+				__nft_rule_flush(h, tablename,
+						 chainname, false, true);
+				n->skip = 1;
+			} else if (!c) {
 				n->skip = 0;
 			}
 			break;
-- 
2.11.0
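Review bot: The new `if (exists) n->skip = 1; else n->skip = 0;` in the table case just above `case NFT_COMPAT_CHAIN_USER_ADD:` is four lines for a single assignment; if `n->skip` and `exists` are both flag-like (the name `exists` suggests a bool), `n->skip = exists;` states the same thing and cannot drift apart on a later edit. The declarations of `exists` and `skip` sit outside the hunk, as does the start of the switch and of nft_refresh_transaction, so confirm the types before folding it. Since the previous toggling logic is replaced by an unconditional recompute, a one-line comment such as `/* re-evaluate against the current cache: skip the add if the table already exists */` would record why, which the commit message only hints at.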
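Review bot: `} else if (!c) {` near the end of the hunk is a redundant test — once `if (c)` has failed, `!c` is necessarily true — so it should read `} else {`; as written a reader hunts for a third state that cannot exist. The new early `if (!h->noflush) break;` also leaves `n->skip` untouched for user chains when noflush is off, whereas the removed code could still clear it in that mode; that is only correct if skip is never set for a chain outside the noflush path, which this hunk cannot show, so a comment on the break such as `/* skip is only ever set for chains under -n; nothing to re-evaluate otherwise */` would pin the assumption for the next reader. nft_refresh_transaction continues outside the hunk.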