Re: [PATCH iptables RFC 4/4] nft: don't care about previous state in RESTART

On Mon, May 20, 2019 at 04:41:15PM +0200, Pablo Neira Ayuso wrote:
> We need to re-evaluate based on the existing cache generation.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
>  iptables/nft.c | 19 +++++++++++--------
>  1 file changed, 11 insertions(+), 8 deletions(-)
> 
> diff --git a/iptables/nft.c b/iptables/nft.c
> index c1a079b734cf..bc3847d7ea47 100644
> --- a/iptables/nft.c
> +++ b/iptables/nft.c
> @@ -2782,10 +2782,10 @@ static void nft_refresh_transaction(struct nft_handle *h)
>  			if (!tablename)
>  				continue;
>  			exists = nft_table_find(h, tablename);
> -			if (n->skip && exists)
> -				n->skip = 0;
> -			else if (!n->skip && !exists)
> +			if (exists)
>  				n->skip = 1;
> +			else
> +				n->skip = 0;
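Review bot: The assignments at `if (exists) n->skip = 1; else n->skip = 0;` invert the branches they replace, which cleared skip when the table exists and set it only when it does not; as posted, the flush is skipped for every existing table and attempted for every missing one. If the intent is just to drop the dependency on the previous skip value, swap the two assignments so that only a missing table is skipped, and say so in the commit message, which currently gives no reason for the changed behaviour.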

Actually, this should be the opposite:

			if (exists)
				n->skip = 0;
			else
				n->skip = 1;

So we only skip the flush if the table does not exist.

Still not working though, hitting EEXIST on CHAIN_USER_ADD.
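As an added illustration, not code from the iptables tree or from Pablo's patch: a small C model of what the skip re-evaluation above does on a restart. The table-flush condition can be run either as posted in the hunk or with the assignments swapped as in the reply, and the batch also carries a CHAIN_USER_ADD object that, in this model, fails with EEXIST when the chain already exists in the refreshed cache. All identifiers (obj_update, table_find, chain_find, refresh_transaction, commit, restart_result), the cache contents and the kernel verdicts are hypothetical; the EEXIST mechanism is an assumption of the model, not a diagnosis of the failure reported in the thread.

```c
/* Added example, not code from iptables or from the thread: a toy model of
 * re-evaluating a pending batch after the kernel cache changed under us.
 * Every identifier below is a hypothetical stand-in. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum op_type { OP_TABLE_FLUSH, OP_CHAIN_USER_ADD };

struct obj_update {
	enum op_type type;
	const char *table;
	const char *chain;	/* OP_CHAIN_USER_ADD only */
	int skip;		/* 1: leave this object out of the batch */
};

/* Refreshed cache: one entry per (table, chain) the kernel currently has. */
struct cache_entry { const char *table; const char *chain; };
struct cache { const struct cache_entry *e; size_t n; };

static bool table_find(const struct cache *c, const char *table)
{
	for (size_t i = 0; i < c->n; i++)
		if (strcmp(c->e[i].table, table) == 0)
			return true;
	return false;
}

static bool chain_find(const struct cache *c, const char *table,
		       const char *chain)
{
	for (size_t i = 0; i < c->n; i++)
		if (strcmp(c->e[i].table, table) == 0 &&
		    strcmp(c->e[i].chain, chain) == 0)
			return true;
	return false;
}

/* Recompute skip flags from the refreshed cache alone, ignoring the old value.
 * inverted:       the condition as posted in the hunk (skip when table exists)
 * recheck_chains: also skip CHAIN_USER_ADD when the chain already exists; the
 *                 thread does not propose this, it is here only to show what
 *                 the model needs in order not to fail on that object */
static void refresh_transaction(struct obj_update *ops, size_t n,
				const struct cache *c, bool inverted,
				bool recheck_chains)
{
	for (size_t i = 0; i < n; i++) {
		bool exists;

		switch (ops[i].type) {
		case OP_TABLE_FLUSH:
			exists = table_find(c, ops[i].table);
			/* swapped form from the reply: skip only a missing table */
			ops[i].skip = inverted ? exists : !exists;
			break;
		case OP_CHAIN_USER_ADD:
			if (recheck_chains)
				ops[i].skip = chain_find(c, ops[i].table,
							 ops[i].chain);
			break;
		}
	}
}

/* Model of the kernel's verdict (assumption of this model): flushing a table
 * that is gone fails with ENOENT, adding a chain that already exists fails
 * with EEXIST. Returns 0 or -errno of the first failing object. */
static int commit(const struct obj_update *ops, size_t n, const struct cache *c)
{
	for (size_t i = 0; i < n; i++) {
		if (ops[i].skip)
			continue;
		switch (ops[i].type) {
		case OP_TABLE_FLUSH:
			if (!table_find(c, ops[i].table))
				return -ENOENT;
			break;
		case OP_CHAIN_USER_ADD:
			if (chain_find(c, ops[i].table, ops[i].chain))
				return -EEXIST;
			break;
		}
	}
	return 0;
}

/* Constructed scenario: the batch was built when "nat" existed and "filter"
 * did not; another writer then deleted "nat" and created filter/mychain, so
 * the transaction restarts against the refreshed cache below. */
int restart_result(bool inverted, bool recheck_chains)
{
	static const struct cache_entry refreshed[] = {
		{ "filter", "INPUT" }, { "filter", "mychain" },
	};
	const struct cache c = { refreshed, 2 };
	struct obj_update ops[] = {
		{ OP_TABLE_FLUSH, "filter", NULL, 1 },	/* skipped at build time */
		{ OP_TABLE_FLUSH, "nat", NULL, 0 },
		{ OP_CHAIN_USER_ADD, "filter", "mychain", 0 },
	};

	refresh_transaction(ops, 3, &c, inverted, recheck_chains);
	return commit(ops, 3, &c);
}

int main(void)
{
	printf("hunk as posted:      %d\n", restart_result(true, false));
	printf("swapped assignments: %d\n", restart_result(false, false));
	printf("also recheck chains: %d\n", restart_result(false, true));
	return 0;
}
```

With the condition as posted the model skips the flush of "filter" (which now exists) and still sends the flush of "nat" (which is gone), so the batch fails on a missing table; with the assignments swapped the flushes are right but the untouched CHAIN_USER_ADD object now targets a chain the refreshed cache already has, which is the shape of failure the reply reports. Only when the chain objects are re-evaluated as well does the modelled batch go through; whether that matches the real cause is not something the thread establishes.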


