On Mon, May 20, 2019 at 04:49:38PM +0200, Pablo Neira Ayuso wrote:
> On Mon, May 20, 2019 at 04:41:15PM +0200, Pablo Neira Ayuso wrote:
> > We need to re-evaluate based on the existing cache generation.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > ---
> >  iptables/nft.c | 19 +++++++++++--------
> >  1 file changed, 11 insertions(+), 8 deletions(-)
> >
> > diff --git a/iptables/nft.c b/iptables/nft.c
> > index c1a079b734cf..bc3847d7ea47 100644
> > --- a/iptables/nft.c
> > +++ b/iptables/nft.c
> > @@ -2782,10 +2782,10 @@ static void nft_refresh_transaction(struct nft_handle *h)
> >  			if (!tablename)
> >  				continue;
> >  			exists = nft_table_find(h, tablename);
> > -			if (n->skip && exists)
> > -				n->skip = 0;
> > -			else if (!n->skip && !exists)
> > +			if (exists)
> >  				n->skip = 1;
> > +			else
> > +				n->skip = 0;
>
> Actually, this should be the opposite:
>
> 	if (exists)
> 		n->skip = 0;
> 	else
> 		n->skip = 1;
>
> So we only skip the flush if the table does not exist.
>
> Still not working though, hitting EEXIST on CHAIN_USER_ADD.

The nfnl_unlock(subsys_id); is released after checking the generation ID
in nfnetlink. This is rendering the generation ID useless. We need a
kernel fix for this.

The per-netns mutex net->nft.commit_mutex should be handled from the
nfnetlink core.
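Review bot: the new branches in the nft_refresh_transaction hunk are inverted: `if (exists)` sets `n->skip = 1`, so the flush is skipped for tables that do exist and is still sent for tables that are missing, the opposite of the stated intent of only skipping the flush when the table does not exist. The follow-up in this same message already corrects it to `if (exists) n->skip = 0; else n->skip = 1;`, and that is what the hunk should carry. Separately, the commit message ("We need to re-evaluate based on the existing cache generation.") does not say why the previous transition-only toggle of `n->skip` was wrong; since the hunk replaces a two-condition update with an unconditional assignment, the reason belongs in the commit message.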
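The race described at the end of the message (a generation-ID check whose lock is dropped before the batch commits, so a concurrent writer can change the ruleset in between and the batch then hits EEXIST on CHAIN_USER_ADD) can be modelled in a few lines of userspace C. The block below is an added example and is not code from iptables, nftables or the kernel; `struct nft_model`, `batch_submit()`, the "interloper" writer and the choice of -ERESTART for a stale-cache rejection are assumptions made for this illustration. It is single-threaded and deterministic: the interloper is invoked at the exact point where the lock may or may not still be held.

```c
/*
 * Added example, not code from iptables, nftables or the kernel.
 * Single-threaded model of "check genid under lock, drop lock, commit".
 * All names below (nft_model, batch_submit, interloper_add_chain) are
 * assumptions for the illustration, not real kernel or iptables symbols.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifndef ERESTART
#define ERESTART 85          /* not defined on every libc; Linux value */
#endif

#define MAX_CHAINS 8
#define NAME_LEN   32

struct nft_model {
	unsigned int genid;      /* bumped on every committed change */
	int locked;              /* models net->nft.commit_mutex */
	int nchains;
	char chains[MAX_CHAINS][NAME_LEN];
};

struct batch {
	unsigned int genid;      /* generation the userspace cache was built from */
	const char *new_chain;   /* the CHAIN_USER_ADD payload */
};

static int chain_exists(const struct nft_model *m, const char *name)
{
	for (int i = 0; i < m->nchains; i++)
		if (strcmp(m->chains[i], name) == 0)
			return 1;
	return 0;
}

/* Commit one chain add; every successful commit bumps the generation. */
static int add_chain(struct nft_model *m, const char *name)
{
	if (chain_exists(m, name))
		return -EEXIST;
	if (m->nchains == MAX_CHAINS)
		return -ENOSPC;
	snprintf(m->chains[m->nchains++], NAME_LEN, "%s", name);
	m->genid++;
	return 0;
}

/* A writer from another process. If the lock is held it cannot get in;
 * that is modelled as -EBUSY rather than blocking. */
static int interloper_add_chain(struct nft_model *m, const char *name)
{
	if (m->locked)
		return -EBUSY;
	return add_chain(m, name);
}

/* Receiver side. -ERESTART: cache stale at check time, userspace must
 * refresh and resend (what the generation ID is for). Otherwise the
 * result of the commit step. hold_lock_across_commit = 0 reproduces the
 * "unlock right after the genid check" sequence from the message. */
static int batch_submit(struct nft_model *m, const struct batch *b,
			int hold_lock_across_commit,
			const char *interloper_chain)
{
	int ret;

	m->locked = 1;
	if (b->genid != m->genid) {
		m->locked = 0;
		return -ERESTART;
	}
	if (!hold_lock_across_commit)
		m->locked = 0;          /* models nfnl_unlock() after the check */

	/* A concurrent commit lands here whenever the lock is not held. */
	if (interloper_chain)
		interloper_add_chain(m, interloper_chain);

	if (!hold_lock_across_commit)
		m->locked = 1;          /* commit re-takes the lock, but the check is stale */
	ret = add_chain(m, b->new_chain);
	m->locked = 0;
	return ret;
}

/* Both sides want to add chain "FOO"; userspace built its batch at genid 1. */
static int run_scenario(int hold_lock_across_commit)
{
	struct nft_model m = { .genid = 1 };
	struct batch b = { .genid = m.genid, .new_chain = "FOO" };

	return batch_submit(&m, &b, hold_lock_across_commit, "FOO");
}

/* Generation ID doing its job: the other writer commits before the
 * batch is submitted, so the check itself rejects the stale batch. */
static int run_stale_at_check(void)
{
	struct nft_model m = { .genid = 1 };
	struct batch b = { .genid = m.genid, .new_chain = "FOO" };

	add_chain(&m, "BAR");           /* genid is now 2 */
	return batch_submit(&m, &b, 1, NULL);
}

int main(void)
{
	printf("lock dropped after genid check: %d (-EEXIST is %d)\n",
	       run_scenario(0), -EEXIST);
	printf("lock held across commit:        %d\n", run_scenario(1));
	printf("stale at check time:            %d (-ERESTART is %d)\n",
	       run_stale_at_check(), -ERESTART);
	return 0;
}
```

With the lock dropped after the check, the interloper's commit bumps the generation, but nothing re-validates the batch, so the CHAIN_USER_ADD collides and returns -EEXIST; with the lock held across the commit, the interloper is kept out and the batch succeeds. The third scenario shows the only case the check-then-unlock sequence can catch: a change that happened before the batch arrived.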