Zeroing rule counters was broken in two ways: On one hand, cache
optimizations went a little too far (actually I missed that a rule cache
is required for CMD_ZERO). On the other, rule replace logic was
insufficient with regard to the NFTA_RULE_COMPAT attribute (elaborate
details in the second patch).

Phil Sutter (2):
  nft: CMD_ZERO needs a rule cache
  nft: Fix -Z for rules with NFTA_RULE_COMPAT

 iptables/nft.c             | 41 ++++++++++++++++++++++++++++++++++++++
 iptables/xtables-restore.c |  1 +
 2 files changed, 42 insertions(+)

-- 
2.24.0