In order to zero rule counters, they have to be fetched from kernel. Fix
this for both standalone calls as well as xtables-restore --noflush.
Fixes: b5cb6e631c828 ("nft-cache: Fetch only chains in nft_chain_list_get()")
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
iptables/nft.c | 2 ++
iptables/xtables-restore.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index 3c230c121f8b9..83cf5fb703d3e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2922,6 +2922,8 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data)
return -1;
}
+ nft_build_cache(h, c);
+
iter = nftnl_rule_iter_create(c);
if (iter == NULL)
return -1;
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 282aa153b1599..2f0fe7d439d94 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -268,6 +268,7 @@ static bool cmd_needs_full_cache(char *cmd)
case 'C':
case 'S':
case 'L':
+ case 'Z':
return true;
}
--
2.24.0
