In order to zero rule counters, they have to be fetched from kernel. Fix this for both standalone calls as well as xtables-restore --noflush. Fixes: b5cb6e631c828 ("nft-cache: Fetch only chains in nft_chain_list_get()") Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation") Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft.c | 2 ++ iptables/xtables-restore.c | 1 + 2 files changed, 3 insertions(+) diff --git a/iptables/nft.c b/iptables/nft.c index 3c230c121f8b9..83cf5fb703d3e 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -2922,6 +2922,8 @@ static int __nft_chain_zero_counters(struct nftnl_chain *c, void *data) return -1; } + nft_build_cache(h, c); + iter = nftnl_rule_iter_create(c); if (iter == NULL) return -1; diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c index 282aa153b1599..2f0fe7d439d94 100644 --- a/iptables/xtables-restore.c +++ b/iptables/xtables-restore.c @@ -268,6 +268,7 @@ static bool cmd_needs_full_cache(char *cmd) case 'C': case 'S': case 'L': + case 'Z': return true; } -- 2.24.0