Most commands either don't assign to obj.rule or pass it on when creating a batch job. Check and delete commands are the exception to that. One could free the rule inside nft_rule_check() and nft_rule_delete() as well, but since only the pointer is passed to them via parameter, the pointer would remain set afterwards. So instead do that from the proper routine. At some point, structs nft_cmd and obj_update should be merged and consequently the functions called from nft_prepare() be given full control over that combined struct so they can zero pointers if data is reused or leave set to get them freed. Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft-cmd.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c index 3c0c6a34515e4..1f46dc6c369cc 100644 --- a/iptables/nft-cmd.c +++ b/iptables/nft-cmd.c @@ -57,7 +57,14 @@ void nft_cmd_free(struct nft_cmd *cmd) free((void *)cmd->rename); free((void *)cmd->jumpto); - /* cmd->obj.rule not released here. */ + switch (cmd->command) { + case NFT_COMPAT_RULE_CHECK: + case NFT_COMPAT_RULE_DELETE: + free(cmd->obj.rule); + break; + default: + break; + } list_del(&cmd->head); free(cmd); -- 2.25.1
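Review bot: the `free(cmd->obj.rule)` in the new switch releases only the outer allocation; if `obj.rule` is a libnftnl rule object (`struct nftnl_rule *`, as the field name and the rest of nft-cmd.c suggest), plain `free()` leaks the rule's expression list and attribute strings, so the release should be `nftnl_rule_free(cmd->obj.rule)`. Since a delete by rule number can leave `obj.rule` unset, guard it, e.g. `if (cmd->obj.rule) nftnl_rule_free(cmd->obj.rule);`, because unlike `free()` the libnftnl destructor does not accept NULL. The commit message also states that check and delete never hand `obj.rule` on to a batch job; a one-line comment above the switch recording that invariant would help the next person who adds a command case and has to decide whether it belongs in this list.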