Re: [PATCH iptables] nft-bridge: pass context structure to ops->add() to improve anonymous set support

On Thu, Jul 13, 2023 at 01:07:36PM +0200, Phil Sutter wrote:
> On Wed, Jul 12, 2023 at 07:13:50PM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Jul 12, 2023 at 11:59:12AM +0200, Pablo Neira Ayuso wrote:
> > > diff --git a/iptables/nft.c b/iptables/nft.c
> > > index 1cb104e75ccc..59e3fa7079c4 100644
> > > --- a/iptables/nft.c
> > > +++ b/iptables/nft.c
> > [...]
> > > @@ -2878,6 +2888,9 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
> > >  {
> > >  	struct iptables_command_state cs = {};
> > >  	struct nftnl_rule *r, *new_rule;
> > > +	struct nft_rule_ctx ctx = {
> > > +		.command = NFT_COMPAT_RULE_ZERO,
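
Review bot: the command recorded in ctx here is NFT_COMPAT_RULE_ZERO, but nft_rule_zero_counters() only re-adds the rule after deleting it, so the re-add reaches ops->add() as an ordinary append; initialise `.command = NFT_COMPAT_RULE_APPEND,` instead so that an add() implementation that consults ctx->command (for example when it emits a native expression or an anonymous set) handles the zeroed rule exactly like an appended one. The quoted hunk also stops after the first initialiser, so the remainder of the ctx initialisation is not visible for review here.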
> > 
> > BTW. I changed this to:
> > 
> >                 .command = NFT_COMPAT_RULE_APPEND,
> > 
> > before pushing it out, for the record.
> 
> Hmm. :)
> 
> I'm curious how to trigger the problem. Could you please provide a
> test-case?

I suspect a problem might occur if the rule that is zeroed generates a
native expression.

nft_rule_zero_counters() calls _append() in practice, to re-add the
rule after deleting it to zero the counters.
