On Wed, Jul 17, 2024 at 12:43:53PM +0200, Phil Sutter wrote:
> Trying to zero a specific rule in an entirely empty ruleset caused an
> error:
>
> | # nft flush ruleset
> | # iptables-nft -Z INPUT
> | iptables v1.8.10 (nf_tables): CHAIN_ZERO failed (No such file or directory): chain INPUT
>
> To fix this, start by faking any non-existing builtin chains so verbose
> mode prints all the would-be-flushed chains. Later set 'skip' flag if
> given chain is a fake one (indicated by missing HANDLE attribute).
> Finally cover for concurrent ruleset updates by checking whether the
> chain exists.
>
> This bug seems to exist for a long time already, Fixes tag identified
> via git-bisect. This patch won't apply to such old trees though, but
> calling nft_xt_builtin_init() from nft_chain_zero_counters() should work
> there.
>
> Fixes: a6ce0c65d3a39 ("xtables: Optimize nft_chain_zero_counters()")
> Signed-off-by: Phil Sutter <phil@xxxxxx>

Patch applied.