[iptables PATCH 02/14] nft: Fix for zeroing existent builtin chains

The previous attempt at a fix for non-existent chains actually broke
functionality by adding a check for NFTNL_CHAIN_HANDLE right after
unsetting the attribute.

The approach was flawed for another reason, too: Base chains added in
the same batch (cf. iptables-restore) have no handle either but zeroing
them may still be sensible.

Instead, make use of the new fake chain annotation which identifies
fakes more reliably.

Fixes: f462975fb8049 ("nft: Fix for zeroing non-existent builtin chains")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index fde3db2a22b79..243b794f3d826 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3853,7 +3853,7 @@ static int __nft_chain_zero_counters(struct nft_chain *nc, void *data)
 		if (!o)
 			return -1;
 		/* may skip if it is a fake entry */
-		o->skip = !nftnl_chain_is_set(c, NFTNL_CHAIN_HANDLE);
+		o->skip = nc->fake;
 	}
 
 	iter = nftnl_rule_iter_create(c);
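Review bot: the hunk makes `o->skip` depend entirely on `nc->fake`, so correctness now rests on every path that allocates a `struct nft_chain` setting that field (chains built from the kernel dump as well as chains queued in the same batch); if any allocation path leaves it uninitialized, zeroing would be skipped or applied at random, so please confirm in the commit message which commit introduced the `fake` annotation and that the field is initialized on all paths. On the positive side, the replaced line in this hunk still reads `c` (the nftnl chain) for the handle check while the rest of the loop uses `nc`, so dropping the `nftnl_chain_is_set(c, NFTNL_CHAIN_HANDLE)` test also removes the behaviour the message describes, where batch-added base chains without a handle were wrongly skipped; the existing comment `/* may skip if it is a fake entry */` now matches the code exactly.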
-- 
2.43.0