nftables/backport-libnftables-Drop-cache-in-c-check-mode.patch

From 458e91a954abe4b7fb4ba70901c7da28220c446a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 31 Jul 2023 12:29:55 +0200
Subject: [PATCH] libnftables: Drop cache in -c/--check mode

Extend e0aace943412 ("libnftables: Drop cache in error case") to also
drop the cache with -c/--check, this is a dry run mode and kernel does
not get any update.

This fixes a bug with -o/--optimize, which first runs in an implicit
-c/--check mode to validate that the ruleset is correct, then it
provides the proposed optimization. In this case, if the cache is not
emptied, old objects in the cache refer to scanner data that was
already released, which triggers BUG like this:

 BUG: invalid input descriptor type 151665524
 nft: erec.c:161: erec_print: Assertion `0' failed.
 Aborted

This bug was triggered in a ruleset that contains a set for geoip
filtering. This patch also extends tests/shell to cover this case.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/libnftables.c                                     |  11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index 6fc4f7db..e214abb6 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -543,8 +543,10 @@ err:
 	    nft_output_json(&nft->output) &&
 	    nft_output_echo(&nft->output))
 		json_print_echo(nft);
-	if (rc)
+
+	if (rc || nft->check)
 		nft_cache_release(&nft->cache);
+
 	return rc;
 }
 
@@ -650,8 +652,11 @@ err:
 	    nft_output_json(&nft->output) &&
 	    nft_output_echo(&nft->output))
 		json_print_echo(nft);
-	if (rc)
+
+	if (rc || nft->check)
 		nft_cache_release(&nft->cache);
-       scope_release(nft->state->scopes[0]);
+
+	scope_release(nft->state->scopes[0]);
+
 	return rc;
 }
-- 
2.33.0