iptables-nft: fix basechain policy configuration

Previous to this patch, the basechain policy could not be properly configured if it wasn't explictly set when loading the ruleset, leading to iptables-nft-restore (and ip6tables-nft-restore) trying to send an invalid ruleset to the kernel. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2020-10-02 13:44:36 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-10-08 19:24:12 +0200
commit: 0bd7a8eaf3582159490ab355b1217a4e42ed021f (patch)
tree: b576f86f1f2fb87d01230e6f4ab52dc909adf608 /iptables/nft.c
parent: e98b825a037807bf6c918eb66ee9682cc4c46183 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 3958bba2..ccbbccb5 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -679,7 +679,9 @@ nft_chain_builtin_alloc(const struct builtin_table *table,
 	nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain->name);
 	nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, chain->hook);
 	nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, chain->prio);
-	nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
+	if (policy >= 0)
+		nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
+
 	nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type);
 
 	return c;
@@ -911,6 +913,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
 		c = nft_chain_new(h, table, chain, NF_DROP, counters);
 	else if (strcmp(policy, "ACCEPT") == 0)
 		c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
+	else if (strcmp(policy, "-") == 0)
+		c = nft_chain_new(h, table, chain, -1, counters);
 	else
 		errno = EINVAL;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2020-10-02 13:44:36 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2020-10-08 19:24:12 +0200
commit	0bd7a8eaf3582159490ab355b1217a4e42ed021f (patch)
tree	b576f86f1f2fb87d01230e6f4ab52dc909adf608 /iptables/nft.c
parent	e98b825a037807bf6c918eb66ee9682cc4c46183 (diff)