path: root/iptables/tests/shell/testcases/ebtables
diff options
authorPhil Sutter <>2021-09-14 12:15:29 +0200
committerPhil Sutter <>2021-09-27 13:29:53 +0200
commit45d8f7690eb449fb8cc8191025d93f73cfc7f498 (patch)
treee0780f5f7e220c465537e62f85459126950f0422 /iptables/tests/shell/testcases/ebtables
parente865a853d7afcff4b2d4279ef843cd13fa6defa1 (diff)
nft: Delete builtin chains compatibly
Attempting to delete all chains if --delete-chain is called without argument has unwanted side-effects especially legacy iptables users are not aware of and won't expect: * Non-default policies are ignored, a previously dropping firewall may start accepting traffic. * The kernel refuses to remove non-empty chains, causing program abort even if no user-defined chain exists. Fix this by requiring a rule cache in that situation and make builtin chain deletion depend on its policy and number of rules. Since this may change concurrently, check again when having to refresh the transaction. Also, hide builtin chains from verbose output - their creation is implicit, so treat their removal as implicit, too. When deleting a specific chain, do not allow to skip the job though. Otherwise deleting a builtin chain which is still in use will succeed although not executed. Fixes: 61e85e3192dea ("iptables-nft: allow removal of empty builtin chains") Signed-off-by: Phil Sutter <>
Diffstat (limited to 'iptables/tests/shell/testcases/ebtables')
0 files changed, 0 insertions, 0 deletions