authorPablo Neira Ayuso <pablo@netfilter.org>2018-05-07 15:32:33 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-05-07 17:40:12 +0200
commitdf3d92bec600720b2fb50470212ed7cd1ef00c36 (patch)
tree4c354c4ed764231a01c2bb2da450c59253fc247b /iptables/xtables-restore.c
parentca165845f7ec63522dbfc5ffd50589845f352d7b (diff)
xtables-compat-restore: flush user-defined chains with -n
-n still flushes user-defined chains and its content, the following snippet: iptables-compat -N FOO iptables-compat -I INPUT iptables-compat -I FOO iptables-compat -I FOO iptables-compat-save > A iptables-compat-restore < A iptables-compat -N BAR iptables-compat -A BAR iptables-compat-restore -n < A results in: iptables-compat-save # Generated by xtables-save v1.6.2 on Mon May 7 17:18:44 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :BAR - [0:0] :FOO - [0:0] -A INPUT -A INPUT -A BAR -A FOO -A FOO COMMIT # Completed on Mon May 7 17:18:44 2018 Still, user-defined chains that are not re-defined, such as BAR, are left in place. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables-restore.c')
-rw-r--r--iptables/xtables-restore.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 6e7652ff..ac753c43 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -196,6 +196,7 @@ struct nft_xt_restore_cb restore_cb = {
.commit = nft_commit,
.abort = nft_abort,
.table_flush = nft_table_flush,
+ .chain_user_flush = nft_chain_user_flush,
.chain_del = chain_delete,
.do_command = do_commandx,
.chain_set = nft_chain_set,
@@ -294,8 +295,19 @@ void xtables_restore_parse(struct nft_handle *h,
exit(1);
}
- if (cb->chain_del)
- cb->chain_del(chain_list, curtable, chain);
+ if (noflush == 0) {
+ if (cb->chain_del)
+ cb->chain_del(chain_list, curtable,
+ chain);
+ } else {
+ /* Apparently -n still flushes existing user
+ * defined chains that are redefined. Otherwise,
+ * leave them as is.
+ */
+ if (cb->chain_user_flush)
+ cb->chain_user_flush(h, chain_list,
+ curtable, chain);
+ }
if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
xtables_error(PARAMETER_PROBLEM,
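Review bot: The `strlen(chain) >= XT_EXTENSION_MAXNAMELEN` check runs only after the new `if (noflush == 0) { ... } else { ... }` block, so a chain name read from the restore input reaches `cb->chain_del` or the newly added `cb->chain_user_flush` before its length is validated. Moving that check above the `if (noflush == 0)` line would keep an over-long name away from both callbacks; what they do with the name is not visible in this hunk, so the impact is presumed, not demonstrated. The result of `cb->chain_user_flush(h, chain_list, curtable, chain)` is also discarded, so if the callback can fail, a restore with -n would carry on and could leave the chain's old rules in place next to the restored ones. xtables_restore_parse starts and ends outside the hunk.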