From 7345037e08a385e078350de1006f5ee2299cd2ef Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 6 Sep 2018 19:33:20 +0200 Subject: xtables-restore: Fix flushing referenced custom chains The logic to replicate 'iptables-restore --noflush' behaviour of flushing custom chains if listed in the dump was broken for chains being referenced. A minimal dump reproducing the issue is: | *filter | :foobar - [0:0] | -I INPUT -j foobar | -A foobar -j ACCEPT | COMMIT With --noflush, this can be restored just once in iptables-nft-restore. Consecutive attempts return an error since xtables tries to delete the referenced chain and recreate it instead of performing a real flush. Fix this by really flushing the custom chain in 'chain_user_flush' callback and running 'chain_user_add' callback only if the chain doesn't exist already. Fixes: df3d92bec6007 ("xtables-compat-restore: flush user-defined chains with -n") Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal --- iptables/nft.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) (limited to 'iptables/nft.c') diff --git a/iptables/nft.c b/iptables/nft.c index 7123060b..77ad38be 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1491,7 +1491,6 @@ static int __nft_chain_user_flush(struct nftnl_chain *c, void *data) struct nft_handle *h = d->handle; const char *table = d->table; const char *chain = d->chain; - int ret; if (strcmp(table, table_name) != 0) return 0; @@ -1499,13 +1498,8 @@ static int __nft_chain_user_flush(struct nftnl_chain *c, void *data) if (strcmp(chain, chain_name) != 0) return 0; - if (!nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM)) { - ret = batch_chain_add(h, NFT_COMPAT_CHAIN_USER_FLUSH, c); - if (ret < 0) - return ret; - - nftnl_chain_list_del(c); - } + if (!nftnl_chain_is_set(c, NFTNL_CHAIN_HOOKNUM)) + __nft_rule_flush(h, table, chain); return 0; } -- cgit v1.2.3