From f9b33967f2b4b58160c0a970da77d5e44406803a Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Tue, 21 Sep 2021 16:42:36 +0200 Subject: nft: Check base-chain compatibility when adding to cache With introduction of dedicated base-chain slots, a selection process was established as no longer all base-chains ended in the same chain list for later searching/checking but only the first one found for each hook matching criteria is kept and the rest discarded. A side-effect of the above is that table compatibility checking started to omit consecutive base-chains, making iptables-nft less restrictive as long as the expected base-chains were returned first from kernel when populating the cache. Make behaviour consistent and warn users about the possibly disturbing chains found by: * Run all base-chain checks from nft_is_chain_compatible() before allowing a base-chain to occupy its slot. * If an unfit base-chain was found (and discarded), flag the table's cache as tainted and warn about it if the remaining ruleset is otherwise compatible. Since base-chains that remain in cache would pass nft_is_chain_compatible() checking, remove that and reduce it to rule inspection. Signed-off-by: Phil Sutter --- iptables/tests/shell/testcases/chain/0004extra-base_0 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'iptables/tests') diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0 index 1b85b060..cc07e4be 100755 --- a/iptables/tests/shell/testcases/chain/0004extra-base_0 +++ b/iptables/tests/shell/testcases/chain/0004extra-base_0 @@ -13,6 +13,10 @@ set -e nft -f - <
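Review bot: the only hunk visible here, `@@ -13,6 +13,10 @@`, is cut off right after the `nft -f - <` heredoc opener, so the added ruleset lines (presumably the extra base-chain the test name refers to) cannot be reviewed on this page; its header accounts for a net +4 lines, while the diffstat reports 11 insertions and 1 deletion for the file, so at least one further hunk is missing from what is shown. On the substance the commit message describes, an unfit base-chain is now discarded and the table's cache flagged tainted with a warning when the rest of the ruleset is compatible; the test should therefore check for that warning text on the iptables-nft output rather than relying on exit status alone, otherwise a regression that silently drops the chain without warning would still pass.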