From 0aad20f3979e3b6becd40e4ed5bba8d09d90706e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sun, 20 Jan 2013 22:32:43 +0100
Subject: xtables: purge out user-define chains from the kernel
xtables-restore has to purge out user-defined chains that are not defined in the configuration file.
Signed-off-by: Pablo Neira Ayuso
---
 iptables/xtables-restore.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
(limited to 'iptables/xtables-restore.c')
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index f6009776..9778a9f7 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -16,6 +16,7 @@
 #include "libiptc/libiptc.h"
 #include "xtables-multi.h"
 #include "nft.h"
+#include
 #ifdef DEBUG
 #define DEBUGP(x, args...) fprintf(stderr, x, ## args)
@@ -171,6 +172,8 @@ xtables_restore_main(int argc, char *argv[])
 int in_table = 0, testing = 0;
 const char *tablename = NULL;
 const struct xtc_ops *ops = &iptc_ops;
+ struct nft_chain_list *chain_list;
+ struct nft_chain *chain_obj;
 line = 0;
@@ -233,6 +236,10 @@ xtables_restore_main(int argc, char *argv[])
 }
 else in = stdin;
+ chain_list = nft_chain_dump(&h);
+ if (chain_list == NULL)
+ xtables_error(OTHER_PROBLEM, "cannot retrieve chain list\n");
+
 /* Grab standard input. */
 while (fgets(buffer, sizeof(buffer), in)) {
 int ret = 0;
@@ -259,6 +266,10 @@ xtables_restore_main(int argc, char *argv[])
 ret = 1;
 }
 in_table = 0;
+
+ /* Purge out unused chains in this table */
+ nft_table_purge_chains(&h, curtable, chain_list);
+
 } else if ((buffer[0] == '*') && (!in_table)) {
 /* New table */
 char *table;
@@ -282,10 +293,6 @@ xtables_restore_main(int argc, char *argv[])
 DEBUGP("Cleaning all chains of table '%s'\n", table);
 nft_rule_flush(&h, NULL, table);
-
- DEBUGP("Deleting all user-defined chains " "of table '%s'\n", table);
- nft_chain_user_del(&h, NULL, table);
 }
 ret = 1;
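Review bot: `chain_list`, obtained from `nft_chain_dump(&h)` just before the read loop, is never released in any hunk of this patch, and the loop's `exit(1)` paths and the end of `xtables_restore_main` lie outside this hunk. If the dump hands ownership of the list to the caller, as the later `nft_chain_list_del(chain_obj)` in the last hunk suggests, the list and whatever entries remain in it after purging should be freed once the input has been consumed. A short comment on the dump, `/* snapshot of kernel chains; entries are removed as the input names them, the rest are purged at COMMIT */`, would also make the ownership and the later purge step easier to follow.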
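Review bot: `nft_table_purge_chains(&h, curtable, chain_list)` is reached on every COMMIT, right after `in_table = 0;`, with no check of the conditions that gated the deletion it replaces: the `nft_chain_user_del` call removed in the next hunk lived in the table-cleaning block next to `nft_rule_flush`. If that block is skipped for a restore that keeps existing rules, chains absent from the file would now be deleted anyway, and the `testing` flag declared in the second hunk, whose branch ends with the `ret = 1;` just above, would presumably also be expected to leave the kernel untouched. Guard the call with the same conditions as the cleaning block, e.g. `if (!testing && FLUSH_REQUESTED /* placeholder: the condition guarding the cleaning block */) nft_table_purge_chains(&h, curtable, chain_list);`, and if the purge reports failure, its result should not be discarded as it is here. The COMMIT branch and the enclosing function extend outside the hunk.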
@@ -305,6 +312,14 @@ xtables_restore_main(int argc, char *argv[])
 exit(1);
 }
+ chain_obj = nft_chain_list_find(&h, chain_list, curtable, chain);
+ /* This chain has been found, delete from list. Later
+ * on, unvisited chains will be purged out.
+ */
+ if (chain_obj != NULL)
+ nft_chain_list_del(chain_obj);
+
 if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 xtables_error(PARAMETER_PROBLEM,
 "Invalid chain name `%s' "
--
cgit v1.2.3
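Review bot: The lookup `nft_chain_list_find(&h, chain_list, curtable, chain)` and the `nft_chain_list_del(chain_obj)` that follows run before the chain name is validated by the `strlen(chain) >= XT_EXTENSION_MAXNAMELEN` check in the context lines below, so an over-long name from the input is matched against the kernel snapshot before it is rejected. Moving the added lines below that validation keeps input rejection ahead of any use of the name and changes nothing else. The comment could also say what a NULL result means, e.g. `/* NULL: not in the kernel snapshot, nothing to take off the purge list */`, which a reader cannot tell from the lookup alone. The chain-line handling continues outside the hunk.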