diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-14 21:41:23 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-02-18 15:51:29 +0100 |
commit | 454ffab9cc695b9618324a6a0a4dead6d5289f8d (patch) | |
tree | cc4dbb9dcfe4e614bc40b318917615b44b46f2f4 /src | |
parent | e356b4dcd1c5d1eb77d21daa0fb315a9e495ec7b (diff) |
rule: fix object order via nft -f
The objects need to be loaded in the following order:
#1 tables
#2 chains
#3 sets
#4 rules
We have to make sure that chains are in place by when we add rules with
jumps/gotos. Similarly, we have to make sure that the sets are in place
by when rules reference them.
Without this patch, you may hit ENOENT errors depending on your ruleset
configuration.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/rule.c | 9 |
1 files changed, 7 insertions, 2 deletions
@@ -658,14 +658,19 @@ static int do_add_table(struct netlink_ctx *ctx, const struct handle *h, if (netlink_add_table(ctx, h, loc, table, excl) < 0) return -1; if (table != NULL) { + list_for_each_entry(chain, &table->chains, list) { + if (netlink_add_chain(ctx, &chain->handle, + &chain->location, chain, + excl) < 0) + return -1; + } list_for_each_entry(set, &table->sets, list) { handle_merge(&set->handle, &table->handle); if (do_add_set(ctx, &set->handle, set) < 0) return -1; } list_for_each_entry(chain, &table->chains, list) { - if (do_add_chain(ctx, &chain->handle, &chain->location, - chain, excl) < 0) + if (netlink_add_rule_list(ctx, h, &chain->rules) < 0) return -1; } } |