authorPablo Neira Ayuso <pablo@netfilter.org>2017-10-11 00:19:27 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2017-10-11 00:19:27 +0200
commitde3c68b626cce37b3b2a41e06af9f7242b25f2a8 (patch)
treef1f70551fb86bd79f5e73524c0dad98acf3700c9
parentf4b80ce7bae8f9d10c401fdd743b73795ff1d679 (diff)
iptables-compat: do not allow to delete populated user define chains
If a user-defined chain contains rules, it needs to be flushed first to retain iptables semantics. Use NLM_F_NONREC to request non-recursive chain deletion. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--iptables/nft.c10
1 files changed, 8 insertions, 2 deletions
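--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1455,13 +1455,18 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
 return ret == 0 ? 1 : 0;
 }
+/* From linux/netlink.h */
+#ifndef NLM_F_NONREC
+#define NLM_F_NONREC 0x100 /* Do not delete recursively */
+#endif
+
 static int __nft_chain_del(struct nft_handle *h, struct nftnl_chain *c)
 {
 char buf[MNL_SOCKET_BUFFER_SIZE];
 struct nlmsghdr *nlh;
 nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_DELCHAIN, h->family,
-NLM_F_ACK, h->seq);
+NLM_F_NONREC | NLM_F_ACK, h->seq);
 nftnl_chain_nlmsg_build_payload(nlh, c);
 return mnl_talk(h, nlh, NULL, NULL);
@@ -2349,7 +2354,8 @@ static int nft_action(struct nft_handle *h, int action)
 break;
 case NFT_COMPAT_CHAIN_USER_DEL:
 nft_compat_chain_batch_add(h, NFT_MSG_DELCHAIN,
-0, seq++, n->chain);
+NLM_F_NONREC, seq++,
+n->chain);
 break;
 case NFT_COMPAT_CHAIN_UPDATE:
 nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,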
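Review bot: The `#ifndef NLM_F_NONREC` fallback at the top of the first hunk lets the file build against an older `linux/netlink.h`, but nothing records what happens when the running kernel does not know the flag; as far as I know nf_tables ignores unrecognised nlmsg_flags bits, so on such a kernel the delete in `__nft_chain_del` and in the `NFT_COMPAT_CHAIN_USER_DEL` batch case of the second hunk would presumably still remove a populated chain recursively. I would extend the fallback comment to `/* From linux/netlink.h; kernels that predate NLM_F_NONREC ignore the flag and still delete recursively */` so the safety property this commit relies on is documented as kernel-dependent rather than guaranteed by the build. When the kernel does honour the flag, its refusal to delete a populated chain comes back as an error from `mnl_talk()` (and from the batch commit in the second hunk); neither hunk shows how that error is translated into the iptables "chain is not empty" diagnostic, and the body of `__nft_chain_del` continues past the first hunk, so that mapping should be confirmed in the caller. Placing the fallback define with the other compatibility definitions near the includes rather than mid-file would also make it easier to find, since both call sites depend on it.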