author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-23 12:42:11 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-10-24 12:18:30 +0200 |
commit | b06fcdb858deefe35baaaf2f2f912616fb38644b (patch) | |
tree | 4e2e07d267894b56840c16e74991826c610e37ab /iptables/nft.c | |
parent | 2dde9356888733a98867a4e769609f9f59a3bf65 (diff) |
iptables-compat: fix chain policy reset with iptables -L -n
Initialize built-in tables/chains if they don't exist, otherwise
simply skip.
This avoids the chain policy being reset to NF_ACCEPT when you call
iptables -L -n.
Reported-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Ana Rey <anarey@gmail.com>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index ca199cd2..b68b2754 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -620,11 +620,17 @@ __nft_chain_builtin_init(struct nft_handle *h,
 int policy)
 {
 int i, default_policy;
+ struct nft_chain_list *list = nft_chain_dump(h);
+ struct nft_chain *c;
- /* Initialize all built-in chains. Exception, for e one received as
- * parameter, set the default policy as requested.
- */
+ /* Initialize built-in chains if they don't exist yet */
 for (i=0; i<NF_IP_NUMHOOKS && table->chains[i].name != NULL; i++) {
+
+ c = nft_chain_list_find(list, table->name,
+ table->chains[i].name);
+ if (c != NULL)
+ continue;
+
 if (chain && strcmp(table->chains[i].name, chain) == 0)
 default_policy = policy;
 else
@@ -633,6 +639,8 @@ __nft_chain_builtin_init(struct nft_handle *h,
 nft_chain_builtin_add(h, table, &table->chains[i],
 default_policy);
 }
+
+ nft_chain_list_free(list);
 }
 int |
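Review bot: `list` returned by `nft_chain_dump(h)` is handed to `nft_chain_list_find()` in the first hunk and to `nft_chain_list_free()` in the second without a NULL check; if `nft_chain_dump()` can fail and return NULL (its error paths are not visible here, so this is inferred), the first lookup dereferences it. A guard right after the dump, `if (list == NULL) return;` (adjusted if the function does not return void — its return type and the `table`/`chain` parameters sit on signature lines outside the hunk), would keep the loop from running against an unavailable chain list. Separately, because an already-existing chain now hits `continue`, the `policy` argument only takes effect for a chain created in this call; the replacement comment could state that, e.g. `/* Create missing built-in chains; 'policy' only applies to the chain created here that matches 'chain'. */`.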