author | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-05-04 11:25:00 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-05-05 10:05:44 +0200 |
commit | 09f0d47b213de944303a320a70bf57e143bfed62 (patch) | |
tree | ef510269f7c362031464ca8779f5cd94e0a9a9d0 /iptables/nft.c | |
parent | 8798eb8f48434b1a764788c8a0c133a983bc39e6 (diff) |
iptables-compat: do not fail on restore if user chain exists
The following snippet fails if user chain FOO exists, but it should not fail:
iptables-compat -F
iptables-compat -N FOO
iptables-compat-save > foo
iptables-compat-restore < foo
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index bff73e76..271269f9 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -262,6 +262,7 @@ enum obj_update_type {
 	NFT_COMPAT_RULE_REPLACE,
 	NFT_COMPAT_RULE_DELETE,
 	NFT_COMPAT_RULE_FLUSH,
+	NFT_COMPAT_TABLE_FLUSH,
 };
 
 enum obj_action {
@@ -1289,6 +1290,27 @@ next:
 	return 1;
 }
 
+int nft_table_flush(struct nft_handle *h, const char *table)
+{
+	struct nftnl_table *r;
+	int ret = 0;
+
+	nft_fn = nft_table_flush;
+
+	r = nftnl_table_alloc();
+	if (r == NULL) {
+		ret = -1;
+		goto err;
+	}
+
+	nftnl_table_set_str(r, NFTNL_TABLE_NAME, table);
+
+	batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r);
+err:
+	/* the core expects 1 for success and 0 for error */
+	return ret == 0 ? 1 : 0;
+}
+
 static void __nft_rule_flush(struct nft_handle *h, const char *table,
 			     const char *chain)
 {
@@ -2300,6 +2322,11 @@ static int nft_action(struct nft_handle *h, int action)
 			nft_compat_rule_batch_add(h, NFT_MSG_DELRULE, 0, seq++, n->rule);
 			break;
+		case NFT_COMPAT_TABLE_FLUSH:
+			nft_compat_table_batch_add(h, NFT_MSG_DELTABLE,
+						   0,
+						   seq++, n->table);
+			break;
 		}
 		h->obj_list_num--; |
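Review bot: In the new nft_table_flush the return value of `batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r)` is discarded, so if queuing the batch entry fails the function still reports success to the core and the freshly allocated `r` is never released, even though the `nftnl_table_alloc()` failure just above is handled. batch_table_add's contract is outside the hunk; if it signals failure with a negative return like the rest of this function's error path, `if (batch_table_add(h, NFT_COMPAT_TABLE_FLUSH, r) < 0) { nftnl_table_free(r); ret = -1; }` keeps error reporting and ownership of `r` consistent, and the same check applies to the ignored `nftnl_table_set_str` result. The `ret`/`goto err` plumbing leads to a label with no cleanup behind it, so returning `0` or `1` directly at each exit would be simpler and would let the `/* the core expects 1 for success and 0 for error */` comment sit on the single success return it describes.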