From de3c68b626cce37b3b2a41e06af9f7242b25f2a8 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 11 Oct 2017 00:19:27 +0200
Subject: iptables-compat: do not allow to delete populated user define chains

If user chain contains rules, flush needs to happen first to retain iptables semantics. Use NLM_F_NONREC to request non-recursive chain deletion.

Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 76e45466..91381419 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1455,13 +1455,18 @@ int nft_chain_user_add(struct nft_handle *h, const char *chain, const char *tabl
 return ret == 0 ? 1 : 0;
 }
 
+/* From linux/netlink.h */
+#ifndef NLM_F_NONREC
+#define NLM_F_NONREC 0x100 /* Do not delete recursively */
+#endif
+
 static int __nft_chain_del(struct nft_handle *h, struct nftnl_chain *c)
 {
 char buf[MNL_SOCKET_BUFFER_SIZE];
 struct nlmsghdr *nlh;
 
 nlh = nftnl_chain_nlmsg_build_hdr(buf, NFT_MSG_DELCHAIN, h->family,
- NLM_F_ACK, h->seq);
+ NLM_F_NONREC | NLM_F_ACK, h->seq);
 nftnl_chain_nlmsg_build_payload(nlh, c);
 
 return mnl_talk(h, nlh, NULL, NULL);
@@ -2349,7 +2354,8 @@ static int nft_action(struct nft_handle *h, int action)
 break;
 case NFT_COMPAT_CHAIN_USER_DEL:
 nft_compat_chain_batch_add(h, NFT_MSG_DELCHAIN,
- 0, seq++, n->chain);
+ NLM_F_NONREC, seq++,
+ n->chain);
 break;
 case NFT_COMPAT_CHAIN_UPDATE:
 nft_compat_chain_batch_add(h, NFT_MSG_NEWCHAIN,
-- 
cgit v1.2.3
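Review bot: The NLM_F_NONREC fallback define in the first hunk of iptables/nft.c only makes the flag compile on older headers; a kernel that predates the flag will ignore it and still delete the chain together with its rules, so the "flush first" semantics the commit message promises are not guaranteed and there is no detection of that case. At minimum the fallback deserves a comment stating this, e.g. `/* Kernels without NLM_F_NONREC support silently ignore the flag and delete the chain recursively. */`, and the same applies to the NFT_COMPAT_CHAIN_USER_DEL case in the second hunk. The error the kernel returns for a populated chain surfaces only as the return value of mnl_talk() in __nft_chain_del() (and via the batch commit path), and this hunk does not show a caller mapping it to the usual iptables "chain is not empty" diagnostic; worth confirming that the user does not just see a bare errno. Stylistically, a compatibility #define sitting between two function definitions is easy to miss; it belongs with the other linux/netlink.h fallbacks near the top of the file or in a header. nft_action() starts and ends outside the hunk.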