From 61e85e3192deaff3b9dd1eb9270863acc7a26311 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Sat, 14 Aug 2021 19:46:43 +0200 Subject: iptables-nft: allow removal of empty builtin chains The only reason why this is prohibited is that you cannot do it in iptables-legacy. This removes the artifical limitation. "iptables-nft -X" will leave the builtin chains alone; Also, deletion is only permitted if the chain is empty. Signed-off-by: Florian Westphal --- iptables/nft-cmd.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'iptables/nft-cmd.c') diff --git a/iptables/nft-cmd.c b/iptables/nft-cmd.c index 87e66905..35b39268 100644 --- a/iptables/nft-cmd.c +++ b/iptables/nft-cmd.c @@ -205,12 +205,12 @@ int nft_cmd_chain_user_add(struct nft_handle *h, const char *chain, return 1; } -int nft_cmd_chain_user_del(struct nft_handle *h, const char *chain, - const char *table, bool verbose) +int nft_cmd_chain_del(struct nft_handle *h, const char *chain, + const char *table, bool verbose) { struct nft_cmd *cmd; - cmd = nft_cmd_new(h, NFT_COMPAT_CHAIN_USER_DEL, table, chain, NULL, -1, + cmd = nft_cmd_new(h, NFT_COMPAT_CHAIN_DEL, table, chain, NULL, -1, verbose); if (!cmd) return 0; @@ -317,7 +317,7 @@ int nft_cmd_table_flush(struct nft_handle *h, const char *table, bool verbose) if (verbose) { return nft_cmd_rule_flush(h, NULL, table, verbose) && - nft_cmd_chain_user_del(h, NULL, table, verbose); + nft_cmd_chain_del(h, NULL, table, verbose); } cmd = nft_cmd_new(h, NFT_COMPAT_TABLE_FLUSH, table, NULL, NULL, -1, -- cgit v1.2.3