From df3d92bec600720b2fb50470212ed7cd1ef00c36 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 7 May 2018 15:32:33 +0200
Subject: xtables-compat-restore: flush user-defined chains with -n

-n still flushes user-defined chains and its content, the following snippet:

iptables-compat -N FOO
iptables-compat -I INPUT
iptables-compat -I FOO
iptables-compat -I FOO
iptables-compat-save > A
iptables-compat-restore < A
iptables-compat -N BAR
iptables-compat -A BAR
iptables-compat-restore -n < A

results in:

iptables-compat-save
# Generated by xtables-save v1.6.2 on Mon May 7 17:18:44 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BAR - [0:0]
:FOO - [0:0]
-A INPUT
-A INPUT
-A BAR
-A FOO
-A FOO
COMMIT
# Completed on Mon May 7 17:18:44 2018

Still, user-defined chains that are not re-defined, such as BAR, are left in place.

Reported-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-shared.h | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'iptables/nft-shared.h')

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 56b270e5..34027af9 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -248,6 +248,9 @@ struct nft_xt_restore_cb {
 	struct nftnl_chain_list *(*chain_list)(struct nft_handle *h);
 	void (*chain_del)(struct nftnl_chain_list *clist, const char *curtable, const char *chain);
+	int (*chain_user_flush)(struct nft_handle *h,
+	struct nftnl_chain_list *clist,
+	const char *table, const char *chain);
 	int (*chain_set)(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters);
-- 
cgit v1.2.3
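Review bot: The new `chain_user_flush` member is declared without any comment, and because it returns `int` while `chain_del` just above it returns `void`, neither an implementer nor the restore caller can tell from this header what a non-zero result means; a comment above the member such as `/* Flush the rules of user-defined chain @chain in @table (used by -n restore); non-zero return reports failure. */` would close that gap, with the failure convention confirmed against the implementation, which is outside this diff (limited to nft-shared.h). The table parameter is named `table` here but `curtable` in `chain_del` directly above; picking one name keeps the callback struct consistent. The enclosing `struct nft_xt_restore_cb` starts and ends outside the hunk.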