From 5fd85822bd12a02f1a921243f605fc6238d705b4 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Tue, 28 Feb 2023 18:09:25 +0100
Subject: nft-restore: Fix for deletion of new, referenced rule

Combining multiple corner-cases here:

* Insert a rule before another new one which is not the first. Triggers
  NFTNL_RULE_ID assignment of the latter.

* Delete the referenced new rule in the same batch again. Causes
  overwriting of the previously assigned RULE_ID.

Consequently, iptables-nft-restore fails during *insert*, because the
reference is dangling.

Reported-by: Eric Garver <eric@garver.life>
Fixes: 760b35b46e4cc ("nft: Fix for add and delete of same rule in single batch")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Tested-by: Eric Garver <eric@garver.life>
---
 .../shell/testcases/ipt-restore/0003-restore-ordering_0  | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0')

diff --git a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0 b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
index 3f1d229e..5482b7ea 100755
--- a/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
+++ b/iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
@@ -123,3 +123,19 @@ EXPECT='-A FORWARD -m comment --comment "rule 1" -j ACCEPT
 -A FORWARD -m comment --comment "rule 3" -j ACCEPT'
 
 diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
+
+# test adding, referencing and deleting the same rule in a batch
+
+$XT_MULTI iptables-restore <<EOF
+*filter
+-A FORWARD -m comment --comment "first rule" -j ACCEPT
+-A FORWARD -m comment --comment "referenced rule" -j ACCEPT
+-I FORWARD 2 -m comment --comment "referencing rule" -j ACCEPT
+-D FORWARD -m comment --comment "referenced rule" -j ACCEPT
+COMMIT
+EOF
+
+EXPECT='-A FORWARD -m comment --comment "first rule" -j ACCEPT
+-A FORWARD -m comment --comment "referencing rule" -j ACCEPT'
+
+diff -u -Z <(echo -e "$EXPECT") <(ipt_show)
-- 
cgit v1.2.3