From df3d92bec600720b2fb50470212ed7cd1ef00c36 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 7 May 2018 15:32:33 +0200 Subject: xtables-compat-restore: flush user-defined chains with -n -n still flushes user-defined chains and its content, the following snippet: iptables-compat -N FOO iptables-compat -I INPUT iptables-compat -I FOO iptables-compat -I FOO iptables-compat-save > A iptables-compat-restore < A iptables-compat -N BAR iptables-compat -A BAR iptables-compat-restore -n < A results in: iptables-compat-save # Generated by xtables-save v1.6.2 on Mon May 7 17:18:44 2018 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :BAR - [0:0] :FOO - [0:0] -A INPUT -A INPUT -A BAR -A FOO -A FOO COMMIT # Completed on Mon May 7 17:18:44 2018 Still, user-defined chains that are not re-defined, such as BAR, are left in place. Reported-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso
--- iptables/xtables-restore.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'iptables/xtables-restore.c')
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 6e7652ff..ac753c43 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -196,6 +196,7 @@ struct nft_xt_restore_cb restore_cb = {
 .commit = nft_commit,
 .abort = nft_abort,
 .table_flush = nft_table_flush,
+ .chain_user_flush = nft_chain_user_flush,
 .chain_del = chain_delete,
 .do_command = do_commandx,
 .chain_set = nft_chain_set,
@@ -294,8 +295,19 @@ void xtables_restore_parse(struct nft_handle *h,
 exit(1);
 }
- if (cb->chain_del)
- cb->chain_del(chain_list, curtable, chain);
+ if (noflush == 0) {
+ if (cb->chain_del)
+ cb->chain_del(chain_list, curtable,
+ chain);
+ } else {
+ /* Apparently -n still flushes existing user
+ * defined chains that are redefined. Otherwise,
+ * leave them as is.
+ */
+ if (cb->chain_user_flush)
+ cb->chain_user_flush(h, chain_list,
+ curtable, chain);
+ }
 if (strlen(chain) >= XT_EXTENSION_MAXNAMELEN)
 xtables_error(PARAMETER_PROBLEM,
-- 
cgit v1.2.3
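Review bot: The new `cb->chain_user_flush(h, chain_list, curtable, chain)` call, like the `cb->chain_del` call beside it, runs before the `strlen(chain) >= XT_EXTENSION_MAXNAMELEN` check that follows it, so a chain name read from the restore input is handed to the nft-side flush before its length has been validated. Moving the `strlen` check above the `if (noflush == 0)` block would validate the name once before either callback is invoked; the ordering was already like this for `chain_del`, so the hunk extends a pre-existing gap rather than introducing one. The comment's "Apparently" reads as uncertainty about what is now a deliberate contract; `/* -n (noflush) keeps existing user-defined chains but flushes those the input redefines. */` states it directly. `noflush` is not visible in the hunk, so I assume it is the file-scope flag set from the -n option; the enclosing `xtables_restore_parse` body starts and ends outside the hunk.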