On Wed, May 15, 2013 at 09:08:27AM +0300, Tomasz Bursztyka wrote:
[...]
> >The kernel will ignore the name if the handle is set. So no need to
> >make this artificial restriction in user-space.
>
> No, this is not the case, have a look at net/netfilter/nf_tables_api.c
> in nf_tables_newchain(), lines 858-860:
>
>     if (nla[NFTA_CHAIN_HANDLE] && name &&
>         !IS_ERR(nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME])))
>             return -EEXIST;
>
> When handle and name are both present it means the user wants to change
> the chain's name. (see line 882)
> But in our case, when changing only the policy we don't touch the
> name, but libnftables provides it anyway, thus failing on that
> test.

But the handle number is built into the netlink message if the client
sets the NFT_CHAIN_ATTR_HANDLE. Looking at iptables-nftables, that only
happens in nft_chain_user_rename. This seems to me like the client
needs to be fixed not to set both attributes at the same time (unless
it wants a chain rename). Where are you hitting this?

> My patch is bogus anyway: I should add a marker that name has been
> changed first (and only if it was really different), and then handle
> it when building the message.
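To make the interaction discussed in this thread concrete, here is a small C model (added for illustration, not code from the kernel or libnftables): a kernel-side check mirroring the quoted nf_tables_newchain() lines, and a client-side message builder with the "name changed" marker Tomasz proposes. The attribute flags, `struct chain`, `chain_set_name()` and `build_policy_update()` are all hypothetical names for this model; the real attributes are NFTA_CHAIN_HANDLE and NFTA_CHAIN_NAME.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy model of the netlink attributes relevant here (not the kernel uapi). */
enum { ATTR_NAME = 1 << 0, ATTR_HANDLE = 1 << 1, ATTR_POLICY = 1 << 2 };

struct chain_msg {
    unsigned attrs;   /* which attributes are present in the message */
    char name[32];
    uint64_t handle;
    int policy;
};

/* Kernel-side model of the quoted check: handle + name means "rename",
 * so the target name must not already exist. name_exists stands in for
 * nf_tables_chain_lookup(table, name) succeeding. */
int model_newchain(const struct chain_msg *m, bool name_exists)
{
    if ((m->attrs & ATTR_HANDLE) && (m->attrs & ATTR_NAME) && name_exists)
        return -EEXIST;
    return 0;
}

/* Client-side model: the chain object remembers whether its name was
 * actually changed, so the builder can leave NAME out otherwise. */
struct chain {
    char name[32];
    uint64_t handle;
    int policy;
    bool name_changed;
};

void chain_set_name(struct chain *c, const char *name)
{
    if (strncmp(c->name, name, sizeof c->name) != 0) {
        strncpy(c->name, name, sizeof c->name - 1);
        c->name[sizeof c->name - 1] = '\0';
        c->name_changed = true;   /* the marker from the thread */
    }
}

/* Build a policy-only update. naive=true reproduces the behaviour the
 * thread describes (NAME always sent alongside HANDLE); naive=false sends
 * NAME only when the marker says it really changed. */
struct chain_msg build_policy_update(const struct chain *c, bool naive)
{
    struct chain_msg m = {0};
    m.attrs = ATTR_HANDLE | ATTR_POLICY;
    m.handle = c->handle;
    m.policy = c->policy;
    if (naive || c->name_changed) {
        m.attrs |= ATTR_NAME;
        strncpy(m.name, c->name, sizeof m.name);
    }
    return m;
}
```

With an existing chain, the naive builder makes the kernel treat a plain policy change as a rename to its own name and rejects it with -EEXIST; the marker-based builder does not.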