2014-10-23 13:18 GMT+02:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>: > Initialize built-in tables/chains if they don't exist, otherwise > simply skip. > > This avoids the chain policy reset to NF_ACCEPT when you call > iptables -L -n. > > Reported-by: Ana Rey <anarey@xxxxxxxxx> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> Tested-by: Ana Rey <anarey@xxxxxxxxx> > --- > iptables/nft.c | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/iptables/nft.c b/iptables/nft.c > index ca199cd..b68b275 100644 > --- a/iptables/nft.c > +++ b/iptables/nft.c > @@ -620,11 +620,17 @@ __nft_chain_builtin_init(struct nft_handle *h, > int policy) > { > int i, default_policy; > + struct nft_chain_list *list = nft_chain_dump(h); > + struct nft_chain *c; > > - /* Initialize all built-in chains. Exception, for e one received as > - * parameter, set the default policy as requested. > - */ > + /* Initialize built-in chains if they don't exist yet */ > for (i=0; i<NF_IP_NUMHOOKS && table->chains[i].name != NULL; i++) { > + > + c = nft_chain_list_find(list, table->name, > + table->chains[i].name); > + if (c != NULL) > + continue; > + > if (chain && strcmp(table->chains[i].name, chain) == 0) > default_policy = policy; > else > @@ -633,6 +639,8 @@ __nft_chain_builtin_init(struct nft_handle *h, > nft_chain_builtin_add(h, table, &table->chains[i], > default_policy); > } > + > + nft_chain_list_free(list); > } > > int > -- > 1.7.10.4 > -- Ana Rey (@anaRB) http://about.me/anarey
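Review bot: in the first hunk (@@ -620,11 +620,17 @@) the result of `nft_chain_dump(h)` is used without a check: `list` goes straight into `nft_chain_list_find(list, table->name, table->chains[i].name)` inside the loop, so if the dump fails and returns NULL (allocation or netlink error) the lookup dereferences it instead of reporting the failure. Suggest bailing out before the loop, e.g. `if (list == NULL) return;` (or propagating an error if the caller can act on it). A second point on the same hunk: the new `continue` runs before `default_policy = policy`, so when the chain named by `chain` already exists the requested `policy` is never applied. That is the intended effect for `iptables -L -n`, but the commit message should state explicitly that `__nft_chain_builtin_init` no longer touches the policy of existing chains, so anyone relying on it for policy changes knows that path must be handled elsewhere.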
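Review bot: in the second hunk (@@ -633,6 +639,8 @@) `nft_chain_list_free(list)` after the loop is the only place the dumped list is released, which is correct for the straight-line path shown; if a NULL check or any other early return is added earlier in the function, it must not fall through to this free on a NULL list and must not leak a valid one, so keep this call as the single exit point (or move the early check before the dump is stored).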