On Sun, Mar 18, 2018 at 07:22:39PM +0100, Florian Westphal wrote:
> Sergei Trofimovich reported that restoring an nft ruleset doesn't work
> anymore unless old rule content is flushed first.
>
> The problem stems from a recent change designed to prevent multiple nat
> hooks at the same hook point locations and nftables transaction model.
>
> A 'flush ruleset' won't take effect until the entire transaction has
> completed.
>
> So, if one has a nft.rules file that contains a 'flush ruleset',
> followed by a nat hook register request, then 'nft -f file' will work,
> but running 'nft -f file' again will fail with -EBUSY.
>
> Reason is that nftables will place the flush/removal requests in the
> transaction list, but it will not act on the removal until after all new
> rules are in place.
>
> The netfilter core will therefore get request to register a new nat
> hook before the old one is removed -- this now fails as the netfilter
> core can't know the existing hook is staged for removal.
>
> To fix this, we can search the transaction log when a hook collision
> is detected. The collision is okay if
>
> 1. there is a delete request pending for the nat hook that is already
>    registered.
> 2. there is no second add request for a matching nat hook.
>    This is required to only apply the exception once.

Also applied, thanks.
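A minimal ruleset file of the shape the quoted description talks about, added here as a constructed example (it is not from the original thread or the kernel patch); the interface name and the file path are assumptions:

```nft
# /tmp/nft-repro.rules (constructed example)
# The flush is queued in the same transaction as the nat hook below.
flush ruleset

table ip nat {
    chain postrouting {
        # Registers a nat hook; on an affected kernel the second
        # 'nft -f' of this file fails with EBUSY because the old hook
        # is still registered when this one is added.
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Loading it with `nft -f /tmp/nft-repro.rules` twice in a row is the check: a fixed kernel accepts the second load, an affected one returns EBUSY unless the old table is deleted in a separate transaction first.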