This still does not work, still searching for more bugs here.

Patch 1) Remove skip logic from __nft_table_flush(), before we
hit ERESTART. Better not to preventively skip table flush.
Patch 2) Keeps the original cache, while we introduce a new cache
that is used when we hit ERESTART.
Patch 3) Remove NFT_COMPAT_TABLE_ADD case from refresh transaction,
I don't find a scenario for this.
Patch 4) Reevaluate based on the existing cache, not on the previous
object state. The original commit doesn't mention it, but
NFT_COMPAT_CHAIN_USER_ADD only makes sense to me to do
the special handling from h->noflush.

I can still see the test fail most of the time with:
line 5: CHAIN_USER_ADD failed (File exists): chain UC-0
which should not happen if table exists, because a flush should have
happened before.

Pablo Neira Ayuso (4):
nft: don't check for table existence from __nft_table_flush()
nft: keep original cache in case of ERESTART
nft: don't skip table addition from ERESTART
nft: don't care about previous state in RESTART

iptables/nft.c | 77 +++++++++++++++++++++++++++++++---------------------------
iptables/nft.h | 3 ++-
2 files changed, 43 insertions(+), 37 deletions(-)
--
2.11.0