With iptables-nft-restore in --noflush mode, the created batch job list may need
to be adjusted to a changing ruleset in kernel. In particular, an input line like
':FOO - [0:0]' either means "flush chain FOO" or "create chain FOO" depending on
whether it exists already or not.

Patch 3 contains a test case provoking this peculiar situation and fixes the
transaction prepare and refresh logic in that case. Patch 1 is a simple
preparation change, patch 2 a somewhat related fix for error reporting with
refreshed transactions.

Phil Sutter (3):
  nft: Make batch_add_chain() return the added batch object
  nft: Fix error reporting for refreshed transactions
  nft: Fix for concurrent noflush restore calls

 iptables/nft.c                                     | 96 ++++++++++--------
 .../ipt-restore/0016-concurrent-restores_0         | 53 ++++++++++
 2 files changed, 102 insertions(+), 47 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/ipt-restore/0016-concurrent-restores_0

-- 
2.28.0
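As an added illustration of the flush-or-create ambiguity described in the cover letter above: the following is a small Python model written for this page, not code from the iptables project or from the patch series. It parses restore chain lines, derives the batch job for each one against a snapshot of the chains present in the kernel, and shows how a job prepared from a stale snapshot has to be re-derived when a concurrent restore changes the ruleset before the batch is committed. The restore input, chain names and kernel snapshots are constructed for the example; the real batch and refresh code in iptables/nft.c is not reproduced here.

```python
# Added example, not iptables project code: a model of how a chain line such
# as ':FOO - [0:0]' is turned into a batch job in --noflush mode, and why that
# job must be re-derived when the kernel ruleset changes concurrently.
import re
from typing import List, Set, Tuple

# ':NAME POLICY [pkts:bytes]' - policy is '-' for user-defined chains and
# ACCEPT/DROP (etc.) for built-in ones.
CHAIN_LINE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

Job = Tuple[str, str]  # (operation, chain name)


def parse_chain_line(line: str) -> Tuple[str, str]:
    """Return (chain, policy) for a restore chain line, else raise ValueError."""
    m = CHAIN_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a chain line: {line!r}")
    return m.group(1), m.group(2)


def job_for(chain: str, kernel_chains: Set[str], noflush: bool) -> Job:
    """In --noflush mode a chain line flushes an existing chain and creates a
    missing one. Without --noflush the table is flushed first, so every chain
    line is a create."""
    if noflush and chain in kernel_chains:
        return ("flush", chain)
    return ("create", chain)


def prepare_jobs(lines: List[str], kernel_chains: Set[str],
                 noflush: bool = True) -> List[Job]:
    """Derive the batch job list from restore input against a snapshot of the
    chains currently in the kernel. Only chain lines are modelled; table
    headers, rules and COMMIT are skipped."""
    jobs: List[Job] = []
    for line in lines:
        if not line.startswith(":"):
            continue
        chain, _policy = parse_chain_line(line)
        jobs.append(job_for(chain, kernel_chains, noflush))
    return jobs


def stale_jobs(jobs: List[Job], kernel_chains_now: Set[str]) -> List[Job]:
    """Jobs whose operation no longer matches the kernel state, e.g. a
    'create' for a chain another restore created in the meantime, or a
    'flush' for a chain that was deleted."""
    return [(op, chain) for op, chain in jobs
            if op != job_for(chain, kernel_chains_now, True)[0]]


def refresh_jobs(jobs: List[Job], kernel_chains_now: Set[str]) -> List[Job]:
    """Re-derive every job against a fresh snapshot so the batch matches what
    is actually in the kernel at commit time."""
    return [job_for(chain, kernel_chains_now, True) for _op, chain in jobs]


# Constructed restore input for the example.
RESTORE_INPUT = [
    "*filter",
    ":INPUT ACCEPT [0:0]",
    ":FOO - [0:0]",
    "-A INPUT -j FOO",
    "COMMIT",
]


def demo() -> Tuple[List[Job], List[Job], List[Job]]:
    # Snapshot taken when the batch was prepared: only built-in chains exist,
    # so FOO is scheduled for creation.
    before = {"INPUT", "FORWARD", "OUTPUT"}
    jobs = prepare_jobs(RESTORE_INPUT, before)
    # A second --noflush restore ran concurrently and created FOO before our
    # batch was committed; the 'create FOO' job is now stale.
    after = before | {"FOO"}
    return jobs, stale_jobs(jobs, after), refresh_jobs(jobs, after)


if __name__ == "__main__":
    prepared, stale, refreshed = demo()
    print("prepared :", prepared)
    print("stale    :", stale)
    print("refreshed:", refreshed)
```

The same re-derivation applies in the other direction: a 'flush' prepared for a chain that a concurrent restore deleted has to become a 'create', which is why the decision is a function of the current kernel snapshot rather than of the originally prepared job.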