This is a combined series of fixes and improvements:

* Patch 1 fixes a double free happening if the ruleset contains more than
  one base-chain for a given hook.
* Patch 2 improves iptables-nft behaviour in the above case, allowing it to
  continue even if there is a base chain which doesn't fit. Since
  iptables-nft doesn't fetch the full ruleset from the kernel in all cases
  anymore, it is prone to miss offending ruleset parts, anyway.
* Patch 4 tries to avoid the negative side-effects that came with
  Florian's patch allowing to delete base-chains.
* Patch 3 adds a bit of convenience used by patch 4.

Phil Sutter (4):
  nft: cache: Avoid double free of unrecognized base-chains
  nft: Check base-chain compatibility when adding to cache
  nft-chain: Introduce base_slot field
  nft: Delete builtin chains compatibly

 iptables/nft-cache.c                              |  52 +++++---
 iptables/nft-chain.h                              |   1 +
 iptables/nft-cmd.c                                |   2 +-
 iptables/nft.c                                    | 112 +++++++-----------
 iptables/nft.h                                    |   2 +
 .../shell/testcases/chain/0004extra-base_0        |  37 ++++++
 .../shell/testcases/chain/0005base-delete_0       |  34 ++++++
 iptables/xtables-save.c                           |   3 +
 8 files changed, 161 insertions(+), 82 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/chain/0004extra-base_0
 create mode 100755 iptables/tests/shell/testcases/chain/0005base-delete_0

-- 
2.33.0