Phil Sutter <phil@xxxxxx> wrote:
> Attempting to delete all chains if --delete-chain is called without
> argument has unwanted side-effects especially legacy iptables users are
> not aware of and won't expect:
>
> * Non-default policies are ignored, a previously dropping firewall may
>   start accepting traffic.
>
> * The kernel refuses to remove non-empty chains, causing program abort
>   even if no user-defined chain exists.
>
> Fix this by requiring a rule cache in that situation and make builtin
> chain deletion depend on its policy and number of rules. Since this may
> change concurrently, check again when having to refresh the transaction.
>
> Also, hide builtin chains from verbose output - their creation is
> implicit, so treat their removal as implicit, too.
>
> When deleting a specific chain, do not allow to skip the job though.
> Otherwise deleting a builtin chain which is still in use will succeed
> although not executed.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>