Re: [iptables PATCH 4/4] nft: Delete builtin chains compatibly

Phil Sutter <phil@xxxxxx> wrote:
> Attempting to delete all chains if --delete-chain is called without
> argument has unwanted side-effects which especially legacy iptables
> users are not aware of and won't expect:
> 
> * Non-default policies are ignored, a previously dropping firewall may
>   start accepting traffic.
> 
> * The kernel refuses to remove non-empty chains, causing program abort
>   even if no user-defined chain exists.
> 
> Fix this by requiring a rule cache in that situation and make builtin
> chain deletion depend on its policy and number of rules. Since this may
> change concurrently, check again when having to refresh the transaction.
> 
> Also, hide builtin chains from verbose output - their creation is
> implicit, so treat their removal as implicit, too.
> 
> When deleting a specific chain, do not allow skipping the job, though.
> Otherwise deleting a builtin chain which is still in use will succeed
> although not executed.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
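As an added illustration, not part of the patch or of this thread, the rule the commit message describes can be emulated outside iptables: a builtin chain is only removed implicitly when its policy is ACCEPT and it holds no rules (so removing it changes nothing), a builtin chain that is explicitly named is never silently skipped, and a user-defined chain that is non-empty or still referenced is something the kernel would refuse. The iptables-save style dump below is constructed for the example, and the `plan_*` helpers are hypothetical names written here, not functions from the iptables code base.

```python
"""Emulate the --delete-chain decision rule described in the commit message.

This is an added example, not iptables code. It parses a constructed
iptables-save dump and decides, per chain, whether a chain deletion
would be carried out, silently skipped, or refused.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a filter table with a dropping INPUT policy,
# two empty ACCEPT builtins and one user-defined chain still in use.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -j LOG --log-prefix "drop: "
-A LOGDROP -j DROP
COMMIT
"""


@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None marks a user-defined chain ('-' in the dump)
    rules: int = 0
    referenced: bool = False  # some rule jumps to this chain


def parse_dump(dump: str) -> Dict[str, Chain]:
    """Read ':NAME POLICY [pkts:bytes]' and '-A CHAIN ...' lines."""
    chains: Dict[str, Chain] = {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy, _counters = line[1:].split(None, 2)
            chains[name] = Chain(name, None if policy == "-" else policy)
        elif line.startswith("-A "):
            parts = line.split()
            chains[parts[1]].rules += 1
            if "-j" in parts:
                target = parts[parts.index("-j") + 1]
                if target in chains:          # jump to a chain, not a verdict
                    chains[target].referenced = True
    return chains


def plan_delete_all(chains: Dict[str, Chain]) -> Dict[str, List[str]]:
    """--delete-chain without argument: the implicit case."""
    plan: Dict[str, List[str]] = {"delete": [], "skip": [], "refuse": []}
    for c in chains.values():
        if c.policy is not None:
            # Builtin chain: drop it only when doing so changes nothing,
            # i.e. policy ACCEPT and no rules; otherwise leave it alone
            # (the previously dropping INPUT chain keeps dropping).
            if c.policy == "ACCEPT" and c.rules == 0:
                plan["delete"].append(c.name)
            else:
                plan["skip"].append(c.name)
        elif c.rules == 0 and not c.referenced:
            plan["delete"].append(c.name)
        else:
            # Non-empty or referenced user chain: the kernel would refuse.
            plan["refuse"].append(c.name)
    return plan


def plan_delete_one(chains: Dict[str, Chain], name: str) -> str:
    """--delete-chain NAME: an explicit request is never silently skipped."""
    c = chains[name]
    if c.rules or c.referenced or c.policy not in (None, "ACCEPT"):
        return "refuse"   # report failure instead of pretending success
    return "delete"


if __name__ == "__main__":
    table = parse_dump(SAMPLE_DUMP)
    print(plan_delete_all(table))
    for name in ("INPUT", "OUTPUT", "LOGDROP"):
        print(name, "->", plan_delete_one(table, name))
```

On the constructed dump, the implicit run deletes FORWARD and OUTPUT, skips INPUT because of its DROP policy and its rules, and would be refused for LOGDROP; naming INPUT explicitly yields a refusal rather than a skip, which is the distinction the last paragraph of the commit message draws.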


