With my fix for flushing non-existent chains I inadvertently turned chain flushes into nops and broke iptables-restore with input containing a flush early before other commands. The shell testsuite clearly identified all these issues, but I had tested only the problem case.

This is fixed by patch 2 with patch 1 as basic work. Patches 3-7 fix other issues I stumbled upon when working on some approach for forward-compatibility. The remaining patches are not strictly fixes but trivial enough to just go along with the rest.

Phil Sutter (14):
  nft: cache: Annotate faked base chains as such
  nft: Fix for zeroing existent builtin chains
  extensions: recent: Fix format string for unsigned values
  extensions: conntrack: Use the right callbacks
  nft: cmd: Init struct nft_cmd::head early
  nft: Add potentially missing init_cs calls
  arptables: Fix conditional opcode/proto-type printing
  xshared: Do not omit all-wildcard interface spec when inverted
  extensions: conntrack: Reuse print_state() for old state match
  xshared: Make save_iface() static
  xshared: Move NULL pointer check into save_iface()
  libxtables: Debug: Slightly improve extension ordering debugging
  arptables: Introduce print_iface()
  ebtables: Omit all-wildcard interface specs from output

 extensions/iptables.t         |  2 ++
 extensions/libarpt_standard.t |  2 ++
 extensions/libebt_standard.t  |  2 ++
 extensions/libxt_conntrack.c  | 46 ++++++-------------------
 extensions/libxt_recent.c     | 12 ++++---
 iptables/nft-arp.c            | 61 +++++++++++++----------------------
 iptables/nft-bridge.c         |  2 +-
 iptables/nft-cache.c          |  6 ++--
 iptables/nft-cache.h          |  2 +-
 iptables/nft-chain.c          |  3 +-
 iptables/nft-chain.h          |  3 +-
 iptables/nft-cmd.c            |  1 +
 iptables/nft.c                | 44 ++++++++++++++++++-------
 iptables/xshared.c            | 16 +++------
 iptables/xshared.h            |  1 -
 libxtables/xtables.c          | 20 +++++++++---
 16 files changed, 109 insertions(+), 114 deletions(-)

--
2.43.0