git.ipfire.org Git - thirdparty/nftables.git/commit
src: ensure chain policy evaluation when specified
Set on CHAIN_F_BASECHAIN when policy is specified in chain, otherwise
chain priority is not evaluated.
Toggling this flag requires three adjustments to work though:
1) chain_evaluate() needs to skip evaluation of hook name and priority if
not specified to allow for updating the default chain policy, e.g.
chain ip x y { policy accept; }
2) update netlink bytecode generation for chain to skip NFTA_CHAIN_HOOK
so update path is exercised in the kernel.
3) error reporting needs to check if basechain priority and type are
set on, otherwise skip further hints.
Fixes: acdfae9c3126 ("src: allow to specify the default policy for base chains")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>