iptables-nft: fix basechain policy configuration
authorPablo Neira Ayuso <pablo@netfilter.org>
Fri, 2 Oct 2020 11:44:36 +0000 (13:44 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 8 Oct 2020 17:24:12 +0000 (19:24 +0200)
Before this patch, the basechain policy could not be configured correctly
if it wasn't explicitly set when loading the ruleset, which led
iptables-nft-restore (and ip6tables-nft-restore) to send an invalid
ruleset to the kernel.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft.c
iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0 [new file with mode: 0755]

index 3958bba25519f1a329d1a118e3a2248e81d6e88d..ccbbccb59ed96833911a4ad54ed4134588ed632e 100644 (file)
@@ -679,7 +679,9 @@ nft_chain_builtin_alloc(const struct builtin_table *table,
        nftnl_chain_set_str(c, NFTNL_CHAIN_NAME, chain->name);
        nftnl_chain_set_u32(c, NFTNL_CHAIN_HOOKNUM, chain->hook);
        nftnl_chain_set_u32(c, NFTNL_CHAIN_PRIO, chain->prio);
-       nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
+       if (policy >= 0)
+               nftnl_chain_set_u32(c, NFTNL_CHAIN_POLICY, policy);
+
        nftnl_chain_set_str(c, NFTNL_CHAIN_TYPE, chain->type);
 
        return c;
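Review bot: The new `if (policy >= 0)` guard relies on `policy` being a signed parameter, but the signature of nft_chain_builtin_alloc() starts before this hunk; if it is declared as `unsigned`/`uint32_t`, the test is always true and the `-1` sentinel passed from nft_chain_set() would be written to the kernel as 0xffffffff instead of being skipped, so please confirm the type is `int`. The sentinel also deserves a comment at the guard, e.g. `/* policy < 0 ("-" in a restore dump): leave NFTNL_CHAIN_POLICY unset so an existing basechain keeps its current policy */`. Note that for a basechain that does not exist yet, leaving the attribute unset means the kernel applies its own default policy (presumably ACCEPT — confirm), so a dump using "-" is only a "keep as is" on an existing chain and never an explicit DROP; that fail-open behaviour on first creation is worth stating in the comment.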
@@ -911,6 +913,8 @@ int nft_chain_set(struct nft_handle *h, const char *table,
                c = nft_chain_new(h, table, chain, NF_DROP, counters);
        else if (strcmp(policy, "ACCEPT") == 0)
                c = nft_chain_new(h, table, chain, NF_ACCEPT, counters);
+       else if (strcmp(policy, "-") == 0)
+               c = nft_chain_new(h, table, chain, -1, counters);
        else
                errno = EINVAL;
 
diff --git a/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0 b/iptables/tests/shell/testcases/nft-only/0008-basechain-policy_0
new file mode 100755 (executable)
index 0000000..a81e9ba
--- /dev/null
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+set -e
+
+$XT_MULTI iptables -t raw -P OUTPUT DROP
+
+# make sure iptables-nft-restore can correctly handle basechain policies when
+# they aren't set with --noflush
+#
+$XT_MULTI iptables-restore --noflush <<EOF
+*raw
+:OUTPUT - [0:0]
+:PREROUTING - [0:0]
+:neutron-linuxbri-OUTPUT - [0:0]
+:neutron-linuxbri-PREROUTING - [0:0]
+-I OUTPUT 1 -j neutron-linuxbri-OUTPUT
+-I PREROUTING 1 -j neutron-linuxbri-PREROUTING
+-I neutron-linuxbri-PREROUTING 1 -m physdev --physdev-in brq7425e328-56 -j CT --zone 4097
+-I neutron-linuxbri-PREROUTING 2 -i brq7425e328-56 -j CT --zone 4097
+-I neutron-linuxbri-PREROUTING 3 -m physdev --physdev-in tap7f101a28-1d -j CT --zone 4097
+
+COMMIT
+EOF
+
+$XT_MULTI iptables-save | grep -C2 raw | grep OUTPUT | grep DROP
+if [ $? -ne 0 ]; then
+       exit 1
+fi
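Review bot: The `if [ $? -ne 0 ]` block after the final pipeline is dead code: the script runs under `set -e`, so a failing `grep DROP` already aborts with a non-zero status before the test is reached, and the pipeline's exit code is that of the last `grep`. The check is also looser than it needs to be, since `grep -C2 raw | grep OUTPUT | grep DROP` would accept any line near the `*raw` header containing both words; the three lines can be collapsed into one precise assertion, `$XT_MULTI iptables-save -t raw | grep -q '^:OUTPUT DROP'`, and `set -e` then provides the failure exit. If the test harness does not run each case in a fresh network namespace, the script should also reset the raw OUTPUT policy to ACCEPT at the end so the DROP it installed does not leak into later testcases — I cannot tell from here whether the harness isolates cases.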