xtables: policy can be changed only on builtin chain

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index 7e1b47bc1efaa0085e8805d0240650d4f285ead4..54951154f6880ec631ec0952301663df22bd3b33 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -503,16 +503,9 @@ __nft_chain_set(struct nft_handle *h, const char *table,
                c = nft_chain_builtin_alloc(_t, _c, policy);
                if (c == NULL)
                        return -1;
-
        } else {
-               /* This is a custom chain */
-               c = nft_chain_alloc();
-               if (c == NULL)
-                       return -1;
-
-               nft_chain_attr_set(c, NFT_CHAIN_ATTR_TABLE, (char *)table);
-               nft_chain_attr_set(c, NFT_CHAIN_ATTR_NAME, (char *)chain);
-               nft_chain_attr_set_u32(c, NFT_CHAIN_ATTR_POLICY, policy);
+               errno = ENOENT;
+               return -1;
        }
 
        if (counters) {