nft: A builtin chain might be created when restoring

nft_chain_set() is directly used in xtables-restore.c, however at that
point no builtin chains have been created yet thus the need to request
to build it relevantly.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index 36ac69cc9893a941dff8b34593237e6aa429c401..501c6d861cb17196003294d9e6f6d33486da9586 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -744,6 +744,7 @@ __nft_chain_set(struct nft_handle *h, const char *table,
        }
 
        nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_NEWCHAIN, h->family,
+                                       h->restore ? NLM_F_ACK|NLM_F_CREATE :
                                        NLM_F_ACK, h->seq);
        nft_chain_nlmsg_build_payload(nlh, c);
 

diff --git a/iptables/nft.h b/iptables/nft.h
index 92488764196c4518ad5f8d33aa0a5f106c32913b..3b58d5146ee779a66843a842548d91f1754c4647 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -34,6 +34,7 @@ struct nft_handle {
        struct mnl_nlmsg_batch  *batch;
        struct nft_family_ops   *ops;
        struct builtin_table    *tables;
+       bool                    restore;
 };
 
 extern struct builtin_table xtables_ipv4[TABLES_MAX];

diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 730800ff49c0c9c00c8a0a340e20376bb2c92f04..f7850bb21039b98e51c54a973ee0096e0e259898 100644 (file)
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -170,6 +170,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 {
        struct nft_handle h = {
                .family = family,
+               .restore = true,
        };
        char buffer[10240];
        int c;