nft: don't care about previous state in ERESTART
authorPablo Neira Ayuso <pablo@netfilter.org>
Mon, 20 May 2019 14:10:06 +0000 (16:10 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 20 May 2019 18:58:57 +0000 (20:58 +0200)
We need to re-evaluate based on the existing cache generation.

Fixes: 58d7de0181f6 ("xtables: handle concurrent ruleset modifications")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft.c

index 43b9153c2d58abbcb332a0ce956b169672fe9105..f6d4070298921aa6a379c9edfe335e12bb93420d 100644 (file)
@@ -2789,9 +2789,9 @@ static void nft_refresh_transaction(struct nft_handle *h)
                        if (!tablename)
                                continue;
                        exists = nft_table_find(h, tablename);
-                       if (n->skip && exists)
+                       if (exists)
                                n->skip = 0;
-                       else if (!n->skip && !exists)
+                       else
                                n->skip = 1;
                        break;
                case NFT_COMPAT_CHAIN_USER_ADD:
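Review bot: The added if/else pair now assigns n->skip from the single boolean `exists` and nothing else, so the two branches can collapse into one statement, `n->skip = !exists;`, which also makes it obvious at a glance that the previous n->skip value no longer participates in the decision (the point of this commit). nft_refresh_transaction begins before this hunk; the case label that owns these lines is not visible here.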
@@ -2803,13 +2803,16 @@ static void nft_refresh_transaction(struct nft_handle *h)
                        if (!chainname)
                                continue;
 
+                       if (!h->noflush)
+                               break;
+
                        c = nft_chain_find(h, tablename, chainname);
-                       if (c && !n->skip) {
+                       if (c) {
                                /* -restore -n flushes existing rules from redefined user-chain */
-                               if (h->noflush)
-                                       __nft_rule_flush(h, tablename,
-                                                        chainname, false, true);
-                       } else if (!c && n->skip) {
+                               __nft_rule_flush(h, tablename,
+                                                chainname, false, true);
+                               n->skip = 1;
+                       } else if (!c) {
                                n->skip = 0;
                        }
                        break;
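Review bot: The new `} else if (!c) {` is a redundant test, since the else branch is only reached when `c` is NULL; a plain `} else {` says the same thing and avoids a reader looking for a third case that does not exist. Separately, the added early `if (!h->noflush) break;` means n->skip for a user-chain add is no longer re-evaluated at all in the non-noflush path, whereas the removed code could still reset it to 0 there; if n->skip can only ever be set in the noflush path this is fine, but that is not visible in this hunk and would be worth a one-line comment such as `/* skip is only ever set by the -n (noflush) path, nothing to re-evaluate otherwise */` above the break. The enclosing switch and nft_refresh_transaction continue outside the hunk.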