iptables-compat: fix chain policy reset with iptables -L -n
authorPablo Neira Ayuso <pablo@netfilter.org>
Thu, 23 Oct 2014 10:42:11 +0000 (12:42 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 24 Oct 2014 10:18:30 +0000 (12:18 +0200)
Initialize built-in tables/chains if they don't exist, otherwise
simply skip.

This avoids the chain policy reset to NF_ACCEPT by when you call
iptables -L -n.

Reported-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Ana Rey <anarey@gmail.com>
iptables/nft.c

index ca199cd2b16194256966c4f8ecfa6766419bdc27..b68b275439707a4cf09e9205c7f26f0e7cbb10db 100644 (file)
@@ -620,11 +620,17 @@ __nft_chain_builtin_init(struct nft_handle *h,
                         int policy)
 {
        int i, default_policy;
+       struct nft_chain_list *list = nft_chain_dump(h);
+       struct nft_chain *c;
 
-       /* Initialize all built-in chains. Exception, for e one received as
-        * parameter, set the default policy as requested.
-        */
+       /* Initialize built-in chains if they don't exist yet */
        for (i=0; i<NF_IP_NUMHOOKS && table->chains[i].name != NULL; i++) {
+
+               c = nft_chain_list_find(list, table->name,
+                                       table->chains[i].name);
+               if (c != NULL)
+                       continue;
+
                if (chain && strcmp(table->chains[i].name, chain) == 0)
                        default_policy = policy;
                else
@@ -633,6 +639,8 @@ __nft_chain_builtin_init(struct nft_handle *h,
                nft_chain_builtin_add(h, table, &table->chains[i],
                                        default_policy);
        }
+
+       nft_chain_list_free(list);
 }
 
 int
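Review bot: The return value of `nft_chain_dump(h)` at the top of the first hunk is never checked before it is handed to `nft_chain_list_find()` and `nft_chain_list_free()`, so a failed dump (an allocation or netlink error, assuming the helper reports failure by returning NULL) is not handled. Whether that dereferences a null list or merely makes every lookup miss depends on the helper, but in the latter case the loop falls back to re-adding every built-in chain and resetting its policy, which is exactly the reset this commit sets out to avoid. A guard such as `if (list == NULL) return;` directly after the declaration, or an error return if the function reports status to its caller, keeps a failed dump from being treated as an empty ruleset. The signature and return type of `__nft_chain_builtin_init` are outside the hunk, so the form of the early exit has to follow the real declaration.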