*filter
:INPUT DROP [32:4052]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT
COMMIT
will be restored with ACCEPT policies. When
-A OUTPUT is processed, the OUTPUT chain isn't found in the chain cache,
so the table is re-created with ACCEPT policies, which overrides the
earlier DROP policies.
A better fix would be to add the policy setting to the chain cache
but it seems we'll need a chain abstraction with refcounting first.
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@strlen.de>
return ret == 0 ? 1 : 0;
}
+void nft_table_new(struct nft_handle *h, const char *table)
+{
+ if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0)
+ nft_xt_builtin_init(h, table);
+}
+
static int __nft_rule_del(struct nft_handle *h, struct nftnl_rule_list *list,
struct nftnl_rule *r)
{
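Review bot: nft_table_new() returns void and drops the result of `nft_xt_builtin_init(h, table)`, so if creating the table or its builtin chains fails, the restore carries on and the caller is never told. The commit message says this call is what keeps the `:INPUT DROP` / `:FORWARD DROP` policies from being replaced with ACCEPT, so a silent failure here would presumably leave the host with a more permissive filter than the ruleset asked for. Assuming nft_xt_builtin_init reports errors through its return value, consider returning int and letting the `.table_new` caller abort the restore. A comment above the function would also help, e.g. `/* Create the table and builtin chains up front so a later chain-cache miss cannot re-create them with ACCEPT policies. */`, as would a restore test that feeds the ruleset from the commit message and checks the policies are still DROP afterwards. The trailing context is the start of __nft_rule_del, whose body lies outside this hunk.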
bool nft_table_find(struct nft_handle *h, const char *tablename);
int nft_table_purge_chains(struct nft_handle *h, const char *table, struct nftnl_chain_list *list);
int nft_table_flush(struct nft_handle *h, const char *table);
+void nft_table_new(struct nft_handle *h, const char *table);
/*
* Operations with chains.
.chain_list = get_chain_list,
.commit = nft_commit,
.abort = nft_abort,
+ .table_new = nft_table_new,
.table_flush = nft_table_flush,
.chain_user_flush = nft_chain_user_flush,
.chain_del = chain_delete,