From: Phil Sutter
Date: Thu, 28 Aug 2025 16:01:29 +0000 (+0200)
Subject: mnl: Allow for updating devices on existing inet ingress hook chains
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2214a4836bc7c906dd1d16a21a59b9d9240af7b7;p=thirdparty%2Fnftables.git

mnl: Allow for updating devices on existing inet ingress hook chains

Complete commit a66b5ad9540dd ("src: allow for updating devices on existing netdev chain") in supporting inet family ingress hook chains as well. The kernel does already but nft has to add a proper hooknum attribute to pass the checks. Calling chain_evaluate() for populating the hook.num field is a bit over the top and has potentially unwanted side-effects. Introduce a minimal chain_del_evaluate() for this purpose.

Signed-off-by: Phil Sutter
---
diff --git a/src/evaluate.c b/src/evaluate.c
index b7e4f71f..8cecbe09 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -5992,6 +5992,22 @@ static void chain_del_cache(struct eval_ctx *ctx, struct cmd *cmd)
 chain_free(chain);
 }
 
+static int chain_del_evaluate(struct eval_ctx *ctx, struct cmd *cmd)
+{
+ struct chain *chain = cmd->chain;
+
+ if (chain && chain->flags & CHAIN_F_BASECHAIN && chain->hook.name) {
+ chain->hook.num = str2hooknum(chain->handle.family,
+ chain->hook.name);
+ if (chain->hook.num == NF_INET_NUMHOOKS)
+ return __stmt_binary_error(ctx, &chain->hook.loc, NULL,
+ "The %s family does not support this hook",
+ family2str(chain->handle.family));
+ }
+ chain_del_cache(ctx, cmd);
+ return 0;
+}
+
 static void set_del_cache(struct eval_ctx *ctx, struct cmd *cmd)
 {
 struct table *table;
@@ -6069,8 +6085,7 @@ static int cmd_evaluate_delete(struct eval_ctx *ctx, struct cmd *cmd)
 case CMD_OBJ_RULE:
 return 0;
 case CMD_OBJ_CHAIN:
- chain_del_cache(ctx, cmd);
- return 0;
+ return chain_del_evaluate(ctx, cmd);
 case CMD_OBJ_TABLE:
 table_del_cache(ctx, cmd);
 return 0;
diff --git a/src/mnl.c b/src/mnl.c
index 984dcac2..d1402c0f 100644
--- a/src/mnl.c
+++ b/src/mnl.c
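Review bot: chain_del_evaluate() in src/evaluate.c carries no comment saying why it resolves only hook.num instead of calling chain_evaluate(); that reasoning currently lives only in the commit message. A short header such as `/* Resolve hook.num for delete only; mnl_nft_chain_del() sends it as NFTA_HOOK_HOOKNUM. */` would keep a later reader from swapping the full evaluator back in. The condition also mixes `&` and `&&` without parentheses; writing `(chain->flags & CHAIN_F_BASECHAIN)` makes the intended grouping explicit.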
@@ -994,6 +994,8 @@ int mnl_nft_chain_del(struct netlink_ctx *ctx, struct cmd *cmd)
 struct nlattr *nest;
 
 nest = mnl_attr_nest_start(nlh, NFTA_CHAIN_HOOK);
+ mnl_attr_put_u32(nlh, NFTA_HOOK_HOOKNUM,
+ htonl(cmd->chain->hook.num));
 mnl_nft_chain_devs_build(nlh, cmd);
 mnl_attr_nest_end(nlh, nest);
 }
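Review bot: The new `mnl_attr_put_u32(nlh, NFTA_HOOK_HOOKNUM, ...)` is emitted for every delete that reaches this nest, but chain_del_evaluate() in src/evaluate.c fills hook.num only when CHAIN_F_BASECHAIN is set and hook.name is non-NULL. If a chain can get here with devices but no hook name, the kernel is sent whatever hook.num was initialised to, and 0 is itself a valid hook number, so the request would not be rejected as malformed. The condition guarding this block lies outside the hunk, so the case may already be excluded. If it is not, guard the attribute with `if (cmd->chain->hook.name)` or have chain_del_evaluate() return an error when devices are given without a hook.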