iptables/0008-nft-Fix-for-zeroing-existent-builtin-chains.patch
Phil Sutter 6eebdb8221 iptables-1.8.10-5.el9
* Wed Aug 14 2024 Phil Sutter <psutter@redhat.com> [1.8.10-5.el9]
- xtables-monitor: Ignore ebtables policy rules unless tracing (Phil Sutter) [RHEL-47264]
- xtables-monitor: Fix for ebtables rule events (Phil Sutter) [RHEL-47264]
- tests: shell: New xtables-monitor test (Phil Sutter) [RHEL-47264]
- xtables-monitor: Support arptables chain events (Phil Sutter) [RHEL-47264]
- xtables-monitor: Align builtin chain and table output (Phil Sutter) [RHEL-47264]
- xtables-monitor: Flush stdout after all lines of output (Phil Sutter) [RHEL-47264]
- xtables-monitor: Proper re-init for rule's family (Phil Sutter) [RHEL-47264]
- nft: Fix for zeroing existent builtin chains (Phil Sutter) [RHEL-49497]
- nft: cache: Annotate faked base chains as such (Phil Sutter) [RHEL-49497]
- nft: Fix for zeroing non-existent builtin chains (Phil Sutter) [RHEL-49497]
Resolves: RHEL-47264, RHEL-49497
2024-08-14 16:11:43 +02:00


From 5766ffbf98583fcc50f3607850d63bb0e87d4abe Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 14 Aug 2024 14:23:33 +0200
Subject: [PATCH] nft: Fix for zeroing existent builtin chains
JIRA: https://issues.redhat.com/browse/RHEL-49497
Upstream Status: iptables commit 6a2aeda7585e07c0fcccb0c788299ab5a6a85881
commit 6a2aeda7585e07c0fcccb0c788299ab5a6a85881
Author: Phil Sutter <phil@nwl.cc>
Date: Sat Jul 27 16:04:31 2024 +0200
nft: Fix for zeroing existent builtin chains
Previous attempt at fixing for non-existent chains actually broke
functionality by adding a check for NFTNL_CHAIN_HANDLE right after
unsetting the attribute.
The approach was flawed for another reason, too: Base chains added in
the same batch (cf. iptables-restore) have no handle either but zeroing
them may still be sensible.
Instead, make use of the new fake chain annotation which identifies
fakes more reliably.
Fixes: f462975fb8049 ("nft: Fix for zeroing non-existent builtin chains")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index aa4b3f2..ad4c866 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3784,7 +3784,7 @@ static int __nft_chain_zero_counters(struct nft_chain *nc, void *data)
if (!o)
return -1;
/* may skip if it is a fake entry */
- o->skip = !nftnl_chain_is_set(c, NFTNL_CHAIN_HANDLE);
+ o->skip = nc->fake;
}
iter = nftnl_rule_iter_create(c);
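Review bot: the replacement line `o->skip = nc->fake;` only compiles if `struct nft_chain` already carries the `fake` member introduced by the companion change "nft: cache: Annotate faked base chains as such" listed in this build's changelog, so that patch must stay ahead of this one in the series; a short note on that ordering in the patch header (or a squash of the two) would avoid a bisect landing on a non-building tree. Since the fix being reverted here (f462975fb8049) regressed zeroing of builtin chains that do exist, and the message also names base chains created in the same batch (iptables-restore) as a case the old handle check got wrong, a test that zeroes counters on an existing builtin chain and on one defined in the same restore batch would guard both cases and keep the `/* may skip if it is a fake entry */` comment honest.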