[Bug 1242] New: noflush actually flushes in case of custom chain

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Apr 9 12:54:32 CEST 2018


https://bugzilla.netfilter.org/show_bug.cgi?id=1242

            Bug ID: 1242
           Summary: noflush actually flushes in case of custom chain
           Product: iptables
           Version: unspecified
          Hardware: All
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables-restore
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: assafcw at gmail.com

Caught while trying to restore iptables with docker chains using:

iptables-restore -n -c MYFILE

The file might look like:
*nat
:DOCKER
COMMIT

where the DOCKER chain already has rules in it; when restored, it will be
flushed.

While in the case of builtin chains, it will not flush and will duplicate the
entry. For instance:
*nat
-I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT

I believe the bug is in
iptables-restore.c
line 369

                if (noflush && ops->is_chain(chain, handle)) {
                    DEBUGP("Flushing existing user defined chain '%s'\n", chain);
                    if (!ops->flush_entries(chain, handle))
                        xtables_error(PARAMETER_PROBLEM,
                               "error flushing chain "
                               "'%s':%s\n", chain,
                               strerror(errno));

where it should be if (!noflush && ops->...
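A small reproduction script for the behaviour described in this report, added here as an example; it is not part of the bug report or of iptables. It assumes iptables and iptables-restore are installed and that it is run as root (or with CAP_NET_ADMIN) when invoked with --run. The scratch chain name NOFLUSHTEST is made up for the check, and the chain declaration uses the full `:CHAIN - [0:0]` form that iptables-restore accepts for a user-defined chain.

```shell
#!/bin/sh
# Verify whether "iptables-restore -n" preserves the contents of an existing
# user-defined chain when the restore file only declares that chain.
# Added example; assumes root and iptables tools when run with --run.
set -eu

TABLE=nat
CHAIN=NOFLUSHTEST   # constructed scratch chain, removed again at the end

# Build the minimal restore input from the report: a table block that
# declares the chain and nothing else. Under -n this must not flush CHAIN.
build_restore_input() {   # $1 = table, $2 = chain
    printf '*%s\n:%s - [0:0]\nCOMMIT\n' "$1" "$2"
}

# Count the rules currently present in a chain ("-A CHAIN ..." lines only).
count_rules() {           # $1 = table, $2 = chain
    iptables -t "$1" -S "$2" | grep -c "^-A $2 " || true
}

# Compare rule counts before and after the restore. Returns 1 when rules
# disappeared, i.e. noflush flushed the chain (the bug in this report).
verdict() {               # $1 = rules before, $2 = rules after
    if [ "$2" -lt "$1" ]; then
        echo "BUG: chain was flushed under -n ($1 -> $2 rules)"
        return 1
    fi
    echo "OK: chain contents preserved under -n ($1 -> $2 rules)"
}

cleanup() {
    iptables -t "$TABLE" -F "$CHAIN" 2>/dev/null || true
    iptables -t "$TABLE" -X "$CHAIN" 2>/dev/null || true
}

main() {
    iptables -t "$TABLE" -N "$CHAIN" 2>/dev/null || true
    iptables -t "$TABLE" -A "$CHAIN" -j RETURN      # one harmless rule
    before=$(count_rules "$TABLE" "$CHAIN")
    # -n (noflush) and -c (counters), exactly as in the report
    build_restore_input "$TABLE" "$CHAIN" | iptables-restore -n -c
    after=$(count_rules "$TABLE" "$CHAIN")
    status=0
    verdict "$before" "$after" || status=$?
    cleanup
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh noflush-check.sh --run` on a host where the fix is in question; a non-zero exit with the "BUG" line means the chain declaration flushed the existing rules despite -n. Nothing touches the firewall unless --run is given.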
