bugzilla-daemon at netfilter.org
2018-Apr-09  10:54 UTC
[Bug 1242] New: noflush actually flushes in case of custom chain
https://bugzilla.netfilter.org/show_bug.cgi?id=1242
            Bug ID: 1242
           Summary: noflush actually flushes in case of custom chain
           Product: iptables
           Version: unspecified
          Hardware: All
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables-restore
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: assafcw at gmail.com
Caught while trying to restore iptables with docker chains using:
iptables-restore -n -c MYFILE
The file might look like
*nat
:DOCKER
COMMIT
where the DOCKER chain already has rules in it; when restored, it will be flushed,
while in the case of builtin chains it will not flush but will duplicate the entry.
For instance:
*nat
-I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
I believe the bug is in iptables-restore.c, line 369:
                if (noflush && ops->is_chain(chain, handle)) {
                    DEBUGP("Flushing existing user defined chain '%s'\n", chain);
                    if (!ops->flush_entries(chain, handle))
                        xtables_error(PARAMETER_PROBLEM,
                                      "error flushing chain "
                                      "'%s':%s\n", chain,
                                      strerror(errno));
where it should be if (!noflush && ops->...
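To make the behaviour the report describes concrete, the following is a constructed Python model of the quoted ':' line handling (an added illustration written for this page, not iptables code and not the reporter's): under -n, a ':' line for an already existing user-defined chain empties it, while a rule for a builtin chain is simply added again, so the same fragment restored twice duplicates it.

```python
# Constructed model of iptables-restore's treatment of ':chain' lines.
# Assumption: builtin chains are never touched by ':' lines, as the report states.
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}


def restore(tables, dump, noflush):
    """Apply an iptables-save style dump to `tables` (table -> chain -> rules).

    Without -n the whole table is reset first (builtins emptied, user chains
    dropped).  With -n a ':' line flushes an existing user-defined chain or
    creates a missing one, and rules for builtin chains are just added again.
    """
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # table header, e.g. *nat
            table = line[1:]
            chains = tables.setdefault(table, {})
            if not noflush:
                for name in list(chains):
                    if name in BUILTIN:
                        chains[name] = []
                    else:
                        del chains[name]
            continue
        chains = tables[table]
        if line.startswith(":"):                       # chain line, e.g. :DOCKER - [0:0]
            name = line[1:].split()[0]
            if name in BUILTIN:
                chains.setdefault(name, [])            # builtin: left untouched
            else:
                chains[name] = []                      # flushed if present, else created
            continue
        verb, name, *rest = line.split(" ", 2)         # -A/-I <chain> <rule>
        rule = rest[0] if rest else ""
        if verb == "-A":
            chains[name].append(rule)
        elif verb == "-I":
            chains[name].insert(0, rule)
    return tables


def demo():
    # Constructed live ruleset: DOCKER already holds a rule and PREROUTING jumps to it.
    live = {"nat": {"PREROUTING": ["-m addrtype --dst-type LOCAL -j DOCKER"],
                    "DOCKER": ["-p tcp --dport 8080 -j DNAT --to 172.17.0.2:80"]}}
    restore(live, "*nat\n:DOCKER - [0:0]\nCOMMIT\n", noflush=True)      # DOCKER emptied
    restore(live, "*nat\n-I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER\nCOMMIT\n",
            noflush=True)                                                # rule duplicated
    return live
```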
bugzilla-daemon at netfilter.org
2019-Jul-04  12:16 UTC
[Bug 1242] noflush actually flushes in case of custom chain
https://bugzilla.netfilter.org/show_bug.cgi?id=1242
Shaun Crampton <shaun at tigera.io> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |shaun at tigera.io
--- Comment #1 from Shaun Crampton <shaun at tigera.io> ---
I work on the project Calico network policy engine; we rely on the current
behaviour. Please give me a heads up if the behaviour is going to be changed to
allow for ":chain" lines that don't flush the chain.