45 lines
1.7 KiB
Diff
45 lines
1.7 KiB
Diff
From 8be561d26931832f000526cc41293700faa6c877 Mon Sep 17 00:00:00 2001
|
|
From: Eric Garver <eric@garver.life>
|
|
Date: Mon, 14 Aug 2023 09:13:29 -0400
|
|
Subject: [PATCH] chore(nftables): add delete table helper
|
|
|
|
This is to workaround an nftables issue where using the "delete" verb on
|
|
a table that does not exist will throw ENOENT. We can't use the newer
|
|
"destroy" verb because it's too new to rely upon.
|
|
|
|
A simple hack is to always add the table before deleting it. The "add"
|
|
is ignored if the table already exists.
|
|
|
|
Conflict: NA
|
|
Reference: https://github.com/firewalld/firewalld/commit/8be561d26931832f000526cc41293700faa6c877
|
|
|
|
---
|
|
src/firewall/core/nftables.py | 11 +++++++++++
|
|
1 file changed, 11 insertions(+)
|
|
|
|
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
index f269afa9..ce8cb5e7 100644
|
|
--- a/src/firewall/core/nftables.py
|
|
+++ b/src/firewall/core/nftables.py
|
|
@@ -383,6 +383,17 @@ class nftables:
|
|
# Tables always exist in nftables
|
|
return [table] if table else IPTABLES_TO_NFT_HOOK.keys()
|
|
|
|
+ def _build_delete_table_rules(self, table):
|
|
+ # To avoid nftables returning ENOENT we always add the table before
|
|
+ # deleting to guarantee it will exist.
|
|
+ #
|
|
+ # In the future, this add+delete should be replaced with "destroy", but
|
|
+ # that verb is too new to rely upon.
|
|
+ return [{"add": {"table": {"family": "inet",
|
|
+ "name": table}}},
|
|
+ {"delete": {"table": {"family": "inet",
|
|
+ "name": table}}}]
|
|
+
|
|
def build_flush_rules(self):
|
|
# Policy is stashed in a separate table that we're _not_ going to
|
|
# flush. As such, we retain the policy rule handles and ref counts.
|
|
--
|
|
2.33.0
|
|
|