From 3a80ac63557c83001fa9f9bd271d16efa45e9327 Mon Sep 17 00:00:00 2001
From: Alex Hermann
Date: Mon, 29 Jan 2024 16:18:25 +0100
Subject: [PATCH] MT#55283 Do not remove jumps to custom chain if base chain is "none"

If base chain is "none", the admin is responsible for jumping into the custom chain. Don't remove jumps the admin migth have setup.

closes #1787

Change-Id: I9980acb12fb1abb0883b22aceab2719087768763
(cherry picked from commit 4cf8be08e30ad05735a9200026125289e40532c6)
---
 daemon/nftables.c | 44 ++++++++++++++++++++++++--------------------
 1 file changed, 24 insertions(+), 20 deletions(-)

diff --git a/daemon/nftables.c b/daemon/nftables.c
index 8630ff109..9f3baf99a 100644
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
@@ -531,27 +531,31 @@ static const char *delete_chain(struct mnl_socket *nl, int family, uint32_t *seq
 static const char *nftables_shutdown_family(struct mnl_socket *nl, int family, uint32_t *seq,
 const char *chain, const char *base_chain, nftables_args *dummy)
 {
- // clean up rules in legacy `INPUT` chain
- const char *err = iterate_rules(nl, family, "INPUT", seq,
- &(struct iterate_callbacks) {
- .parse_expr = match_immediate_rtpe,
- .chain = chain,
- .rule_final = check_immediate,
- .iterate_final = iterate_delete_rules,
- });
- if (err)
- return err;
+ const char *err;
 
- // clean up rules in `input` chain
- err = iterate_rules(nl, family, "input", seq,
- &(struct iterate_callbacks) {
- .parse_expr = match_immediate_rtpe,
- .chain = chain,
- .rule_final = check_immediate,
- .iterate_final = iterate_delete_rules,
- });
- if (err)
- return err;
+ if (!base_chain || strcmp(base_chain, "none")) {
+ // clean up rules in legacy `INPUT` chain
+ err = iterate_rules(nl, family, "INPUT", seq,
+ &(struct iterate_callbacks) {
+ .parse_expr = match_immediate_rtpe,
+ .chain = chain,
+ .rule_final = check_immediate,
+ .iterate_final = iterate_delete_rules,
+ });
+ if (err)
+ return err;
+
+ // clean up rules in `input` chain
+ err = iterate_rules(nl, family, "input", seq,
+ &(struct iterate_callbacks) {
+ .parse_expr = match_immediate_rtpe,
+ .chain = chain,
+ .rule_final = check_immediate,
+ .iterate_final = iterate_delete_rules,
+ });
+ if (err)
+ return err;
+ }
 
 if (base_chain && strcmp(base_chain, "none")) {
 // clean up rules in other base chain chain if any
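Review bot: The new `if (!base_chain || strcmp(base_chain, "none"))` guard carries no comment saying why a base chain of `none` skips the `INPUT`/`input` cleanup; that rationale lives only in the commit message, so a reader of the code meets an unexplained special case. I would put `// base_chain "none": the admin owns the jump into our chain, so leave it in place` directly above the guard. The same `strcmp(base_chain, "none")` test is then repeated in the following `if`, so the two conditions can drift apart; hoisting it once as `bool manage_jumps = !base_chain || strcmp(base_chain, "none") != 0;` and testing `if (manage_jumps)` / `if (base_chain && manage_jumps)` keeps them tied together. The body of nftables_shutdown_family continues past the hunk; if it goes on to delete `chain` itself, that delete will presumably fail while the admin's jump still references it, which is worth confirming is handled or documented as the expected outcome of the `none` mode.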