From 4cf8be08e30ad05735a9200026125289e40532c6 Mon Sep 17 00:00:00 2001
From: Alex Hermann
Date: Mon, 29 Jan 2024 16:18:25 +0100
Subject: [PATCH] MT#55283 Do not remove jumps to custom chain if base chain is "none"

If base chain is "none", the admin is responsible for jumping into the custom chain. Don't remove jumps the admin migth have setup.

closes #1787

Change-Id: I9980acb12fb1abb0883b22aceab2719087768763
---
daemon/nftables.c | 44 ++++++++++++++++++++++++--------------------
1 file changed, 24 insertions(+), 20 deletions(-)

diff --git a/daemon/nftables.c b/daemon/nftables.c
index 42f94cba6..ed8dbd66f 100644
--- a/daemon/nftables.c
+++ b/daemon/nftables.c
@@ -518,27 +518,31 @@ static const char *delete_chain(struct mnl_socket *nl, int family, uint32_t *seq
 static const char *nftables_shutdown_family(struct mnl_socket *nl, int family, uint32_t *seq, const char *chain, const char *base_chain, nftables_args *dummy) {
- // clean up rules in legacy `INPUT` chain
- const char *err = iterate_rules(nl, family, "INPUT", seq,
- &(struct iterate_callbacks) {
- .parse_expr = match_immediate_rtpe,
- .chain = chain,
- .rule_final = check_immediate,
- .iterate_final = iterate_delete_rules,
- });
- if (err)
- return err;
+ const char *err;
- // clean up rules in `input` chain
- err = iterate_rules(nl, family, "input", seq,
- &(struct iterate_callbacks) {
- .parse_expr = match_immediate_rtpe,
- .chain = chain,
- .rule_final = check_immediate,
- .iterate_final = iterate_delete_rules,
- });
- if (err)
- return err;
+ if (!base_chain || strcmp(base_chain, "none")) {
+ // clean up rules in legacy `INPUT` chain
+ err = iterate_rules(nl, family, "INPUT", seq,
+ &(struct iterate_callbacks) {
+ .parse_expr = match_immediate_rtpe,
+ .chain = chain,
+ .rule_final = check_immediate,
+ .iterate_final = iterate_delete_rules,
+ });
+ if (err)
+ return err;
+
+ // clean up rules in `input` chain
+ err = iterate_rules(nl, family, "input", seq,
+ &(struct iterate_callbacks) {
+ .parse_expr = match_immediate_rtpe,
+ .chain = chain,
+ .rule_final = check_immediate,
+ .iterate_final = iterate_delete_rules,
+ });
+ if (err)
+ return err;
+ }
 if (base_chain && strcmp(base_chain, "none")) {
 // clean up rules in other base chain chain if any
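Review bot: The new guard `if (!base_chain || strcmp(base_chain, "none"))` skips the legacy `INPUT`/`input` cleanup without saying why, and the same `strcmp(base_chain, "none")` test is repeated in inverted form in the context line right after the closing brace; a comment such as `// base chain "none": the admin owns the jump rules into our chain, so leave them in place` above the guard, plus a single `bool manage_jumps = !base_chain || strcmp(base_chain, "none") != 0;` used by both conditions, would make the intent and the pairing explicit. Writing the comparison as `strcmp(...) != 0` also reads more clearly than relying on the raw return value as a boolean. One behavioural consequence worth confirming: with "none" configured, jump rules installed by an earlier run under a different base-chain setting are now kept too, and as far as I know nftables refuses to delete a chain that is still referenced by a jump, so if the remainder of nftables_shutdown_family deletes the custom chain, a stale jump would surface as an error there rather than being cleaned up here. The function body continues outside the hunk, so I could not check that path.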