From 838a1561e4812601a35e294523c7aaf5361c60ef Mon Sep 17 00:00:00 2001

From: Eric Garver <e@erig.me>

Date: Tue, 13 Nov 2018 16:00:30 -0500

Subject: [PATCH 17/34] nftables: build rule_key properly for delete verb

When deleting a rule make sure to strip the index/position from the rule

string.

(cherry picked from commit 7b40ad43f120dd08176fb3c52cdc94722f0a72bb)

---

 src/firewall/core/nftables.py | 32 +++++++++++++++++---------------

 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py

index a1cb2c474737..47b1c27dc8cc 100644

--- a/src/firewall/core/nftables.py

+++ b/src/firewall/core/nftables.py

@@ -169,6 +169,21 @@ class nftables(object):

         nft_opts = ["--echo", "--handle"]

         _args = args[:]

+        def rule_key_from_rule(rule):

+            rule_key = rule[2:]

+            if rule_key[3] in ["position", "handle", "index"]:

+                # strip "position #"

+                # "insert rule family table chain position <num>"

+                #              ^^ rule_key starts here

+                try:

+                    int(rule_key[4])

+                except Exception:

+                    raise FirewallError(INVALID_RULE, "position without a number")

+                else:

+                    rule_key.pop(3)

+                    rule_key.pop(3)

+            return " ".join(rule_key)

+

         # If we're deleting a table (i.e. build_flush_rules())

         # then check if its exist first to avoid nft throwing an error

         if _args[0] == "delete" and _args[1] == "table":

@@ -181,23 +196,10 @@ class nftables(object):

         rule_key = None

         if _args[0] in ["add", "insert"] and _args[1] == "rule":

             rule_add = True

-            rule_key = _args[2:]

-            if rule_key[3] == "position":

-                # strip "position #"

-                # "insert rule family table chain position <num>"

-                #              ^^ rule_key starts here

-                try:

-                    int(rule_key[4])

-                except Exception:

-                    raise FirewallError(INVALID_RULE, "position without a number")

-                else:

-                    rule_key.pop(3)

-                    rule_key.pop(3)

-            rule_key = " ".join(rule_key)

+            rule_key = rule_key_from_rule(_args)

         elif _args[0] in ["delete"] and _args[1] == "rule":

             rule_add = False

-            rule_key = _args[2:]

-            rule_key = " ".join(rule_key)

+            rule_key = rule_key_from_rule(_args)

             # delete using rule handle

             _args = ["delete", "rule"] + _args[2:5] + \

                     ["handle", self.rule_to_handle[rule_key]]

-- 

2.18.0