bug: GetRule returns entries for all chains, not the one provided about nftables HOT 7 OPEN

Maybe a similar commit to fdd795d might be needed?

Haven’t looked at it, and won’t have time to do so either, so I’ll rely on a PR to fix this.

from nftables.

we can fix this problem by add a judgment at rule.go line 87:

var rules []*Rule
for _, msg := range reply {
    r, err := ruleFromMsg(msg)
    if err != nil {
	    return nil, err
    }

    if r.Table.Name == t.Name && r.Table.Family == t.Family && r.Chain.Name == c.Name {
	    rules = append(rules, r)
    }
}

Apart from this，we need to fix ruleFromMsg method by add a assignment statement at rule.go line 295:

case unix.NFTA_RULE_TABLE:
    r.Table = &Table{Name: ad.String()}
    r.Table.Family = TableFamily(msg.Data[0])

this line is aim to return a rule's father table's net family attr, instead of return all 0 back to user， thus we could make a judgment on the protocol cluster of the target table and the obtained tables, at the end of it, we can successfully get the rules for a specific table and a specific chain.

and the other fix will be push to my fork repo github.com/RandolphCYG/nftables

from nftables.

Here is the relevant function https://github.com/greenpau/cni-plugins/blob/dnat/pkg/utils/get_chain_props.go

from nftables.

There is another aspect for this. There is no regards as to IPv4 vs. IPv6 chains ...

The filtering could happen here ...

One other though is that perhaps ruleFromMsg() needs to be looked into....

from nftables.

There is no "default" handling of various "AttributeDecoder" types.

from nftables.

Can you send your change as a pull request as well? Or is there any reason why it couldn’t be upstreamed? :)

from nftables.

Can you send your change as a pull request as well? Or is there any reason why it couldn’t be upstreamed? :)

hey, here comes my first pull request, could you help me check it ?

#133

from nftables.