On Fri, Apr 12, 2019 at 11:09:25AM +0200, Florian Westphal wrote:
> When we process a long ruleset of the form
>
> chain input {
> type filter hook input priority filter; policy drop;
> ...
> }
>
> Then the base chain gets registered early on, we then continue to
> process/validate the next messages coming in the same transaction.
>
> Problem is that if the base chain policy is 'drop', it will take effect
> immediately, which causes all traffic to get blocked until the
> transaction completes or is aborted.
>
> Fix this by deferring the policy until the transaction has been
> processed and all of the rules have been flagged as active.

Applied to nf, thanks Florian.
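
The window described in the quoted commit message, as an added toy model in C (not kernel code and not part of the patch): it counts packets dropped while a long ruleset is still being processed, with the drop policy applied at chain registration versus deferred to commit. The `struct chain` fields, `eval` and `load_ruleset` are hypothetical names, and the model assumes one packet arrives per rule message and that each packet would match an accept rule in the ruleset.

```c
#include <stdbool.h>
#include <stdio.h>

enum verdict { V_ACCEPT, V_DROP };

/* Toy base chain; field names are illustrative, not the kernel's. */
struct chain {
    enum verdict policy;   /* policy enforced right now */
    int rules;             /* accept rules received so far */
    bool rules_active;     /* rules only match after commit */
};

/* Verdict for a packet that one of the loaded accept rules would match. */
static enum verdict eval(const struct chain *c)
{
    return (c->rules_active && c->rules > 0) ? V_ACCEPT : c->policy;
}

/* Process one transaction: base chain with 'policy drop', then nrules rules.
 * One packet arrives after each rule message. Returns how many of those
 * packets were dropped before the commit. */
int load_ruleset(struct chain *c, int nrules, bool defer_policy)
{
    int dropped = 0;

    /* Chain registered: the hook sees traffic from here on. */
    c->policy = defer_policy ? V_ACCEPT : V_DROP;
    c->rules = 0;
    c->rules_active = false;

    for (int i = 0; i < nrules; i++) {
        c->rules++;                    /* validated, not yet active */
        if (eval(c) == V_DROP)
            dropped++;
    }

    c->rules_active = true;            /* commit: rules flagged active */
    c->policy = V_DROP;                /* requested policy now in force */
    return dropped;
}

int main(void)
{
    struct chain c;
    printf("immediate policy: %d dropped\n", load_ruleset(&c, 1000, false));
    printf("deferred policy:  %d dropped\n", load_ruleset(&c, 1000, true));
    return 0;
}
```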