From 84076f29fac33d06aaa4298a0ffb7b5468a995a4 Mon Sep 17 00:00:00 2001
From: Haw Loeung <haw.loeung@canonical.com>
Date: Fri, 31 Jan 2020 11:18:00 +1100
Subject: Handle when default chains already exists (#392)

---
 sshuttle/methods/nft.py | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/sshuttle/methods/nft.py b/sshuttle/methods/nft.py
index 7b14f76..59266af 100644
--- a/sshuttle/methods/nft.py
+++ b/sshuttle/methods/nft.py
@@ -1,5 +1,6 @@
 import socket
 from sshuttle.firewall import subnet_weight
+from sshuttle.helpers import Fatal, log
 from sshuttle.linux import nft, nft_get_handle, nonfatal
 from sshuttle.methods import BaseMethod
 
@@ -21,16 +22,19 @@ class Method(BaseMethod):
         def _nft(action, *args):
             return nft(family, table, action, *args)
 
-        chain = 'sshuttle-%s' % port
-
         # basic cleanup/setup of chains
         _nft('add table', '')
-        _nft('add chain', 'prerouting',
-             '{ type nat hook prerouting priority -100; policy accept; }')
-        _nft('add chain', 'postrouting',
-             '{ type nat hook postrouting priority 100; policy accept; }')
-        _nft('add chain', 'output',
-             '{ type nat hook output priority -100; policy accept; }')
+        # prerouting, postrouting, and output chains may already exist
+        for chain in ['prerouting', 'postrouting', 'output']:
+            rules = '{{ type nat hook {} priority -100; policy accept; }}' \
+                    .format(chain)
+            try:
+                _nft('add chain', chain, rules)
+            except Fatal:
+                log('Chain {} already exists, ignoring\n'.format(chain))
+
+        chain = 'sshuttle-%s' % port
+
         _nft('add chain', chain)
         _nft('flush chain', chain)
         _nft('add rule', 'output jump %s' % chain)
-- 
cgit v1.2.3