[PATCH iptables 4/4] xtables-compat: only validate the xtables builtin tables

This allows xtables-compat to list all builtin tables unless one
contains nft-specific expressions.

Tables that do not exist in xtables world are not printed anymore
(but a small hint is shown that such non-printable table(s) exist).

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables/nft.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 7c1e19d60c07..b3d9646d5d7c 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2827,7 +2827,10 @@ static int nft_are_chains_compatible(struct nft_handle *h)
 
 	chain = nftnl_chain_list_iter_next(iter);
 	while (chain != NULL) {
-		if (!nft_chain_builtin(chain))
+		const char *table = nftnl_chain_get(chain, NFTNL_CHAIN_TABLE);
+
+		if (!nft_chain_builtin(chain) ||
+		    !nft_is_table_compatible(h, table))
 			goto next;
 
 		ret = nft_is_chain_compatible(h, chain);
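Review bot: the table name here is fetched with the untyped nftnl_chain_get() and assigned to a const char *, while the second hunk of this same patch uses the typed nftnl_rule_get_str(); using nftnl_chain_get_str(chain, NFTNL_CHAIN_TABLE) would make both lookups read the same way and avoid the implicit void-to-char conversion. The ordering of the new condition is correct, since nft_chain_builtin() short-circuits the `||` before nft_is_table_compatible() runs for non-builtin chains, but a short comment saying that the second test skips chains living in tables that have no iptables counterpart would protect that intent if someone later reorders the expression.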
@@ -2876,10 +2879,14 @@ int nft_is_ruleset_compatible(struct nft_handle *h)
 
 	rule = nftnl_rule_list_iter_next(iter);
 	while (rule != NULL) {
+		if (!nft_is_table_compatible(h,
+		     nftnl_rule_get_str(rule, NFTA_RULE_TABLE)))
+			goto next;
+
 		ret = nft_is_rule_compatible(rule);
 		if (ret != 0)
 			break;
-
+next:
 		rule = nftnl_rule_list_iter_next(iter);
 	}
 
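Review bot: nftnl_rule_get_str(rule, NFTA_RULE_TABLE) passes a kernel netlink attribute constant (the NFTA_RULE_* enum from linux/netfilter/nf_tables.h) to a libnftnl getter that takes the library's own NFTNL_RULE_* attribute enum; the first hunk uses the matching libnftnl constant NFTNL_CHAIN_TABLE, so this should read nftnl_rule_get_str(rule, NFTNL_RULE_TABLE). If it compiles and works as posted, that is only because the two enumerations happen to agree on the numeric value for the table attribute, which is not something to rely on. The removed blank line and the new `next:` label directly after `break;` are fine as is.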
-- 
2.16.1
