Use nft_is_table_compatible instead as only helper to a 'skip' decision.
Custom tables, tables that have extra base chains that iptables
syntax doesn't allow or rules that have special constructs line nftables
set lookups or verdict maps are not listed, but a message is provided
to show that such table exists.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
iptables/nft.c | 62 +++++++++++++++++++++----------------------------
iptables/nft.h | 1 -
iptables/xtables-save.c | 7 ------
iptables/xtables.c | 6 -----
4 files changed, 27 insertions(+), 49 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 5204112c786e..b6426a96de18 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2069,6 +2069,11 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
ops = nft_family_ops_lookup(h->family);
+ if (!nft_is_table_compatible(h, table)) {
+ xtables_error(OTHER_PROBLEM, "table `%s' is incompatible, use 'nft' tool.\n", table);
+ return 0;
+ }
+
if (chain && rulenum) {
__nft_rule_list(h, chain, table,
rulenum, format, ops->print_firewall);
@@ -2741,15 +2746,15 @@ static int nft_is_expr_compatible(const char *name)
return 1;
}
-static int nft_is_rule_compatible(struct nftnl_rule *rule)
+static bool nft_is_rule_compatible(struct nftnl_rule *rule)
{
struct nftnl_expr_iter *iter;
struct nftnl_expr *expr;
- int ret = 0;
+ bool compatible = false;
iter = nftnl_expr_iter_create(rule);
if (iter == NULL)
- return -1;
+ return false;
expr = nftnl_expr_iter_next(iter);
while (expr != NULL) {
@@ -2760,12 +2765,12 @@ static int nft_is_rule_compatible(struct nftnl_rule *rule)
continue;
}
- ret = 1;
+ compatible = true;
break;
}
nftnl_expr_iter_destroy(iter);
- return ret;
+ return compatible;
}
static int nft_is_chain_compatible(const struct nft_handle *h,
@@ -2804,14 +2809,14 @@ static int nft_is_chain_compatible(const struct nft_handle *h,
return 1;
}
-static int nft_are_chains_compatible(struct nft_handle *h)
+static int nft_are_chains_compatible(struct nft_handle *h, const char *tablename)
{
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
struct nftnl_chain *chain;
int ret = 0;
- list = nftnl_chain_list_get(h, NULL);
+ list = nftnl_chain_list_get(h, tablename);
if (list == NULL)
return -1;
@@ -2821,10 +2826,7 @@ static int nft_are_chains_compatible(struct nft_handle *h)
chain = nftnl_chain_list_iter_next(iter);
while (chain != NULL) {
- const char *table = nftnl_chain_get(chain, NFTNL_CHAIN_TABLE);
-
- if (!nft_chain_builtin(chain) ||
- !nft_is_table_compatible(h, table))
+ if (!nft_chain_builtin(chain))
goto next;
ret = nft_is_chain_compatible(h, chain);
@@ -2839,51 +2841,41 @@ next:
return ret;
}
-bool nft_is_table_compatible(struct nft_handle *h, const char *name)
+bool nft_is_table_compatible(struct nft_handle *h, const char *tablename)
{
- int i;
+ struct nftnl_rule_list *list;
+ struct nftnl_rule_list_iter *iter;
+ struct nftnl_rule *rule;
+ int ret = 0, i;
for (i = 0; i < TABLES_MAX; i++) {
- if (strcmp(h->tables[i].name, name) == 0)
- return true;
+ if (strcmp(h->tables[i].name, tablename) == 0)
+ break;
}
- return false;
-}
-
-int nft_is_ruleset_compatible(struct nft_handle *h)
-{
-
- struct nftnl_rule_list *list;
- struct nftnl_rule_list_iter *iter;
- struct nftnl_rule *rule;
- int ret = 0;
+ if (i == TABLES_MAX)
+ return false;
- ret = nft_are_chains_compatible(h);
+ ret = nft_are_chains_compatible(h, tablename);
if (ret != 0)
- return ret;
+ return false;
list = nft_rule_list_get(h);
if (list == NULL)
- return -1;
+ return true;
iter = nftnl_rule_list_iter_create(list);
if (iter == NULL)
- return -1;
+ return true;
rule = nftnl_rule_list_iter_next(iter);
while (rule != NULL) {
- if (!nft_is_table_compatible(h,
- nftnl_rule_get_str(rule, NFTA_RULE_TABLE)))
- goto next;
-
ret = nft_is_rule_compatible(rule);
if (ret != 0)
break;
-next:
rule = nftnl_rule_list_iter_next(iter);
}
nftnl_rule_list_iter_destroy(iter);
- return ret;
+ return ret == 0;
}
diff --git a/iptables/nft.h b/iptables/nft.h
index af229233025c..5d0576c8ee45 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -182,7 +182,6 @@ int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);
-int nft_is_ruleset_compatible(struct nft_handle *h);
bool nft_is_table_compatible(struct nft_handle *h, const char *name);
#endif
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 2305e878d1ea..be98b8350aaa 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -182,13 +182,6 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
exit(EXIT_FAILURE);
}
-
- ret = nft_is_ruleset_compatible(&h);
- if (ret) {
- printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
- exit(EXIT_FAILURE);
- }
-
if (dump) {
do_output(&h, tablename, show_counters);
exit(0);
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 5410952a385e..7476c974451a 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1225,12 +1225,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
case CMD_LIST:
case CMD_LIST|CMD_ZERO:
case CMD_LIST|CMD_ZERO_NUM:
- ret = nft_is_ruleset_compatible(h);
- if (ret) {
- printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
- exit(EXIT_FAILURE);
- }
-
ret = list_entries(h, p.chain, p.table, p.rulenum,
cs.options & OPT_VERBOSE,
cs.options & OPT_NUMERIC,
--
2.16.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
