When using custom nft tables + iptables-nft, `iptables-nft -L` may fail with:

  iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool.

That's incorrect. Problem is that the chain cache tracks ALL chains. The old compat-check only walked chains in the table to be checked (filter in this case), now we will see all other chains including base chains that live in another table (and now need to be skipped).

It seems better to extend the chain cache long-term to track chains per table instead.

Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
--- iptables/nft.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/iptables/nft.c b/iptables/nft.c index 07e15c7a16f2..347a4438e7bc 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -3006,7 +3006,12 @@ static int nft_are_chains_compatible(struct nft_handle *h, const char *tablename chain = nftnl_chain_list_iter_next(iter); while (chain != NULL) { - if (!nft_chain_builtin(chain)) + const char *chain_table; + + chain_table = nftnl_chain_get_str(chain, NFTNL_CHAIN_TABLE); + + if (strcmp(chain_table, tablename) || + !nft_chain_builtin(chain)) goto next; ret = nft_is_chain_compatible(h, chain); -- 2.16.4
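Review bot: the new `strcmp(chain_table, tablename)` in the loop body dereferences the result of `nftnl_chain_get_str(chain, NFTNL_CHAIN_TABLE)` without checking it; libnftnl getters return NULL when the attribute is not set on the object, so a chain cache entry without a table attribute would crash the compat check rather than be skipped. A defensive `if (!chain_table || strcmp(chain_table, tablename) || !nft_chain_builtin(chain)) goto next;` keeps the intended "skip anything not in this table" behaviour in that case. It would also help to add a one-line comment above the check saying the chain cache holds chains from every table, since the commit message explains that but the code at the call site does not, and the message already flags a per-table cache as the long-term fix.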