Commit f8e29a13fed8d ("xtables: avoid bogus 'is incompatible' warning") fixed for compatibility checking to extend over all chains, not just the relevant ones. This patch does the same for rules: Make sure only rules belonging to the relevant table are being considered. Note that comparing the rule's table name is sufficient here since the table family is already considered when populating the rule cache. Signed-off-by: Phil Sutter <phil@xxxxxx> --- iptables/nft.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/iptables/nft.c b/iptables/nft.c index 77ad38bea5211..61bed52548907 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -3219,9 +3219,15 @@ bool nft_is_table_compatible(struct nft_handle *h, const char *tablename) rule = nftnl_rule_list_iter_next(iter); while (rule != NULL) { + const char *table = nftnl_rule_get_str(rule, NFTNL_RULE_TABLE); + + if (strcmp(table, tablename)) + goto next_rule; + ret = nft_is_rule_compatible(rule); if (ret != 0) break; +next_rule: rule = nftnl_rule_list_iter_next(iter); } -- 2.18.0
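Review bot: In the loop body of nft_is_table_compatible(), the result of `nftnl_rule_get_str(rule, NFTNL_RULE_TABLE)` is passed straight to `strcmp()` without a NULL check. nftnl_rule_get_str() returns NULL when the attribute is not set on the rule, so a guard such as `if (!table || strcmp(table, tablename))` would make a cached rule without a table name get skipped instead of crashing the compatibility check. Separately, the `goto next_rule` and its label could be avoided by turning the `while` into a `for` loop that advances the iterator in its increment expression and using `continue` for the skip, which keeps the single `nftnl_rule_list_iter_next(iter)` call out of the loop body.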