Plan is to continue and print as much as possible, with a clear indication/error message when something cannot be decoded.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables/nft.c | 66 ++---------------------------------------
 iptables/nft.h | 2 --
 iptables/xtables-save.c | 6 +---
 3 files changed, 3 insertions(+), 71 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 4c0110bb8040..d33591a73616 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3771,66 +3771,6 @@ uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag)
 return NFT_CMP_EQ;
 }
-static const char *supported_exprs[] = {
- "match",
- "target",
- "payload",
- "meta",
- "cmp",
- "bitwise",
- "counter",
- "immediate",
- "lookup",
- "range",
-};
-
-
-static int nft_is_expr_compatible(struct nftnl_expr *expr, void *data)
-{
- const char *name = nftnl_expr_get_str(expr, NFTNL_EXPR_NAME);
- int i;
-
- for (i = 0; i < ARRAY_SIZE(supported_exprs); i++) {
- if (strcmp(supported_exprs[i], name) == 0)
- return 0;
- }
-
- if (!strcmp(name, "limit") &&
- nftnl_expr_get_u32(expr, NFTNL_EXPR_LIMIT_TYPE) == NFT_LIMIT_PKTS &&
- nftnl_expr_get_u32(expr, NFTNL_EXPR_LIMIT_FLAGS) == 0)
- return 0;
-
- if (!strcmp(name, "log") &&
- nftnl_expr_is_set(expr, NFTNL_EXPR_LOG_GROUP))
- return 0;
-
- return -1;
-}
-
-static int nft_is_rule_compatible(struct nftnl_rule *rule, void *data)
-{
- return nftnl_expr_foreach(rule, nft_is_expr_compatible, NULL);
-}
-
-static int nft_is_chain_compatible(struct nft_chain *nc, void *data)
-{
- struct nftnl_chain *c = nc->nftnl;
-
- return nftnl_rule_foreach(c, nft_is_rule_compatible, NULL);
-}
-
-bool nft_is_table_compatible(struct nft_handle *h,
- const char *table, const char *chain)
-{
- if (chain) {
- struct nft_chain *c = nft_chain_find(h, table, chain);
-
- return c && !nft_is_chain_compatible(c, h);
- }
-
- return !nft_chain_foreach(h, table, nft_is_chain_compatible, h);
-}
-
 bool nft_is_table_tainted(struct nft_handle *h, const char *table)
 {
 const struct builtin_table *t = nft_table_builtin_find(h, table);
@@ -3843,10 +3783,8 @@ void nft_assert_table_compatible(struct nft_handle *h,
 {
 const char *pfx = "", *sfx = "";
- if (nft_is_table_compatible(h, table, chain)) {
- if (nft_is_table_tainted(h, table))
- printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n",
- table);
+ if (nft_is_table_tainted(h, table)) {
+ printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n", table);
 return;
 }
diff --git a/iptables/nft.h b/iptables/nft.h
index 68b0910c8e18..4f742dbaf180 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -263,8 +263,6 @@ int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
 void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);
-bool nft_is_table_compatible(struct nft_handle *h,
- const char *table, const char *chain);
 bool nft_is_table_tainted(struct nft_handle *h, const char *table);
 void nft_assert_table_compatible(struct nft_handle *h,
 const char *table, const char *chain);
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 5a82cac5dd7c..c9f87322834b 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -74,11 +74,7 @@ __do_output(struct nft_handle *h, const char *tablename, void *data)
 if (!nft_table_builtin_find(h, tablename))
 return 0;
- if (!nft_is_table_compatible(h, tablename, NULL)) {
- printf("# Table `%s' is incompatible, use 'nft' tool.\n",
- tablename);
- return 0;
- } else if (nft_is_table_tainted(h, tablename)) {
+ if (nft_is_table_tainted(h, tablename)) {
 printf("# Table `%s' contains incompatible base-chains, use 'nft' tool to list them.\n",
 tablename);
 }
--
2.37.4
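Review bot: In nft_assert_table_compatible the early `return;` now sits inside `if (nft_is_table_tainted(h, table)) {`, so a table that is not tainted no longer returns here and runs on into the part of the function below this hunk. Before the change every compatible table returned at this point, tainted or not. The rest of the body is outside the hunk, but `pfx` and `sfx` are still declared, which suggests the "incompatible" error path is still present; if so, every untainted table would now reach it. Keeping the return unconditional avoids that, i.e. `if (nft_is_table_tainted(h, table))` guarding only the `printf(...)`, followed by a plain `return;`, with the then-unreachable tail removed in the same patch.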
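Review bot: `__do_output` loses its only guard against tables holding expressions the translator does not understand, and nothing in this hunk adds the per-rule indication that the description promises. Save output is routinely fed back to a restore command, so a dump that omits or mangles a rule without marking it can end up replacing a ruleset with a weaker one. Whether the rule-printing path already reports decode failures is not visible here; if it does not, the failure should be written as a `#` comment next to the affected rule and reflected in a non-zero exit status. A comment above the remaining check, such as `/* tables are always dumped; rules that cannot be decoded must be flagged by the rule printer */`, would record the new contract. The function body continues outside the hunk.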