Intentionally garble iptables-nft output if we cannot dissect an expression that we've just encountered, rather than dump an error message on stderr. The idea here is that iptables-save | iptables-restore will fail, rather than restore an incomplete ruleset.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 iptables/nft-shared.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 97512e3f43ff..d1f891740c02 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -1169,6 +1169,8 @@ static void nft_parse_lookup(struct nft_xt_ctx *ctx, struct nft_handle *h,
 {
 	if (ctx->h->ops->parse_lookup)
 		ctx->h->ops->parse_lookup(ctx, e);
+	else
+		ctx->errmsg = "cannot handle lookup";
 }
 
 static void nft_parse_range(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -1245,9 +1247,11 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
 			nft_parse_log(&ctx, expr);
 		else if (strcmp(name, "range") == 0)
 			nft_parse_range(&ctx, expr);
+		else
+			printf("unknown expression %s", name);
 
 		if (ctx.errmsg) {
-			fprintf(stderr, "%s", ctx.errmsg);
+			printf("[%s]", ctx.errmsg);
 			ctx.errmsg = NULL;
 		}
 
-- 
2.37.4
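Review bot: The two new failure paths in nft_rule_to_iptables_command_state are printed inconsistently: an unrecognised expression is emitted bare via `printf("unknown expression %s", name);` while a parser-reported problem is bracketed via `printf("[%s]", ctx.errmsg);`, so only the latter is visibly marked as a deliberate garble in the saved line. Using the same shape for both, `printf("[unknown expression %s]", name);`, makes the marker greppable and keeps the lookup case from the first hunk (which only sets `ctx->errmsg = "cannot handle lookup";`) and the unknown-expression case indistinguishable in form. The change also drops the only stderr diagnostic: a later iptables-restore will fail on the garbled line, but the operator running iptables-save gets no hint why, so keeping an `fprintf(stderr, ...)` alongside the stdout marker would preserve diagnosability without weakening the fail-closed intent. If this function is also reached from plain listing paths rather than only from save, those listings would presumably carry the marker too; worth confirming that is acceptable. The enclosing function and its expression loop start and end outside the hunk.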