authorFlorian Westphal <fw@strlen.de>2018-04-07 00:44:49 +0200
committerFlorian Westphal <fw@strlen.de>2018-04-09 22:53:09 +0200
commit9d9b724cab2276a1ffa43e8376f2ed10282d07da (patch)
tree331175080abfab6cdbdecd23f3484620e75577f0
parent59d15cfb8998074b2f6077fb5a4a5aea6a002bc7 (diff)
xtables-compat: skip unsupported tables
Instead of not listing anything at all if an unknown table name exists, just skip them. Output a small comment that the listing doesn't include the (unrecognized, nft-created) tables. Next patch will restrict 'is this table printable in xtables syntax' check to the "builtin" tables. Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--iptables/nft.c45
-rw-r--r--iptables/nft.h1
-rw-r--r--iptables/xtables-save.c8
-rw-r--r--iptables/xtables.c3
4 files changed, 14 insertions, 43 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index a73c72bd..7c1e19d6 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2842,49 +2842,16 @@ next:
return ret;
}
-static int nft_is_table_compatible(const char *name)
+bool nft_is_table_compatible(struct nft_handle *h, const char *name)
{
int i;
for (i = 0; i < TABLES_MAX; i++) {
- if (strcmp(xtables_ipv4[i].name, name) == 0)
- return 0;
- }
-
- return 1;
-}
-
-static int nft_are_tables_compatible(struct nft_handle *h)
-{
- struct nftnl_table_list *list;
- struct nftnl_table_list_iter *iter;
- struct nftnl_table *table;
- int ret = 0;
-
- list = nftnl_table_list_get(h);
- if (list == NULL)
- return -1;
-
- iter = nftnl_table_list_iter_create(list);
- if (iter == NULL)
- return -1;
-
- table = nftnl_table_list_iter_next(iter);
- while (table != NULL) {
- const char *name = nftnl_table_get(table, NFTNL_TABLE_NAME);
-
- if (nft_is_table_compatible(name) == 0) {
- table = nftnl_table_list_iter_next(iter);
- continue;
- }
-
- ret = 1;
- break;
+ if (strcmp(h->tables[i].name, name) == 0)
+ return true;
}
- nftnl_table_list_iter_destroy(iter);
- nftnl_table_list_free(list);
- return ret;
+ return false;
}
int nft_is_ruleset_compatible(struct nft_handle *h)
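Review bot: The rewritten nft_is_table_compatible (L26-L70) hands h->tables[i].name straight to strcmp for every index below TABLES_MAX, and nothing in the hunk shows that every slot of h->tables carries a non-NULL name; if a family can have fewer populated entries than TABLES_MAX, strcmp on a NULL pointer is undefined behaviour. A guard such as `if (h->tables[i].name && strcmp(h->tables[i].name, name) == 0)` makes the loop safe either way, or a comment stating the "always fully populated" invariant would do if it genuinely holds. The function also no longer consults the kernel's table list as the deleted nft_are_tables_compatible did: it now only answers whether name is one of the handle's builtin xtables table names, irrespective of whether such a table exists or what it contains. A short comment above the definition, e.g. `/* true if name is one of this handle's builtin xtables tables; does not inspect the live ruleset */`, would stop callers from reading it as a ruleset check.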
@@ -2895,10 +2862,6 @@ int nft_is_ruleset_compatible(struct nft_handle *h)
struct nftnl_rule *rule;
int ret = 0;
- ret = nft_are_tables_compatible(h);
- if (ret != 0)
- return ret;
-
ret = nft_are_chains_compatible(h);
if (ret != 0)
return ret;
diff --git a/iptables/nft.h b/iptables/nft.h
index 41265930..310cedec 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -183,5 +183,6 @@ int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);
int nft_is_ruleset_compatible(struct nft_handle *h);
+bool nft_is_table_compatible(struct nft_handle *h, const char *name);
#endif
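Review bot: The prototype added on L89 returns bool, which only compiles where <stdbool.h> is already visible; the header's include block is outside this hunk, so I cannot tell whether nft.h provides it or relies on each including .c file having pulled it in first. If it is not there, add `#include <stdbool.h>` next to the header's other includes so nft.h stays self-contained. The symbol is also newly public with no comment on what it checks; a one-line Doxygen note that it matches only against the handle's builtin table names, not the live ruleset, would help callers.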
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 5b498b04..893b2b93 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -52,6 +52,11 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
return 0;
}
+ if (!nft_is_table_compatible(h, tablename)) {
+ printf("# Table `%s' is incompatible, use 'nft' tool.\n", tablename);
+ return 1;
+ }
+
chain_list = nft_chain_dump(h);
time_t now = time(NULL);
@@ -160,7 +165,8 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
exit(1);
}
- if (nft_is_ruleset_compatible(&h) == 1) {
+ ret = nft_is_ruleset_compatible(&h);
+ if (ret) {
printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
exit(EXIT_FAILURE);
}
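Review bot: The new test on L109-L110 treats any non-zero return from nft_is_ruleset_compatible as "nft features in use", whereas the removed `== 1` check only did so for 1; the deleted nft_are_tables_compatible returned -1 on a failed table list or iterator allocation, and nft_are_chains_compatible, whose result the nft.c hunk propagates verbatim on L79-L81, presumably follows the same convention, so a transient netlink or memory failure would now print the misleading "You're using nft features…" message and exit. Distinguishing the two cases keeps the diagnostic truthful, e.g. `if (ret < 0) { fprintf(stderr, "ERROR: could not read the nft ruleset\n"); exit(EXIT_FAILURE); }` placed before `if (ret) {`. The same pattern is introduced in the xtables.c hunk at L123-L124 and should get the same treatment. The enclosing xtables_save_main continues outside this hunk.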
diff --git a/iptables/xtables.c b/iptables/xtables.c
index ac113254..5410952a 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1225,7 +1225,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
case CMD_LIST:
case CMD_LIST|CMD_ZERO:
case CMD_LIST|CMD_ZERO_NUM:
- if (nft_is_ruleset_compatible(h) == 1) {
+ ret = nft_is_ruleset_compatible(h);
+ if (ret) {
printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
exit(EXIT_FAILURE);
}