authorPablo M. Bermudo Garay <pablombg@gmail.com>2016-08-26 18:58:43 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2016-08-26 19:35:33 +0200
commit4b791044cd0984c9a1771e86fa77fce9d309d9e7 (patch)
treeab14cc4444f772d76b8d1de7f712a5a32168e51b /iptables/xtables-save.c
parent27579fe10473c475f3e4dcf66c862f3a69995ea7 (diff)
xtables-compat: check if nft ruleset is compatible
This patch adds a verification of the compatibility between the nft ruleset and iptables. Nft tables, chains and rules are checked to be compatible with iptables. If something is not compatible, the execution stops and an error message is displayed to the user. This check is triggered by the xtables-compat -L and xtables-compat-save commands. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables-save.c')
-rw-r--r--iptables/xtables-save.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 50b5b5ae..f30867cf 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -138,6 +138,11 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
exit(1);
}
+ if (nft_is_ruleset_compatible(&h) == 1) {
+ printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
+ exit(EXIT_FAILURE);
+ }
+
if (dump) {
do_output(&h, tablename, show_counters);
exit(0);
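Review bot: The error message in the added block is written with `printf`, and for a save command stdout is normally the stream that carries the ruleset dump, so a redirected or piped run would put the message into the saved file rather than in front of the operator; `fprintf(stderr, "ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");` keeps the dump stream clean. The `== 1` test also lets every other return value fall through to `do_output`. `nft_is_ruleset_compatible` is not visible in this hunk, but if it can return a negative value when the check itself fails, the save would go ahead with an unverified ruleset, so treating anything other than the compatible result as a failure would be the safer default for a firewall dump. The name reads as a predicate that is true when the ruleset is compatible while this call site treats 1 as incompatible, so a one-line comment such as `/* returns 1 when the ruleset cannot be expressed in iptables */` would prevent misreading. The body of `xtables_save_main` starts and ends outside the hunk.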