author | Pablo M. Bermudo Garay <pablombg@gmail.com> | 2016-08-26 18:58:43 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-08-26 19:35:33 +0200 |
commit | 4b791044cd0984c9a1771e86fa77fce9d309d9e7 (patch) | |
tree | ab14cc4444f772d76b8d1de7f712a5a32168e51b /iptables/xtables.c | |
parent | 27579fe10473c475f3e4dcf66c862f3a69995ea7 (diff) |
xtables-compat: check if nft ruleset is compatible
This patch adds a verification of the compatibility between the nft
ruleset and iptables. Nft tables, chains and rules are checked to be
compatible with iptables. If something is not compatible, the execution
stops and an error message is displayed to the user.
This checking is triggered by xtables-compat -L and xtables-compat-save
commands.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables.c')
-rw-r--r-- | iptables/xtables.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/iptables/xtables.c b/iptables/xtables.c index 48b9c51c..d222ae99 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -1253,6 +1253,11 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, case CMD_LIST: case CMD_LIST|CMD_ZERO: case CMD_LIST|CMD_ZERO_NUM: + if (nft_is_ruleset_compatible(h) == 1) { + printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n"); + exit(EXIT_FAILURE); + } + ret = list_entries(h, p.chain, p.table, p.rulenum, cs.options & OPT_VERBOSE, cs.options & OPT_NUMERIC, |
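Review bot: In the check added under the CMD_LIST cases, the error path is taken when `nft_is_ruleset_compatible(h) == 1`, which reads as the opposite of what the function name promises, so either the helper should be renamed to say what a return of 1 means (incompatible) or the return convention should be documented next to the call. Comparing against exactly 1 also means any other non-zero return, such as a negative value if the helper can fail while fetching the ruleset, falls through to `list_entries()` as if the ruleset had been verified; if the helper can return an error, test for it explicitly and fail closed. The message is written with `printf`, so it lands on stdout together with the listing output that scripts parse; `fprintf(stderr, ...)` would keep it out of that stream. Finally, calling `exit(EXIT_FAILURE)` here bypasses the function's normal `ret` return path, so any cleanup the caller does after `do_commandx()` is skipped; consider setting `ret` and returning instead.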