From 651cfee91a8f42336b9d794c838b9f4f480308c9 Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Thu, 12 Apr 2018 11:31:42 +0200
Subject: xtables-compat: pass correct table skeleton

This always uses xtables_ipv4 (which is same as _ipv6). Pass the correct skeleton instead, this is needed to handle ebtables correctly from xt-translate, as it doesn't use ip/ip6 tables.

Signed-off-by: Florian Westphal
---
 iptables/xtables-restore.c   | 41 +++++++++++++++++++++++++++++------------
 iptables/xtables-save.c      | 41 ++++++++++++++++++++++++++++++-----------
 iptables/xtables-translate.c | 18 +++++++++++++++++-
 3 files changed, 76 insertions(+), 24 deletions(-)

diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index ac753c43..2ba0565d 100644
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -455,6 +455,7 @@ void xtables_restore_parse(struct nft_handle *h,
 static int
 xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 {
+	struct builtin_table *tables;
 	struct nft_handle h = {
 		.family = family,
 		.restore = true,
@@ -472,18 +473,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 			xtables_globals.program_version);
 		exit(1);
 	}
-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
-	init_extensions4();
-#endif
-
-	if (nft_init(&h, xtables_ipv4) < 0) {
-		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
-			xtables_globals.program_name,
-			xtables_globals.program_version,
-			strerror(errno));
-		exit(EXIT_FAILURE);
-	}
 
 	while ((c = getopt_long(argc, argv, "bcvVthnM:T:46wW", options, NULL)) != -1) {
 		switch (c) {
@@ -546,6 +535,34 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[])
 		p.in = stdin;
 	}
 
+	switch (family) {
+	case NFPROTO_IPV4:
+	case NFPROTO_IPV6: /* fallthough, same table */
+		tables = xtables_ipv4;
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensions4();
+#endif
+		break;
+	case NFPROTO_ARP:
+		tables = xtables_arp;
+		break;
+	case NFPROTO_BRIDGE:
+		tables = xtables_bridge;
+		break;
+	default:
+		fprintf(stderr, "Unknown family %d\n", family);
+		return 1;
+	}
+
+	if (nft_init(&h, tables) < 0) {
+		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+			xtables_globals.program_name,
+			xtables_globals.program_version,
+			strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
 	xtables_restore_parse(&h, &p, &restore_cb, argc, argv);
 
 	nft_fini(&h);
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index e5401daf..1f643593 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -83,6 +83,7 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
 static int
 xtables_save_main(int family, const char *progname, int argc, char *argv[])
 {
+	struct builtin_table *tables;
 	const char *tablename = NULL;
 	bool dump = false;
 	struct nft_handle h = {
@@ -99,17 +100,6 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 			xtables_globals.program_version);
 		exit(1);
 	}
-#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
-	init_extensions();
-	init_extensions4();
-#endif
-	if (nft_init(&h, xtables_ipv4) < 0) {
-		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
-			xtables_globals.program_name,
-			xtables_globals.program_version,
-			strerror(errno));
-		exit(EXIT_FAILURE);
-	}
 
 	while ((c = getopt_long(argc, argv, "bcdt:M:f:46", options, NULL)) != -1) {
 		switch (c) {
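Review bot: Under ALL_INCLUSIVE/NO_SHARED_LIBS the new switch registers extensions only in the NFPROTO_IPV4/NFPROTO_IPV6 arm, so a static build that enters the NFPROTO_ARP or NFPROTO_BRIDGE arm reaches `nft_init(&h, tables)` with nothing registered, not even the family-independent extensions from `init_extensions()`; the copies of this switch in xtables-save.c (hunk at -164) and xtables-translate.c (hunk at -435) have the same gap, and the translate one is the ebtables case the commit message is about. If the static build provides family-specific initializers for arp and bridge they belong in those arms; otherwise at least hoist `init_extensions();` (under the same `#if`) above the switch so every family gets the common set. The block is now duplicated verbatim in three binaries; a single `static struct builtin_table *` helper keyed on the family would keep them in step and give the `/* fallthough, same table */` comment (misspelled here and in xtables-save.c; the translate copy has `fallthrough`) one home. Also note `default:` returns 1 while the `nft_init()` failure a few lines below calls `exit(EXIT_FAILURE)`; the two error paths should agree, or a comment should say why they differ. xtables_restore_main continues past the end of this hunk.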
@@ -164,6 +154,35 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
 		exit(1);
 	}
 
+	switch (family) {
+	case NFPROTO_IPV4:
+	case NFPROTO_IPV6: /* fallthough, same table */
+#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
+		init_extensions();
+		init_extensions4();
+#endif
+		tables = xtables_ipv4;
+		break;
+	case NFPROTO_ARP:
+		tables = xtables_arp;
+		break;
+	case NFPROTO_BRIDGE:
+		tables = xtables_bridge;
+		break;
+	default:
+		fprintf(stderr, "Unknown family %d\n", family);
+		return 1;
+	}
+
+	if (nft_init(&h, tables) < 0) {
+		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+			xtables_globals.program_name,
+			xtables_globals.program_version,
+			strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+
 	ret = nft_is_ruleset_compatible(&h);
 	if (ret) {
 		printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 78cc60e8..b08ac354 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -424,6 +424,7 @@ static int xtables_xlate_main_common(struct nft_handle *h,
 				     int family,
 				     const char *progname)
 {
+	struct builtin_table *tables;
 	int ret;
 
 	xtables_globals.program_name = progname;
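Review bot: The switch in xtables_save_main runs `init_extensions()`/`init_extensions4()` before `tables = xtables_ipv4;` whereas the xtables-restore.c copy of the same block runs them after the assignment, and this copy ends with two consecutive blank `+` lines before `ret = nft_is_ruleset_compatible(&h);`. Pick one ordering for both files and drop the extra blank line so the duplicated blocks diff cleanly against each other. xtables_save_main continues outside this hunk.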
@@ -435,12 +436,27 @@ static int xtables_xlate_main_common(struct nft_handle *h,
 			xtables_globals.program_version);
 		return 1;
 	}
+	switch (family) {
+	case NFPROTO_IPV4:
+	case NFPROTO_IPV6: /* fallthrough: same table */
 #if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)
 	init_extensions();
 	init_extensions4();
 #endif
+		tables = xtables_ipv4;
+		break;
+	case NFPROTO_ARP:
+		tables = xtables_arp;
+		break;
+	case NFPROTO_BRIDGE:
+		tables = xtables_bridge;
+		break;
+	default:
+		fprintf(stderr, "Unknown family %d\n", family);
+		return 1;
+	}
 
-	if (nft_init(h, xtables_ipv4) < 0) {
+	if (nft_init(h, tables) < 0) {
 		fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
 			xtables_globals.program_name,
 			xtables_globals.program_version,
-- 
cgit v1.2.3
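Review bot: The `init_extensions();` and `init_extensions4();` calls under `#if defined(ALL_INCLUSIVE) || defined(NO_SHARED_LIBS)` are carried over as unchanged context lines, so they presumably keep the function-body indentation they had before, although they now sit inside the NFPROTO_IPV6 case arm between `+	case NFPROTO_IPV6:` and `+		tables = xtables_ipv4;`; re-indent the two calls one level (the `#if`/`#endif` stay at column 0) so the arm reads as a unit. Unlike the restore/save copies, `default:` returning 1 here matches the `return 1;` this function already uses for the xtables init failure just above, which is the convention the other two files should follow as well. xtables_xlate_main_common starts before this hunk and continues past it.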