From f8e29a13fed8de2d1276923638d2d6d9988dd8bb Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Tue, 24 Jul 2018 17:12:24 +0200
Subject: xtables: avoid bogus 'is incompatible' warning when using custom nft tables + iptables-nft, iptables-nft -L may fail with iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool. even if filter table is compatible. Problem is that the chain cache tracks ALL chains. The "old" compat-check only walked chains in the table to checked (filter in this case), now we will see all other chains including base chains of another table. It seems better to extend the chain cache long-term to track chains per table instead, but for now skip the foreign ones.
Reported-by: Eric Garver
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal
---
.../tests/shell/testcases/nft-only/0001compat_0 | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100755 iptables/tests/shell/testcases/nft-only/0001compat_0
(limited to 'iptables/tests/shell/testcases')
diff --git a/iptables/tests/shell/testcases/nft-only/0001compat_0 b/iptables/tests/shell/testcases/nft-only/0001compat_0
new file mode 100755
index 00000000..4319ea5a
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0001compat_0
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# test case for bug fixed in
+# commit 873c5d5d293991ee3c06aed2b1dfc5764872582f (HEAD -> master)
+# xtables: avoid bogus 'is incompatible' warning
+
+case "$XT_MULTI" in
+*/xtables-nft-multi)
+ nft -v >/dev/null || exit 0
+ nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1
+ nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1
+
+ $XT_MULTI iptables -L -t filter || exit 1
+ $XT_MULTI ip6tables -L -t filter || exit 1
+ ;;
+*)
+ echo skip $XT_MULTI
+ ;;
+esac
+
+exit 0
--
cgit v1.2.3
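Review bot: The two `nft 'add table … nft-test; add chain …'` commands leave the `nft-test` tables and their forward-hook base chains in the ruleset on every exit path, including the `|| exit 1` paths. Unless the test runner isolates or flushes state (not visible in this patch), later test cases and the host's live ruleset inherit them. Registering a cleanup right after the `nft -v` probe would cover it, e.g. `trap 'nft delete table ip nft-test 2>/dev/null; nft delete table ip6 nft-test 2>/dev/null' EXIT`. `$XT_MULTI` is also expanded unquoted in both `-L` calls and in `echo skip $XT_MULTI`; `"$XT_MULTI" iptables -L -t filter || exit 1` is safer for paths containing spaces. The header comment cites commit 873c5d5d293991ee3c06aed2b1dfc5764872582f with a `(HEAD -> master)` decoration, which does not match the id in this patch's From line and looks like a local pre-rebase hash, so citing only the subject line would avoid a dangling reference.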