authorPhil Sutter <phil@nwl.cc>2018-09-07 17:06:21 +0200
committerFlorian Westphal <fw@strlen.de>2018-09-10 15:26:02 +0200
commitc9f4f04bafe36927d2bca7ecf717723e0d7410d7 (patch)
tree9c0c77b0daacf47ff8234ba22d678eff0fdeb562
parent15606f264c84f9cc01d2f60adb6eda6584ef2594 (diff)
xtables: Don't check all rules for being compatible
Commit f8e29a13fed8d ("xtables: avoid bogus 'is incompatible' warning") fixed compatibility checking so that it no longer extends over all chains, only the relevant ones. This patch does the same for rules: Make sure only rules belonging to the relevant table are being considered. Note that comparing the rule's table name is sufficient here since the table family is already considered when populating the rule cache. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--iptables/nft.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 77ad38be..61bed525 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3219,9 +3219,15 @@ bool nft_is_table_compatible(struct nft_handle *h, const char *tablename)
rule = nftnl_rule_list_iter_next(iter);
while (rule != NULL) {
+ const char *table = nftnl_rule_get_str(rule, NFTNL_RULE_TABLE);
+
+ if (strcmp(table, tablename))
+ goto next_rule;
+
ret = nft_is_rule_compatible(rule);
if (ret != 0)
break;
+next_rule:
rule = nftnl_rule_list_iter_next(iter);
}
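Review bot: The added `strcmp(table, tablename)` uses `table` without a NULL check, and `nftnl_rule_get_str()` returns NULL when NFTNL_RULE_TABLE is not set on the rule, which makes the strcmp() call undefined behaviour. Rules in the cache presumably come from a kernel dump and always carry a table name, but nothing in the hunk establishes that, so a guard is cheap: `if (!table || strcmp(table, tablename))`. A short comment above the check, e.g. `/* rule cache holds all tables of this family; skip rules of other tables */`, would also explain why `goto next_rule` is needed. The body of nft_is_table_compatible() starts and ends outside the hunk, so whether `tablename` itself can be NULL cannot be judged from here.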