xtables: Fix rules print/save after iptables update
Updating iptables from 1.4.x to 1.6.x brokes rules print/save output and causes rules load after reboot to fail. Here is example from iptables-save(8) output after update: -A CHAIN1 -m set [unsupported revision] -j DROP -A CHAIN1 -m set [unsupported revision] -j DROP Similar output could be obtained via iptables -L CHAIN1. While issue reproduced with xt_set match it is not specific to any match or target module: it is related on how xtables handles revisions. In this particular case we have following situation: 1) Kernel supports revisions from 1 to 4. 2) Rules configured with iptables 1.4.x supporting only revisions from 1 to 3. Choosen highest possible revision 3. 3) Rules printed/saved with iptables 1.6.x supporting revisions from 1 to 4. 4) Xtables registers matches/targets with highest supported revision by the kernel. This is 4 in our case after update to iptables 1.6.x. 5) When printing/saving kernel submits match/target with revision it is configured (3), while iptables thinks that rules configured with highest supported (4). That's causes revision mismatch in during print and "[unsupported revision]" output. To fix this issue we now store all supported by kernel and xtables revisions in xt_matches/xt_targets list sorted in descending order. Introduce helper routines to find match/target with given revision and use them to find right revision to print submitted by kernel entry. Signed-off-by: Serhey Popovych <> Signed-off-by: Florian Westphal <>
diff --git a/include/xtables.h b/include/xtables.h
index 304828a6..743906bf 100644
--- a/include/xtables.h
+++ b/include/xtables.h
@@ -464,8 +464,14 @@ extern struct option *xtables_merge_options(struct option *origopts,
extern int xtables_init_all(struct xtables_globals *xtp, uint8_t nfproto);
extern struct xtables_match *xtables_find_match(const char *name,
enum xtables_tryload, struct xtables_rule_match **match);
+extern struct xtables_match *xtables_find_match_revision(const char *name,
+ enum xtables_tryload tryload, struct xtables_match *match,
+ int revision);
extern struct xtables_target *xtables_find_target(const char *name,
enum xtables_tryload);
+struct xtables_target *xtables_find_target_revision(const char *name,
+ enum xtables_tryload tryload, struct xtables_target *target,
+ int revision);
extern int xtables_compatible_revision(const char *name, uint8_t revision,
int opt);