authorPhil Sutter <phil@nwl.cc>2018-08-14 20:28:03 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-08-16 19:43:47 +0200
commit3d9a13dda3d77f750ee755aa0909519240380251 (patch)
tree131db232ffd363009a661573f7697c60485f11fb /iptables/nft.c
parenta33c6fda8c419ba15d76616ef534a4d5f7bb4f85 (diff)
xtables: Fix for no output in iptables-nft -S
Just like with 'iptables-nft -L', we have to make sure the standard set of chains exist for a given table when listing it using '-S' flag. The added code was just copied over from nft_rule_list() which does the same. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 8c0746dd..8a84998b 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2441,6 +2441,23 @@ int nft_rule_list_save(struct nft_handle *h, const char *chain,
struct nftnl_chain *c;
int ret = 1;
+ /* If built-in chains don't exist for this table, create them */
+ if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) {
+ nft_xt_builtin_init(h, table);
+ /* Force table and chain creation, otherwise first iptables -L
+ * lists no table/chains.
+ */
+ if (!list_empty(&h->obj_list)) {
+ nft_commit(h);
+ flush_chain_cache(h, NULL);
+ }
+ }
+
+ if (!nft_is_table_compatible(h, table)) {
+ xtables_error(OTHER_PROBLEM, "table `%s' is incompatible, use 'nft' tool.\n", table);
+ return 0;
+ }
+
list = nft_chain_dump(h);
/* Dump policies and custom chains first */
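Review bot: The results of `nft_xt_builtin_init(h, table)` and `nft_commit(h)` in the added block are discarded, so if creating the built-in chains fails the function still falls through to `nft_chain_dump(h)`. In that case `-S` can print an empty or partial ruleset without any error, which is misleading when the output is used to audit a firewall. The return conventions of both calls are not visible in this hunk, so confirm them first, then report a failure and `return 0;` as the incompatibility branch does. Because the block is copied from nft_rule_list(), a shared static helper would keep the compatibility guard identical on both listing paths, and the copied comment should refer to `-S` rather than `first iptables -L`. nft_rule_list_save() begins and ends outside this hunk.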