authorFlorian Westphal <fw@strlen.de>2018-07-24 17:12:24 +0200
committerFlorian Westphal <fw@strlen.de>2018-07-24 21:29:30 +0200
commitf8e29a13fed8de2d1276923638d2d6d9988dd8bb (patch)
treeda01deb1e519c946149ce01da85318cd6b351d11 /iptables/nft.c
parent6ea7579e6fe249e1775e871985be555e22d48778 (diff)
xtables: avoid bogus 'is incompatible' warning
when using custom nft tables + iptables-nft, iptables-nft -L may fail with iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool. even if filter table is compatible. Problem is that the chain cache tracks ALL chains. The "old" compat-check only walked chains in the table to be checked (filter in this case), now we will see all other chains including base chains of another table. It seems better to extend the chain cache long-term to track chains per table instead, but for now skip the foreign ones. Reported-by: Eric Garver <e@erig.me> Fixes: 01e25e264a4c4 ("xtables: add chain cache") Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 07e15c7a..347a4438 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3006,7 +3006,12 @@ static int nft_are_chains_compatible(struct nft_handle *h, const char *tablename
chain = nftnl_chain_list_iter_next(iter);
while (chain != NULL) {
- if (!nft_chain_builtin(chain))
+ const char *chain_table;
+
+ chain_table = nftnl_chain_get_str(chain, NFTNL_CHAIN_TABLE);
+
+ if (strcmp(chain_table, tablename) ||
+ !nft_chain_builtin(chain))
goto next;
ret = nft_is_chain_compatible(h, chain);
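Review bot: The new `strcmp(chain_table, tablename)` call dereferences whatever `nftnl_chain_get_str()` returns, and that getter returns NULL when NFTNL_CHAIN_TABLE is not set on the chain object, so a cache entry without a table attribute would crash the compatibility check instead of being skipped. Chains dumped from the kernel presumably always carry the attribute, but a guard is cheap: `if (!chain_table || strcmp(chain_table, tablename) != 0 ||`. Writing the comparison as `!= 0` also makes it clearer that the branch skips chains belonging to other tables. The loop and the rest of nft_are_chains_compatible continue outside this hunk.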