authorPhil Sutter <phil@nwl.cc>2017-03-08 16:43:25 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2017-03-08 16:46:24 +0100
commit82dacbb88e2433e49e14a86d637cfdefa8f79415 (patch)
tree119d0a9f6f061d9f45b89713415f618b8f25811b /iptables/xtables-translate.c
parent9f972f4523339df45f0ae9409a3c897998f82fcc (diff)
xtables-translate: Avoid querying the kernel
This originally came up when accidentally calling iptables-translate as unprivileged user - nft_compatible_revision() then fails every time, making the translator fall back to using revision 0 only which often leads to failed translations (due to missing xlate callback). The bottom line is there is no need to check what revision of a given iptables match the kernel supports when it is only to be translated into an nftables equivalent. So just assign a dummy callback returning good for any revision being asked for. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables-translate.c')
-rw-r--r--iptables/xtables-translate.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 153bd650..76ca666b 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -379,6 +379,14 @@ static int xlate_chain_set(struct nft_handle *h, const char *table,
return 1;
}
+static int dummy_compat_rev(const char *name, uint8_t rev, int opt)
+{
+ /* Avoid querying the kernel - it's not needed when just translating
+ * rules and not even possible when running as unprivileged user.
+ */
+ return 1;
+}
+
static struct nft_xt_restore_cb cb_xlate = {
.table_new = xlate_table_new,
.chain_set = xlate_chain_set,
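Review bot: The comment in dummy_compat_rev() explains why the kernel is not queried, but not what the constant return value means to the caller, and all three parameters are silently unused. I would add a line to the comment such as `* Returning 1 reports every requested revision as supported.` so a reader does not have to look up the compat_rev contract. It would also help to state there that this callback is only appropriate for translation, since a code path that actually loads rules into the kernel presumably still needs the real revision check. The cb_xlate initializer that follows the function continues outside the hunk.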
@@ -398,6 +406,7 @@ static int xtables_xlate_main(int family, const char *progname, int argc,
};
xtables_globals.program_name = progname;
+ xtables_globals.compat_rev = dummy_compat_rev;
ret = xtables_init_all(&xtables_globals, family);
if (ret < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",
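Review bot: The `xtables_globals.compat_rev = dummy_compat_rev;` assignment here, and the identical one in xtables_restore_xlate_main() in the next hunk, overwrites a field of the shared xtables_globals object with no comment at the call site. A short comment such as `/* translation only: skip the kernel revision probe, see dummy_compat_rev() */` would show that the override is deliberate. It presumably has to stay ahead of the xtables_init_all() call on the following line, which the comment could say as well. If the two entry points gain more shared setup, a small static helper would keep them in sync. Both functions start and end outside their hunks.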
@@ -440,6 +449,7 @@ static int xtables_restore_xlate_main(int family, const char *progname,
int c;
xtables_globals.program_name = progname;
+ xtables_globals.compat_rev = dummy_compat_rev;
ret = xtables_init_all(&xtables_globals, family);
if (ret < 0) {
fprintf(stderr, "%s/%s Failed to initialize xtables\n",