xtables-compat: skip unsupported tables
Instead of not listing anything at all if an unknown table name
exists, just skip them. Output a small comment that the listing
doesn't include the (unrecognized, nft-created) tables.
Next patch will restrict 'is this table printable in
xtables syntax' check to the "builtin" tables.
Signed-off-by: Florian Westphal <fw@strlen.de>
diff --git a/iptables/nft.c b/iptables/nft.c
index a73c72b..7c1e19d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2842,49 +2842,16 @@
return ret;
}
-static int nft_is_table_compatible(const char *name)
+bool nft_is_table_compatible(struct nft_handle *h, const char *name)
{
int i;
for (i = 0; i < TABLES_MAX; i++) {
- if (strcmp(xtables_ipv4[i].name, name) == 0)
- return 0;
+ if (strcmp(h->tables[i].name, name) == 0)
+ return true;
}
- return 1;
-}
-
-static int nft_are_tables_compatible(struct nft_handle *h)
-{
- struct nftnl_table_list *list;
- struct nftnl_table_list_iter *iter;
- struct nftnl_table *table;
- int ret = 0;
-
- list = nftnl_table_list_get(h);
- if (list == NULL)
- return -1;
-
- iter = nftnl_table_list_iter_create(list);
- if (iter == NULL)
- return -1;
-
- table = nftnl_table_list_iter_next(iter);
- while (table != NULL) {
- const char *name = nftnl_table_get(table, NFTNL_TABLE_NAME);
-
- if (nft_is_table_compatible(name) == 0) {
- table = nftnl_table_list_iter_next(iter);
- continue;
- }
-
- ret = 1;
- break;
- }
-
- nftnl_table_list_iter_destroy(iter);
- nftnl_table_list_free(list);
- return ret;
+ return false;
}
int nft_is_ruleset_compatible(struct nft_handle *h)
@@ -2895,10 +2862,6 @@
struct nftnl_rule *rule;
int ret = 0;
- ret = nft_are_tables_compatible(h);
- if (ret != 0)
- return ret;
-
ret = nft_are_chains_compatible(h);
if (ret != 0)
return ret;
diff --git a/iptables/nft.h b/iptables/nft.h
index 4126593..310cede 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -183,5 +183,6 @@
void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);
int nft_is_ruleset_compatible(struct nft_handle *h);
+bool nft_is_table_compatible(struct nft_handle *h, const char *name);
#endif
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 5b498b0..893b2b9 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -52,6 +52,11 @@
return 0;
}
+ if (!nft_is_table_compatible(h, tablename)) {
+ printf("# Table `%s' is incompatible, use 'nft' tool.\n", tablename);
+ return 1;
+ }
+
chain_list = nft_chain_dump(h);
time_t now = time(NULL);
@@ -160,7 +165,8 @@
exit(1);
}
- if (nft_is_ruleset_compatible(&h) == 1) {
+ ret = nft_is_ruleset_compatible(&h);
+ if (ret) {
printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
exit(EXIT_FAILURE);
}
diff --git a/iptables/xtables.c b/iptables/xtables.c
index ac11325..5410952 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1225,7 +1225,8 @@
case CMD_LIST:
case CMD_LIST|CMD_ZERO:
case CMD_LIST|CMD_ZERO_NUM:
- if (nft_is_ruleset_compatible(h) == 1) {
+ ret = nft_is_ruleset_compatible(h);
+ if (ret) {
printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
exit(EXIT_FAILURE);
}
