xtables: Set errno in nft_rule_check() if chain not found

With this, the explicit check for chain existence can be removed from
xtables.c since all related commands do this now.

Note that this effectively changes the error message printed by
iptables-nft when given a non-existing chain, but the new error
message(s) conform with those printed by legacy iptables.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index dafb879ebd6f0b14128884a5087c11ad52f3bea5..1ce1ecdd276bea5eb3505c436a8f34ce41019507 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2007,17 +2007,19 @@ int nft_rule_check(struct nft_handle *h, const char *chain,
 
        c = nft_chain_find(h, table, chain);
        if (!c)
-               return 0;
+               goto fail_enoent;
 
        r = nft_rule_find(h, c, data, -1);
-       if (r == NULL) {
-               errno = ENOENT;
-               return 0;
-       }
+       if (r == NULL)
+               goto fail_enoent;
+
        if (verbose)
                h->ops->print_rule(r, 0, FMT_PRINT_RULE);
 
        return 1;
+fail_enoent:
+       errno = ENOENT;
+       return 0;
 }
 
 int nft_rule_delete(struct nft_handle *h, const char *chain,

diff --git a/iptables/xtables.c b/iptables/xtables.c
index 24a6e234bcf4b9efdce888fab5fb6d0aefc9ea68..da11e8cc159a04aa1d59ca2f2fae05073c75e902 100644 (file)
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1064,10 +1064,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
                                           p->chain);
                }
 
-               if (!p->xlate && !nft_chain_exists(h, p->table, p->chain))
-                       xtables_error(OTHER_PROBLEM,
-                                     "Chain '%s' does not exist", p->chain);
-
                if (!p->xlate && !cs->target && strlen(cs->jumpto) > 0 &&
                    !nft_chain_exists(h, p->table, cs->jumpto))
                        xtables_error(PARAMETER_PROBLEM,