xtables: Fix for spurious errors from iptables-translate

When aligning iptables-nft error messages with legacy ones, I missed
that translate tools shouldn't check for missing or duplicated chains.

Introduce a boolean in struct nft_xt_cmd_parse indicating we're "just"
translating and do_parse() should skip the checks.

Fixes: b6a06c1a215f8 ("xtables: Align return codes with legacy iptables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 1281f080bc31d40ad39410ef501369352b4a1c91..e3ecdb4d23df3eaedc3a7039d380701ea6daea4c 100644 (file)
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -233,6 +233,7 @@ struct nft_xt_cmd_parse {
        const char                      *policy;
        bool                            restore;
        int                             verbose;
+       bool                            xlate;
 };
 
 void do_parse(struct nft_handle *h, int argc, char *argv[],

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index f4c0f9cf5a1814474aede8f049af0411800017d2..849c53f30e1557a484b709b6243e2433e2fc370a 100644 (file)
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -216,6 +216,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
        struct nft_xt_cmd_parse p = {
                .table          = *table,
                .restore        = restore,
+               .xlate          = true,
        };
        struct iptables_command_state cs;
        struct xtables_args args = {

diff --git a/iptables/xtables.c b/iptables/xtables.c
index e0343dbabf2b3321ccc9162bd78e256b542b9dd7..0038804e288c6389ff390de02fbf011f3dd0d3b2 100644 (file)
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1063,16 +1063,16 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
                                           p->chain);
                }
 
-               if (!nft_chain_exists(h, p->table, p->chain))
+               if (!p->xlate && !nft_chain_exists(h, p->table, p->chain))
                        xtables_error(OTHER_PROBLEM,
                                      "Chain '%s' does not exist", cs->jumpto);
 
-               if (!cs->target && strlen(cs->jumpto) > 0 &&
+               if (!p->xlate && !cs->target && strlen(cs->jumpto) > 0 &&
                    !nft_chain_exists(h, p->table, cs->jumpto))
                        xtables_error(PARAMETER_PROBLEM,
                                      "Chain '%s' does not exist", cs->jumpto);
        }
-       if (p->command == CMD_NEW_CHAIN &&
+       if (!p->xlate && p->command == CMD_NEW_CHAIN &&
            nft_chain_exists(h, p->table, p->chain))
                xtables_error(OTHER_PROBLEM, "Chain already exists");
 }