xtables-compat: skip unsupported tables

Instead of not listing anything at all if an unknown table name
exists, just skip them.  Output a small comment that the listing
doesn't include the (unrecognized, nft-created) tables.

Next patch will restrict 'is this table printable in
xtables syntax' check to the "builtin" tables.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/nft.c b/iptables/nft.c
index a73c72bda7be3e3f3ca483de8909d5aa883bf492..7c1e19d60c077a018028ef86aaf095723dfca1fc 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2842,49 +2842,16 @@ next:
        return ret;
 }
 
-static int nft_is_table_compatible(const char *name)
+bool nft_is_table_compatible(struct nft_handle *h, const char *name)
 {
        int i;
 
        for (i = 0; i < TABLES_MAX; i++) {
-               if (strcmp(xtables_ipv4[i].name, name) == 0)
-                       return 0;
-       }
-
-       return 1;
-}
-
-static int nft_are_tables_compatible(struct nft_handle *h)
-{
-       struct nftnl_table_list *list;
-       struct nftnl_table_list_iter *iter;
-       struct nftnl_table *table;
-       int ret = 0;
-
-       list = nftnl_table_list_get(h);
-       if (list == NULL)
-               return -1;
-
-       iter = nftnl_table_list_iter_create(list);
-       if (iter == NULL)
-               return -1;
-
-       table = nftnl_table_list_iter_next(iter);
-       while (table != NULL) {
-               const char *name = nftnl_table_get(table, NFTNL_TABLE_NAME);
-
-               if (nft_is_table_compatible(name) == 0) {
-                       table = nftnl_table_list_iter_next(iter);
-                       continue;
-               }
-
-               ret = 1;
-               break;
+               if (strcmp(h->tables[i].name, name) == 0)
+                       return true;
        }
 
-       nftnl_table_list_iter_destroy(iter);
-       nftnl_table_list_free(list);
-       return ret;
+       return false;
 }
 
 int nft_is_ruleset_compatible(struct nft_handle *h)
@@ -2895,10 +2862,6 @@ int nft_is_ruleset_compatible(struct nft_handle *h)
        struct nftnl_rule *rule;
        int ret = 0;
 
-       ret = nft_are_tables_compatible(h);
-       if (ret != 0)
-               return ret;
-
        ret = nft_are_chains_compatible(h);
        if (ret != 0)
                return ret;

diff --git a/iptables/nft.h b/iptables/nft.h
index 41265930ea15c79d1cef5d5405154d23fee527bd..310cedeca73072cdd0fd38cbdb4cda5f30423abb 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -183,5 +183,6 @@ int nft_arp_rule_insert(struct nft_handle *h, const char *chain,
 void nft_rule_to_arpt_entry(struct nftnl_rule *r, struct arpt_entry *fw);
 
 int nft_is_ruleset_compatible(struct nft_handle *h);
+bool nft_is_table_compatible(struct nft_handle *h, const char *name);
 
 #endif

diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 5b498b0433242d6b0161efacff53c4d701b81431..893b2b93116f876c8c344e2552279068836fd441 100644 (file)
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -52,6 +52,11 @@ do_output(struct nft_handle *h, const char *tablename, bool counters)
                return 0;
        }
 
+       if (!nft_is_table_compatible(h, tablename)) {
+               printf("# Table `%s' is incompatible, use 'nft' tool.\n", tablename);
+               return 1;
+       }
+
        chain_list = nft_chain_dump(h);
 
        time_t now = time(NULL);
@@ -160,7 +165,8 @@ xtables_save_main(int family, const char *progname, int argc, char *argv[])
                exit(1);
        }
 
-       if (nft_is_ruleset_compatible(&h) == 1) {
+       ret = nft_is_ruleset_compatible(&h);
+       if (ret) {
                printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
                exit(EXIT_FAILURE);
        }

diff --git a/iptables/xtables.c b/iptables/xtables.c
index ac1132541dddafc1b2c6387d703a288b142ea39d..5410952a385ef33aa296f8f03ce87b82dc9687aa 100644 (file)
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1225,7 +1225,8 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
        case CMD_LIST:
        case CMD_LIST|CMD_ZERO:
        case CMD_LIST|CMD_ZERO_NUM:
-               if (nft_is_ruleset_compatible(h) == 1) {
+               ret = nft_is_ruleset_compatible(h);
+               if (ret) {
                        printf("ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.\n");
                        exit(EXIT_FAILURE);
                }