Warn for tables with compat expressions in rules

While being able to "look inside" compat expressions using nft is a nice
feature, it is also (yet another) pitfall for unaware users, deceiving
them into assuming interchangeability (or at least compatibility)
between iptables-nft and nft.

In reality, which involves 'nft list ruleset | nft -f -', any correctly
translated compat expressions will turn into native nftables ones not
understood by (the version of) iptables-nft which created them in the
first place. Other compat expressions will vanish, potentially
compromising the firewall ruleset.

Emit a warning (as comment) to give users a chance to stop and
reconsider before shooting their own foot.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/include/rule.h b/include/rule.h
index ad9f9127372286a92e7bad55b2d15bf28dfd7b13..00a1bac5a7737b8b432e6b1d39432c60e1680fec 100644 (file)
--- a/include/rule.h
+++ b/include/rule.h
@@ -169,6 +169,7 @@ struct table {
        unsigned int            refcnt;
        uint32_t                owner;
        const char              *comment;
+       bool                    has_xt_stmts;
 };
 
 extern struct table *table_alloc(void);

diff --git a/src/rule.c b/src/rule.c
index d1ee6c2ee067c322616e4cc2caae8d686956bb9d..1402210acd8d563c4d970ffda79bf2cf84c4429d 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -1233,6 +1233,11 @@ static void table_print(const struct table *table, struct output_ctx *octx)
        const char *delim = "";
        const char *family = family2str(table->handle.family);
 
+       if (table->has_xt_stmts)
+               fprintf(octx->error_fp,
+                       "# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
+                       family, table->handle.table.name);
+
        nft_print(octx, "table %s %s {", family, table->handle.table.name);
        if (nft_output_handle(octx) || table->flags & TABLE_F_OWNER)
                nft_print(octx, " #");
@@ -2387,9 +2392,14 @@ static int do_list_tables(struct netlink_ctx *ctx, struct cmd *cmd)
 static void table_print_declaration(struct table *table,
                                    struct output_ctx *octx)
 {
-       nft_print(octx, "table %s %s {\n",
-                 family2str(table->handle.family),
-                 table->handle.table.name);
+       const char *family = family2str(table->handle.family);
+
+       if (table->has_xt_stmts)
+               fprintf(octx->error_fp,
+                       "# Warning: table %s %s is managed by iptables-nft, do not touch!\n",
+                       family, table->handle.table.name);
+
+       nft_print(octx, "table %s %s {\n", family, table->handle.table.name);
 }
 
 static int do_list_chain(struct netlink_ctx *ctx, struct cmd *cmd,

diff --git a/src/xt.c b/src/xt.c
index 789de9926261b6cbec1b757663b2e3e180793409..a54173522c229b73cb879a428c1abc2af8211199 100644 (file)
--- a/src/xt.c
+++ b/src/xt.c
@@ -238,6 +238,7 @@ void netlink_parse_match(struct netlink_parse_ctx *ctx,
        stmt->xt.name = strdup(name);
        stmt->xt.type = NFT_XT_MATCH;
 #endif
+       ctx->table->has_xt_stmts = true;
        rule_stmt_append(ctx->rule, stmt);
 }
 
@@ -283,6 +284,7 @@ void netlink_parse_target(struct netlink_parse_ctx *ctx,
        stmt->xt.name = strdup(name);
        stmt->xt.type = NFT_XT_TARGET;
 #endif
+       ctx->table->has_xt_stmts = true;
        rule_stmt_append(ctx->rule, stmt);
 }