xtables: Don't check all rules for being compatible
authorPhil Sutter <phil@nwl.cc>
Fri, 7 Sep 2018 15:06:21 +0000 (17:06 +0200)
committerFlorian Westphal <fw@strlen.de>
Mon, 10 Sep 2018 13:26:02 +0000 (15:26 +0200)
Commit f8e29a13fed8d ("xtables: avoid bogus 'is incompatible' warning")
fixed compatibility checking so that it no longer extends over all chains, only the
relevant ones. This patch does the same for rules: Make sure only rules
belonging to the relevant table are being considered.

Note that comparing the rule's table name is sufficient here since the
table family is already considered when populating the rule cache.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/nft.c

index 77ad38bea5211f92a7ae86872b42cf0417a9fa19..61bed525489072e7e937cac492f110a324b9d686 100644 (file)
@@ -3219,9 +3219,15 @@ bool nft_is_table_compatible(struct nft_handle *h, const char *tablename)
 
        rule = nftnl_rule_list_iter_next(iter);
        while (rule != NULL) {
+               const char *table = nftnl_rule_get_str(rule, NFTNL_RULE_TABLE);
+
+               if (strcmp(table, tablename))
+                       goto next_rule;
+
                ret = nft_is_rule_compatible(rule);
                if (ret != 0)
                        break;
+next_rule:
                rule = nftnl_rule_list_iter_next(iter);
        }
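Review bot: The new `table` pointer is handed to strcmp() without a NULL check, and nftnl_rule_get_str() returns NULL when NFTNL_RULE_TABLE is not set on the rule, so an entry without that attribute would make the comparison undefined behaviour. Rules in the cache presumably always carry a table name, since the commit message says the cache is populated per family, but the guard costs nothing: `if (!table || strcmp(table, tablename))`. As a style point, the `next_rule:` label exists only to skip to the iterator advance, and a `for (...; rule != NULL; rule = nftnl_rule_list_iter_next(iter))` loop with `continue` would express the same skip without a goto. The body of nft_is_table_compatible() starts and ends outside this hunk, so how `tablename` itself is validated is not visible here.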