when using custom nft tables + iptables-nft, iptables-nft -L
may fail with
iptables v1.8.0 (nf_tables): table `filter' is incompatible, use 'nft' tool.
even if filter table is compatible.
Problem is that the chain cache tracks ALL chains.
The "old" compat-check only walked chains in the table to checked
(filter in this case), now we will see all other
chains including base chains of another table.
It seems better to extend the chain cache long-term to track chains
per table instead, but for now skip the foreign ones.
Reported-by: Eric Garver <e@erig.me>
Fixes: 01e25e264a4c4 ("xtables: add chain cache")
Signed-off-by: Florian Westphal <fw@strlen.de>
chain = nftnl_chain_list_iter_next(iter);
while (chain != NULL) {
- if (!nft_chain_builtin(chain))
+ const char *chain_table;
+
+ chain_table = nftnl_chain_get_str(chain, NFTNL_CHAIN_TABLE);
+
+ if (strcmp(chain_table, tablename) ||
+ !nft_chain_builtin(chain))
goto next;
ret = nft_is_chain_compatible(h, chain);
--- /dev/null
+#!/bin/sh
+
+# test case for bug fixed in
+# commit 873c5d5d293991ee3c06aed2b1dfc5764872582f (HEAD -> master)
+# xtables: avoid bogus 'is incompatible' warning
+
+case "$XT_MULTI" in
+*/xtables-nft-multi)
+ nft -v >/dev/null || exit 0
+ nft 'add table ip nft-test; add chain ip nft-test foobar { type filter hook forward priority 42; }' || exit 1
+ nft 'add table ip6 nft-test; add chain ip6 nft-test foobar { type filter hook forward priority 42; }' || exit 1
+
+ $XT_MULTI iptables -L -t filter || exit 1
+ $XT_MULTI ip6tables -L -t filter || exit 1
+ ;;
+*)
+ echo skip $XT_MULTI
+ ;;
+esac
+
+exit 0
projects / thirdparty / iptables.git / commitdiff
