From: Florian Westphal
Date: Sat, 7 Apr 2018 21:16:04 +0000 (+0200)
Subject: xtables-compat: only validate the xtables builtin tables
X-Git-Tag: v1.8.0~134
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=98fc8ce672049f4407b5abe7c87745494443c831;p=thirdparty%2Fiptables.git
xtables-compat: only validate the xtables builtin tables
This allows xtables-compat to list all builtin tables unless one contains nft specific expressions. Tables that do not exist in xtables world are not printed anymore (but a small hint is shown that such non-printable table(s) exist).
Signed-off-by: Florian Westphal
---
diff --git a/iptables/nft.c b/iptables/nft.c
index 7c1e19d6..b3d9646d 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2827,7 +2827,10 @@ static int nft_are_chains_compatible(struct nft_handle *h)
chain = nftnl_chain_list_iter_next(iter); while (chain != NULL) { - if (!nft_chain_builtin(chain)) + const char *table = nftnl_chain_get(chain, NFTNL_CHAIN_TABLE); + + if (!nft_chain_builtin(chain) || + !nft_is_table_compatible(h, table)) goto next; ret = nft_is_chain_compatible(h, chain);
@@ -2876,10 +2879,14 @@ int nft_is_ruleset_compatible(struct nft_handle *h)
rule = nftnl_rule_list_iter_next(iter); while (rule != NULL) { + if (!nft_is_table_compatible(h, + nftnl_rule_get_str(rule, NFTA_RULE_TABLE))) + goto next; + ret = nft_is_rule_compatible(rule); if (ret != 0) break; - +next: rule = nftnl_rule_list_iter_next(iter); }
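Review bot: In `nft_are_chains_compatible()`, the new `table` local comes from the untyped `nftnl_chain_get()` and is passed to `nft_is_table_compatible()` without a NULL check, at the top of the loop body. The rule-side hunk of this commit uses the typed getter, so `const char *table = nftnl_chain_get_str(chain, NFTNL_CHAIN_TABLE);` would be consistent with it. `nft_is_table_compatible()` is not visible on this page; if it compares names with `strcmp()`, a chain object whose table attribute is unset would crash the listing, so a guard such as `if (table == NULL || !nft_chain_builtin(chain) ||` is safer. The `next:` label and the rest of the function lie outside the hunk.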
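Review bot: In `nft_is_ruleset_compatible()`, `nftnl_rule_get_str()` is called with `NFTA_RULE_TABLE`, the kernel netlink attribute, where the libnftnl attribute `NFTNL_RULE_TABLE` is expected; the chain hunk of this same commit uses the libnftnl constant (`NFTNL_CHAIN_TABLE`). The two enums appear to carry the same value for the table attribute, so this probably works today, but only by coincidence; the call should read `nftnl_rule_get_str(rule, NFTNL_RULE_TABLE)`. Rules in tables outside the xtables set now bypass `nft_is_rule_compatible()` entirely, so a comment above the check such as `/* rules in non-xtables tables are skipped, not validated: a clean result covers the builtin tables only */` would keep later callers from reading the return value as a statement about the whole kernel ruleset. The function starts above the hunk.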