xtables-compat: only validate the xtables builtin tables
authorFlorian Westphal <fw@strlen.de>
Sat, 7 Apr 2018 21:16:04 +0000 (23:16 +0200)
committerFlorian Westphal <fw@strlen.de>
Mon, 9 Apr 2018 20:53:09 +0000 (22:53 +0200)
This allows xtables-compat to list all builtin tables unless one
contains nft specific expressions.

Tables that do not exist in xtables world are not printed anymore
(but a small hint is shown that such non-printable table(s) exist).

Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/nft.c

index 7c1e19d60c077a018028ef86aaf095723dfca1fc..b3d9646d5d7c4b63dfd3848a7bfd1292a2140573 100644 (file)
@@ -2827,7 +2827,10 @@ static int nft_are_chains_compatible(struct nft_handle *h)
 
        chain = nftnl_chain_list_iter_next(iter);
        while (chain != NULL) {
-               if (!nft_chain_builtin(chain))
+               const char *table = nftnl_chain_get(chain, NFTNL_CHAIN_TABLE);
+
+               if (!nft_chain_builtin(chain) ||
+                   !nft_is_table_compatible(h, table))
                        goto next;
 
                ret = nft_is_chain_compatible(h, chain);
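Review bot: `table` in the added declaration can be NULL if `NFTNL_CHAIN_TABLE` is not set on the chain object, and it is passed unchecked to nft_is_table_compatible(), whose body is not visible in this hunk. If that helper compares names with strcmp(), this is a NULL dereference on a malformed or partial dump. I would guard it in the condition, `if (!nft_chain_builtin(chain) || table == NULL || !nft_is_table_compatible(h, table))`, so a chain without a table name is skipped like any other non-xtables chain. The typed getter `nftnl_chain_get_str(chain, NFTNL_CHAIN_TABLE)` would also match the `nftnl_rule_get_str()` call in the second hunk and avoid the implicit `const void *` conversion. The second hunk passes its getter result on unchecked in the same way.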
@@ -2876,10 +2879,14 @@ int nft_is_ruleset_compatible(struct nft_handle *h)
 
        rule = nftnl_rule_list_iter_next(iter);
        while (rule != NULL) {
+               if (!nft_is_table_compatible(h,
+                    nftnl_rule_get_str(rule, NFTA_RULE_TABLE)))
+                       goto next;
+
                ret = nft_is_rule_compatible(rule);
                if (ret != 0)
                        break;
-
+next:
                rule = nftnl_rule_list_iter_next(iter);
        }
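Review bot: The added check calls `nftnl_rule_get_str(rule, NFTA_RULE_TABLE)`, but `NFTA_RULE_TABLE` is the kernel netlink attribute constant, while libnftnl getters take the `NFTNL_RULE_*` enum; the first hunk correctly uses `NFTNL_CHAIN_TABLE`. The two constants presumably share a numeric value, so the lookup returns the table name, but only by coincidence and the code would break silently if either enum changed. It should read `nftnl_rule_get_str(rule, NFTNL_RULE_TABLE)`. The loop and the rest of nft_is_ruleset_compatible() extend outside this hunk, so I have not checked whether the `next:` label is reachable from other paths.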