xtables-translate: Avoid querying the kernel

This originally came up when accidentally calling iptables-translate as
unprivileged user - nft_compatible_revision() then fails every time,
making the translator fall back to using revision 0 only which often
leads to failed translations (due to missing xlate callback).

The bottom line is there is no need to check what revision of a given
iptables match the kernel supports when it is only to be translated into
an nftables equivalent. So just assign a dummy callback returning good
for any revision being asked for.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 153bd6503c59be5efb5ec59f40ef4df32f1f1294..76ca666b79f9622666d0a5c77cf60c83389eff8a 100644 (file)
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -379,6 +379,14 @@ static int xlate_chain_set(struct nft_handle *h, const char *table,
        return 1;
 }
 
+static int dummy_compat_rev(const char *name, uint8_t rev, int opt)
+{
+       /* Avoid querying the kernel - it's not needed when just translating
+        * rules and not even possible when running as unprivileged user.
+        */
+       return 1;
+}
+
 static struct nft_xt_restore_cb cb_xlate = {
        .table_new      = xlate_table_new,
        .chain_set      = xlate_chain_set,
@@ -398,6 +406,7 @@ static int xtables_xlate_main(int family, const char *progname, int argc,
        };
 
        xtables_globals.program_name = progname;
+       xtables_globals.compat_rev = dummy_compat_rev;
        ret = xtables_init_all(&xtables_globals, family);
        if (ret < 0) {
                fprintf(stderr, "%s/%s Failed to initialize xtables\n",
@@ -440,6 +449,7 @@ static int xtables_restore_xlate_main(int family, const char *progname,
        int c;
 
        xtables_globals.program_name = progname;
+       xtables_globals.compat_rev = dummy_compat_rev;
        ret = xtables_init_all(&xtables_globals, family);
        if (ret < 0) {
                fprintf(stderr, "%s/%s Failed to initialize xtables\n",