| Message ID | 20201210130636.26379-2-phil@nwl.cc |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | nft: Sorted chain listing et al. | expand |
diff --git a/iptables/nft.c b/iptables/nft.c index 411e2597205c9..24e49db4ab919 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -3456,6 +3456,12 @@ bool nft_is_table_compatible(struct nft_handle *h, { struct nftnl_chain_list *clist; + if (chain) { + struct nftnl_chain *c = nft_chain_find(h, table, chain); + + return c && !nft_is_chain_compatible(c, h); + } + clist = nft_chain_list_get(h, table, chain); if (clist == NULL) return false;
Since commit 80251bc2a56ed ("nft: remove cache build calls"), 'chain' parameter passed to nft_chain_list_get() is no longer effective. Before, it was used to fetch only that single chain from kernel when populating the cache. So the returned list of chains for which compatibility checks are done would contain only that single chain. Re-establish the single chain compat checking by introducing a dedicated code path to nft_is_chain_compatible() doing so. Fixes: 80251bc2a56ed ("nft: remove cache build calls") Signed-off-by: Phil Sutter <phil@nwl.cc> --- iptables/nft.c | 6 ++++++ 1 file changed, 6 insertions(+)