
[iptables] xtables-translate: Avoid querying the kernel

Message ID 20170308154325.9121-1-phil@nwl.cc
State Accepted
Delegated to: Pablo Neira

Commit Message

Phil Sutter March 8, 2017, 3:43 p.m. UTC
This originally came up when accidentally calling iptables-translate as
an unprivileged user - nft_compatible_revision() then fails every time,
making the translator fall back to using revision 0 only, which often
leads to failed translations (due to missing xlate callback).

The bottom line is there is no need to check what revision of a given
iptables match the kernel supports when it is only to be translated into
an nftables equivalent. So just assign a dummy callback returning good
for any revision being asked for.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-translate.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

Pablo Neira Ayuso March 8, 2017, 3:45 p.m. UTC | #1
On Wed, Mar 08, 2017 at 04:43:25PM +0100, Phil Sutter wrote:
> This originally came up when accidentally calling iptables-translate as
> an unprivileged user - nft_compatible_revision() then fails every time,
> making the translator fall back to using revision 0 only, which often
> leads to failed translations (due to missing xlate callback).
> 
> The bottom line is there is no need to check what revision of a given
> iptables match the kernel supports when it is only to be translated into
> an nftables equivalent. So just assign a dummy callback returning good
> for any revision being asked for.

Applied, thanks a lot Phil.

Patch

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 153bd6503c59b..76ca666b79f96 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -379,6 +379,14 @@  static int xlate_chain_set(struct nft_handle *h, const char *table,
 	return 1;
 }
 
+static int dummy_compat_rev(const char *name, uint8_t rev, int opt)
+{
+	/* Avoid querying the kernel - it's not needed when just translating
+	 * rules and not even possible when running as unprivileged user.
+	 */
+	return 1;
+}
+
 static struct nft_xt_restore_cb cb_xlate = {
 	.table_new	= xlate_table_new,
 	.chain_set	= xlate_chain_set,
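Review bot: `dummy_compat_rev()` ignores all three of its parameters (`name`, `rev`, `opt`), which will trigger -Wunused-parameter warnings in builds that enable it; consider casting them to void at the top of the function, e.g. `(void)name; (void)rev; (void)opt;`, or marking them unused. The comment would also read better if it stated that the bare `return 1` means "this revision is supported", so a reader does not need to look up the `compat_rev` callback contract to see why every revision is accepted.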
@@ -398,6 +406,7 @@  static int xtables_xlate_main(int family, const char *progname, int argc,
 	};
 
 	xtables_globals.program_name = progname;
+	xtables_globals.compat_rev = dummy_compat_rev;
 	ret = xtables_init_all(&xtables_globals, family);
 	if (ret < 0) {
 		fprintf(stderr, "%s/%s Failed to initialize xtables\n",
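Review bot: the override is installed before `xtables_init_all()`, which is the right order, but because the callback now reports every revision as supported, the revision picked for each extension depends only on what the userspace extension offers and no longer on the running kernel, so a translation produced by this tool may not correspond to the rule `iptables` itself would load on an older kernel. That is the intended behaviour per the commit message, but a short note to that effect here or in the `dummy_compat_rev()` comment would stop someone later "fixing" it back to querying the kernel.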
@@ -440,6 +449,7 @@  static int xtables_restore_xlate_main(int family, const char *progname,
 	int c;
 
 	xtables_globals.program_name = progname;
+	xtables_globals.compat_rev = dummy_compat_rev;
 	ret = xtables_init_all(&xtables_globals, family);
 	if (ret < 0) {
 		fprintf(stderr, "%s/%s Failed to initialize xtables\n",
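Review bot: this hunk repeats the same two-line setup as the previous one (`xtables_globals.program_name = progname;` followed by `xtables_globals.compat_rev = dummy_compat_rev;`); factoring both assignments into a small helper called from `xtables_xlate_main()` and `xtables_restore_xlate_main()` would keep the two entry points in sync and make it harder for a future third entry point to forget the `compat_rev` override and fall back to the privileged kernel query.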