author Phil Sutter <> 2020-09-23 19:13:45 +0200
committer Phil Sutter <> 2020-12-21 18:33:21 +0100
commit 694612adf87fb614f16a2b678f32745d5c9d7876 (patch)
tree 60a8e6f33bdd369e45463ba5c11a45a7234ad867 /iptables
parent 98ed6f6fc6d97663a33de67afff60196052880b1 (diff)
nft: Fix selective chain compatibility checks
Since commit 80251bc2a56ed ("nft: remove cache build calls"), 'chain' parameter passed to nft_chain_list_get() is no longer effective. Before, it was used to fetch only that single chain from kernel when populating the cache. So the returned list of chains for which compatibility checks are done would contain only that single chain.

Re-establish the single chain compat checking by introducing a dedicated code path to nft_is_chain_compatible() doing so.

Fixes: 80251bc2a56ed ("nft: remove cache build calls")
Signed-off-by: Phil Sutter <>
Diffstat (limited to 'iptables')
1 files changed, 6 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 411e2597..24e49db4 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -3456,6 +3456,12 @@ bool nft_is_table_compatible(struct nft_handle *h,
struct nftnl_chain_list *clist;
+ if (chain) {
+ struct nftnl_chain *c = nft_chain_find(h, table, chain);
+ return c && !nft_is_chain_compatible(c, h);
+ }
clist = nft_chain_list_get(h, table, chain);
if (clist == NULL)
return false;
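Review bot: In the new "if (chain)" block, "return c && !nft_is_chain_compatible(c, h);" reports the table as compatible only when nft_is_chain_compatible() returns zero, which reads inverted against the helper's name and deserves a one-line comment stating its return convention. The same expression also returns false when nft_chain_find() finds no chain, so a caller cannot tell a missing chain from an incompatible one; if that is intended (it matches the "clist == NULL" path below), say so in the comment. With the early return in place, the unchanged call "nft_chain_list_get(h, table, chain)" is only ever reached with chain == NULL, and the commit message says the argument is no longer effective there, so consider passing NULL explicitly to make the remaining path read as the whole-table check.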