From 63123e24c1b957cfabcfa7708994b0d61447724e Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Sun, 30 Dec 2018 20:06:10 +0100
Subject: [PATCH] xtables: Set errno in nft_rule_check() if chain not found
With this, the explicit check for chain existence can be removed from
xtables.c since all related commands do this now.
Note that this effectively changes the error message printed by
iptables-nft when given a non-existing chain, but the new error
message(s) conform with those printed by legacy iptables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 41358d474357a39d616302c03cd7f943e19969a2)
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
iptables/nft.c | 12 +++++++-----
iptables/xtables.c | 4 ----
2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index dafb879ebd6f0..1ce1ecdd276be 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2007,17 +2007,19 @@ int nft_rule_check(struct nft_handle *h, const char *chain,
c = nft_chain_find(h, table, chain);
if (!c)
- return 0;
+ goto fail_enoent;
r = nft_rule_find(h, c, data, -1);
- if (r == NULL) {
- errno = ENOENT;
- return 0;
- }
+ if (r == NULL)
+ goto fail_enoent;
+
if (verbose)
h->ops->print_rule(r, 0, FMT_PRINT_RULE);
return 1;
+fail_enoent:
+ errno = ENOENT;
+ return 0;
}
int nft_rule_delete(struct nft_handle *h, const char *chain,
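Review bot: Both failure paths in nft_rule_check() now reach `fail_enoent`, so a missing chain and a missing rule look the same to the caller: each returns 0 with `errno = ENOENT`. Because the xtables.c hunk in this patch drops the up-front `nft_chain_exists(h, p->table, p->chain)` test, the text shown for a check against a non-existent chain depends entirely on how the caller maps ENOENT from this function to a message. That mapping is not visible here, so it is worth confirming it does not report "no matching rule" when the chain itself is absent, since scripts that gate rule insertion on this result would then act on a misleading diagnosis. A short comment above the label would record the contract, e.g. `/* chain or rule not found: caller derives the message from errno */`. The function body starts outside this hunk, so any earlier return paths could not be checked for the same errno convention.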
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 24a6e234bcf4b..da11e8cc159a0 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1064,10 +1064,6 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
p->chain);
}
- if (!p->xlate && !nft_chain_exists(h, p->table, p->chain))
- xtables_error(OTHER_PROBLEM,
- "Chain '%s' does not exist", p->chain);
-
if (!p->xlate && !cs->target && strlen(cs->jumpto) > 0 &&
!nft_chain_exists(h, p->table, cs->jumpto))
xtables_error(PARAMETER_PROBLEM,
--
2.20.1