Just like with 'iptables-nft -L', we have to make sure the standard set
of chains exists for a given table when listing it using the '-S' flag.

The added code was just copied over from nft_rule_list() which does the
same.

Signed-off-by: Phil Sutter <[email protected]>
---
 iptables/nft.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index 8c0746dd94b87..8a84998b961a7 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2441,6 +2441,23 @@ int nft_rule_list_save(struct nft_handle *h, const char 
*chain,
        struct nftnl_chain *c;
        int ret = 1;
 
+       /* If built-in chains don't exist for this table, create them */
+       if (nft_xtables_config_load(h, XTABLES_CONFIG_DEFAULT, 0) < 0) {
+               nft_xt_builtin_init(h, table);
+               /* Force table and chain creation, otherwise first iptables -L
+                * lists no table/chains.
+                */
+               if (!list_empty(&h->obj_list)) {
+                       nft_commit(h);
+                       flush_chain_cache(h, NULL);
+               }
+       }
+
+       if (!nft_is_table_compatible(h, table)) {
+               xtables_error(OTHER_PROBLEM, "table `%s' is incompatible, use 
'nft' tool.\n", table);
+               return 0;
+       }
+
        list = nft_chain_dump(h);
 
        /* Dump policies and custom chains first */
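Review bot: The results of `nft_xt_builtin_init(h, table)` and `nft_commit(h)` are discarded in the added block, so if creating the built-in chains fails, the function still dumps the cache and `-S` gives no sign that its write to the ruleset did not land. Because this turns a listing command into one that commits changes, both calls should have their status checked and the function should leave with the failure value (0, as the incompatible-table branch below does); the return conventions of the two helpers are not visible in this hunk, so confirm them before choosing the comparison. The inner comment was copied from nft_rule_list() and still refers to `-L`; here it should read `/* Force table and chain creation, otherwise first iptables -S lists no table/chains. */`. As the commit message says the block is a verbatim copy, a shared static helper called from both listing functions would keep the two paths from drifting apart. The body of nft_rule_list_save() starts and ends outside the hunk.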
-- 
2.18.0
