[iptables PATCH] xtables-translate: Return non-zero if translation fails

[iptables PATCH] xtables-translate: Return non-zero if translation fails

[Phil Sutter]

Untranslated parts in output are easily overlooked and also don't disrupt
piping into nft (which is a bad idea to begin with), so make a little
noise if things go sideways:

| # iptables-translate -A FORWARD -m recent --set
| nft # -A FORWARD -m recent --set
| Translation not (fully) implemented

| # cat /tmp/input.ipt
| *filter
| -A FORWARD -s 1.2.3.4
| -A FORWARD -m recent --set
| COMMIT
| # iptables-restore-translate -f /tmp/input.ipt
| # Translated by iptables-restore-translate v1.8.13 on Tue Mar 10 17:29:17 2026
| add table ip filter
| add rule ip filter FORWARD ip saddr 1.2.3.4 counter
| # -t filter -A FORWARD -m recent --set
| iptables-translate-restore: line 3 failed

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/xtables-translate.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 3d8617f05b120..74cc8efffc0eb 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -297,8 +297,8 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
 
 	switch (p.command) {
 	case CMD_APPEND:
-		ret = 1;
-		if (!xlate(h, &p, &cs, &args, true, nft_rule_xlate_add))
+		ret = xlate(h, &p, &cs, &args, true, nft_rule_xlate_add);
+		if (!ret)
 			print_ipt_cmd(argc, argv);
 		break;
 	case CMD_DELETE:
@@ -310,8 +310,8 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
 	case CMD_REPLACE:
 		break;
 	case CMD_INSERT:
-		ret = 1;
-		if (!xlate(h, &p, &cs, &args, false, nft_rule_xlate_add))
+		ret = xlate(h, &p, &cs, &args, false, nft_rule_xlate_add);
+		if (!ret)
 			print_ipt_cmd(argc, argv);
 		break;
 	case CMD_FLUSH:
@@ -558,7 +558,7 @@ static int xtables_xlate_main(int family, const char *progname, int argc,
 
 	ret = do_command_xlate(&h, argc, argv, &table, false);
 	if (!ret)
-		fprintf(stderr, "Translation not implemented\n");
+		fprintf(stderr, "Translation not (fully) implemented\n");
 
 	nft_fini(&h);
 	xtables_fini();
-- 
2.51.0

Re: [iptables PATCH] xtables-translate: Return non-zero if translation fails

[Florian Westphal]

Phil Sutter <phil@nwl.cc> wrote:
> Untranslated parts in output are easily overlooked and also don't disrupt
> piping into nft (which is a bad idea to begin with), so make a little
> noise if things go sideways:

Makes sense to me.

Acked-by: Florian Westphal <fw@strlen.de>

Re: [iptables PATCH] xtables-translate: Return non-zero if translation fails

[Phil Sutter]

On Tue, Mar 10, 2026 at 06:37:14PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Untranslated parts in output are easily overlooked and also don't disrupt
> > piping into nft (which is a bad idea to begin with), so make a little
> > noise if things go sideways:
> 
> Makes sense to me.
> 
> Acked-by: Florian Westphal <fw@strlen.de>

There is a downside: Previously, you could check "translatability" of an
entire dump. With my patch, you have to drop/comment out problematic
rules in order to continue.

It is not exactly a trivial change but maybe worth the effort to
implement a "keep going" flag, what do you think?

Cheers, Phil

Re: [iptables PATCH] xtables-translate: Return non-zero if translation fails

[Phil Sutter]

On Tue, Mar 10, 2026 at 06:37:14PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Untranslated parts in output are easily overlooked and also don't disrupt
> > piping into nft (which is a bad idea to begin with), so make a little
> > noise if things go sideways:
> 
> Makes sense to me.
> 
> Acked-by: Florian Westphal <fw@strlen.de>

Patch applied, thanks!