Issues when parsing output from NFTables

[mheon]

Running on a system using nftables for firewalling (IPTables version iptables v1.8.0 (nf_tables)), go-iptables causes a slice out of bounds panic while trying to adjust some firewall rules.

Relevant error message (generated by CNI portmap plugin): https://paste.fedoraproject.org/paste/Lt73H2OSbAzJJoc5eNJqRQ

This is seemingly caused by https://github.com/containernetworking/plugins/blob/master/plugins/meta/portmap/chain.go#L80 returning a slice with fewer than 2 entries.

I'm told this is likely a result of an error parsing the output of nftables-backed IPTables which seems to have slightly different field arrangement.

[squeed]

Taking a look at this.

[squeed]

Ideally we switch List to use the output of iptables-save, which has a more stable output. Let's see if that breaks anything.

[squeed]

Really, we should move the whole library over to using iptables-save...

[squeed]

More immediately, when using iptables in standard (legacy) mode, iptables -S returns the exact output that would result in a chain, e.g.

$ iptables -t filter  -S foo1
-N foo1
-A foo1 -p tcp -m tcp --dport 1337 -j ACCEPT

However, when it is in nftables mode, the output includes the counters in iptables-save format:

$ iptables -t filter -S foo1
-N foo1
[0:0] -A foo1 -p tcp -m tcp --dport 1337 -j ACCEPT

So we just have to detect that and work around.

[erig0]

FWIW, I just posted a fix for the counters upstream.

edit: Applied upstream, ed30b9311d2b ("nft: don't print rule counters unless verbose")