author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-09-18 14:57:38 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:47 +0100 |
commit | c6836c19592dbe1a8be9b0ad76c0ae09abcb82e7 (patch) | |
tree | 2c55030fb02a9a7fefe62dbebdf6626ce4be11ba /iptables/nft-ipv4.c | |
parent | e2a2c72277b49ac611809b3978365ab3010e1597 (diff) |
nft: consolidate nft_rule_new to support ARP
This patch removes nft_arp_rule_new, which is almost a copy and paste
of the original nft_rule_new. This patch generalizes the
infrastructure to support ARP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-ipv4.c')
-rw-r--r-- | iptables/nft-ipv4.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 2142a2e6..3be801d3 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -22,11 +22,13 @@
 #include <linux/netfilter/nf_tables.h>
 
+#include "nft.h"
 #include "nft-shared.h"
 
 static int nft_ipv4_add(struct nft_rule *r, void *data)
 {
 	struct iptables_command_state *cs = data;
+	struct xtables_rule_match *matchp;
 	uint32_t op;
 
 	if (cs->fw.ip.iniface[0] != '\0')
@@ -63,7 +65,18 @@ static int nft_ipv4_add(struct nft_rule *r, void *data)
 
 	add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
 
-	return cs->fw.ip.flags;
+	for (matchp = cs->matches; matchp; matchp = matchp->next) {
+		if (add_match(r, matchp->match->m) < 0)
+			break;
+	}
+
+	/* Counters need to me added before the target, otherwise they are
+	 * increased for each rule because of the way nf_tables works.
+	 */
+	if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
+		return -1;
+
+	return add_action(r, cs, cs->fw.ip.flags);
 }
 
 static bool nft_ipv4_is_same(const void *data_a,
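Review bot: In the second hunk the match loop only `break`s when add_match() fails, after which nft_ipv4_add still adds the counters and the action and returns add_action's result, so a rule whose match expression could not be encoded is emitted with that match silently dropped and therefore matches more traffic than the user asked for. The failure should be propagated the same way the counters check two lines below already does: `if (add_match(r, matchp->match->m) < 0) return -1;`. The new comment also carries a typo, `Counters need to me added` should read `Counters need to be added`. The body of nft_ipv4_add continues between the two hunks and its middle part is not visible here.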