author | Phil Sutter <phil@nwl.cc> | 2023-05-05 17:39:08 +0200 |
committer | Phil Sutter <phil@nwl.cc> | 2023-08-11 15:56:38 +0200 |
commit | ca709b5784c982de12d6eab361cfc9c900aec4c7 (patch) | |
tree | f9050ead4c83cffa9f933cb988ad1cba330d5163 /iptables | |
parent | 402b9b3c07c8192be3bfc0191fbf56401e26a003 (diff) |
nft: Introduce and use bool nft_handle::compat
If set, create rules using compat expressions where possible and disable
the bitwise expression avoidance introduced in 323259001d617 ("nft:
Optimize class-based IP prefix matches").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-shared.c | 2 | ||||
-rw-r--r-- | iptables/nft.c | 10 | ||||
-rw-r--r-- | iptables/nft.h | 1 |
3 files changed, 8 insertions, 5 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 34ca9d16..5e0ca00e 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -198,7 +198,7 @@ void add_addr(struct nft_handle *h, struct nftnl_rule *r,
 for (i = 0; i < len; i++) {
 if (m[i] != 0xff) {
- bitwise = m[i] != 0;
+ bitwise = h->compat || m[i] != 0;
 break;
 }
 }
diff --git a/iptables/nft.c b/iptables/nft.c
index 1fc12b0c..09ff9cf1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1476,10 +1476,12 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
 case NFT_COMPAT_RULE_APPEND:
 case NFT_COMPAT_RULE_INSERT:
 case NFT_COMPAT_RULE_REPLACE:
- if (!strcmp(m->u.user.name, "limit"))
- return add_nft_limit(r, m);
- else if (!strcmp(m->u.user.name, "among"))
+ if (!strcmp(m->u.user.name, "among"))
 return add_nft_among(h, r, m);
+ else if (h->compat)
+ break;
+ else if (!strcmp(m->u.user.name, "limit"))
+ return add_nft_limit(r, m);
 else if (!strcmp(m->u.user.name, "udp"))
 return add_nft_udp(h, r, m);
 else if (!strcmp(m->u.user.name, "tcp"))
@@ -1544,7 +1546,7 @@ int add_target(struct nft_handle *h, struct nftnl_rule *r,
 struct nftnl_expr *expr;
 int ret;
- if (strcmp(t->u.user.name, "TRACE") == 0)
+ if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0)
 return add_meta_nftrace(r);
 expr = nftnl_expr_alloc("target");
diff --git a/iptables/nft.h b/iptables/nft.h
index a89aff0a..fb9fc81e 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -111,6 +111,7 @@ struct nft_handle {
 struct list_head cmd_list;
 bool cache_init;
 int verbose;
+ bool compat;
 /* meta data, for error reporting */
 struct { |
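Review bot: The new `h->compat ||` term in add_addr's mask scan carries no explanation, so a reader will not know why compat mode turns a prefix mask into an explicit bitwise expression. A short comment tied to the commit message would do: `/* compat: never elide the bitwise mask, see 323259001d617 */`. Note that this assignment only runs for a mask byte other than 0xff, so an all-ones mask leaves `bitwise` at whatever it was initialised to before the hunk — that looks intended but is worth confirming. add_addr starts and ends outside the hunk.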
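Review bot: In add_match the `among` branch deliberately stays ahead of the new `else if (h->compat) break;`, so compat mode still emits a native expression for that one match while every other match falls through to the generic path, yet nothing in the hunk says why. Presumably there is no compat-side implementation for among; a one-line comment above the chain, such as `/* "among" has no compat fallback, so it stays native even with h->compat */`, would stop the next maintainer from "fixing" the order. Where the `break` lands and the rest of add_match are outside the hunk.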
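Review bot: The new `bool compat;` member in struct nft_handle is the only field in this hunk whose meaning is not evident from its name, and nothing in the three touched files sets it, so its default of false relies on the handle being zero-initialised wherever it is created — that is outside the diff and worth confirming. Suggest documenting it inline, `bool compat; /* emit compat (xt) expressions where possible, skip native translations */`, which is what the commit message describes.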