-rw-r--r--iptables/nft-arp.c2
-rw-r--r--iptables/nft-bridge.c4
-rw-r--r--iptables/nft-ipv4.c2
-rw-r--r--iptables/nft-ipv6.c2
-rw-r--r--iptables/nft-shared.c5
-rw-r--r--iptables/nft-shared.h4
6 files changed, 18 insertions, 1 deletions
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 06d86647..164c3971 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -667,6 +667,8 @@ struct nft_family_ops nft_family_ops_arp = {
.save_firewall = NULL,
.save_counters = NULL,
.post_parse = NULL,
+ .rule_to_cs = nft_rule_to_arptables_command_state,
+ .clear_cs = NULL,
.rule_find = nft_arp_rule_find,
.parse_target = nft_arp_parse_target,
};
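Review bot: `.clear_cs = NULL` makes this callback optional for the arp family, but nothing visible in the commit states that contract, so a caller that invokes `ops->clear_cs(cs)` unconditionally would call through a null function pointer and crash. The call sites are outside this diff; each should guard the call, e.g. `if (ops->clear_cs) ops->clear_cs(&cs);`. The member declaration in nft-shared.h should also carry a comment such as `/* optional: NULL when rule_to_cs leaves nothing to release */`. Because the body of nft_rule_to_arptables_command_state is not shown here, it is worth confirming that it really leaves nothing allocated in `cs`.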
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 4b3c163b..3834d6dd 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -347,7 +347,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
cs->target = t;
}
-static void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
+static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,
struct iptables_command_state *cs)
{
cs->eb.bitmask = EBT_NOPROTO;
@@ -733,6 +733,8 @@ struct nft_family_ops nft_family_ops_bridge = {
.save_firewall = NULL,
.save_counters = NULL,
.post_parse = NULL,
+ .rule_to_cs = nft_rule_to_ebtables_command_state,
+ .clear_cs = ebt_cs_clean,
.rule_find = nft_bridge_rule_find,
.xlate = nft_bridge_xlate,
};
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index bddd784c..36258c97 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -519,6 +519,8 @@ struct nft_family_ops nft_family_ops_ipv4 = {
.proto_parse = nft_ipv4_proto_parse,
.post_parse = nft_ipv4_post_parse,
.parse_target = nft_ipv4_parse_target,
+ .rule_to_cs = nft_rule_to_iptables_command_state,
+ .clear_cs = nft_clear_iptables_command_state,
.rule_find = nft_ipv4_rule_find,
.xlate = nft_ipv4_xlate,
};
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 79c02e44..41926019 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -474,6 +474,8 @@ struct nft_family_ops nft_family_ops_ipv6 = {
.proto_parse = nft_ipv6_proto_parse,
.post_parse = nft_ipv6_post_parse,
.parse_target = nft_ipv6_parse_target,
+ .rule_to_cs = nft_rule_to_iptables_command_state,
+ .clear_cs = nft_clear_iptables_command_state,
.rule_find = nft_ipv6_rule_find,
.xlate = nft_ipv6_xlate,
};
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 12c22a40..87d48bf6 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -626,6 +626,11 @@ void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
cs->jumpto = "";
}
+void nft_clear_iptables_command_state(struct iptables_command_state *cs)
+{
+ xtables_rule_matches_free(&cs->matches);
+}
+
void print_header(unsigned int format, const char *chain, const char *pol,
const struct xt_counters *counters, bool basechain,
uint32_t refs)
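Review bot: nft_clear_iptables_command_state() releases only `cs->matches`, while its name suggests it undoes everything nft_rule_to_iptables_command_state() populated. The body of that function lies outside the hunk, so whether it also allocates target data is not visible here; if it does, that memory is left to the caller and would leak for every rule converted. A header comment stating exactly what is freed would settle the contract, e.g. `/* Frees the match list built by nft_rule_to_iptables_command_state(); cs->target is not released. */`.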
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 2ad1ae6b..8172c873 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -101,6 +101,9 @@ struct nft_family_ops {
struct xtables_args *args);
void (*parse_match)(struct xtables_match *m, void *data);
void (*parse_target)(struct xtables_target *t, void *data);
+ void (*rule_to_cs)(const struct nftnl_rule *r,
+ struct iptables_command_state *cs);
+ void (*clear_cs)(struct iptables_command_state *cs);
bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
void *data);
int (*xlate)(const void *data, struct xt_xlate *xl);
@@ -144,6 +147,7 @@ void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters);
void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
struct iptables_command_state *cs);
+void nft_clear_iptables_command_state(struct iptables_command_state *cs);
void print_header(unsigned int format, const char *chain, const char *pol,
const struct xt_counters *counters, bool basechain,
uint32_t refs);