-rw-r--r--include/linux/netfilter/nf_tables.h14
-rw-r--r--iptables/nft.c8
2 files changed, 22 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 5385bf32..5f40dc05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -97,10 +97,24 @@ enum nft_rule_attributes {
NFTA_RULE_HANDLE,
NFTA_RULE_EXPRESSIONS,
NFTA_RULE_FLAGS,
+ NFTA_RULE_COMPAT,
__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
+enum nft_rule_compat_flags {
+ NFT_RULE_COMPAT_F_INV = (1 << 1),
+ NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV,
+};
+
+enum nft_rule_compat_attributes {
+ NFTA_RULE_COMPAT_UNSPEC,
+ NFTA_RULE_COMPAT_PROTO,
+ NFTA_RULE_COMPAT_FLAGS,
+ __NFTA_RULE_COMPAT_MAX
+};
+#define NFTA_RULE_COMPAT_MAX (__NFTA_RULE_COMPAT_MAX - 1)
+
/**
* enum nft_set_flags - nf_tables set flags
*
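Review bot: `NFT_RULE_COMPAT_F_INV = (1 << 1)` leaves bit 0 unassigned and `NFT_RULE_COMPAT_F_MASK` covers only bit 1, with no comment saying whether the gap is deliberate. Neither new enum has a kernel-doc block, although `enum nft_set_flags` directly below has one. I would add a short block above each enum naming the members (protocol number, flags word), plus a line such as `/* bit 0 is not assigned; any bit outside NFT_RULE_COMPAT_F_MASK is invalid */` if that is the intent. Whatever parses `NFTA_RULE_COMPAT_FLAGS` should reject values outside the mask, and a documented mask makes that check easy to audit. If this header is a synced copy of the kernel header, the comments belong in the original too.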
diff --git a/iptables/nft.c b/iptables/nft.c
index f42e4377..c3d5d610 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -800,6 +800,13 @@ static void add_addr(struct nft_rule *r, int offset,
add_cmp_ptr(r, op, data, len);
}
+static void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
+{
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto);
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS,
+ inv ? NFT_RULE_COMPAT_F_INV : 0);
+}
+
static void add_proto(struct nft_rule *r, int offset, size_t len,
uint32_t proto, int invflags)
{
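Review bot: add_compat() has no comment explaining why the protocol and its inversion are stored a second time as rule attributes when add_proto() already emits the comparison expression. A one-line header such as `/* Record protocol and inversion as rule compat attributes, in addition to the cmp expression built by add_proto(). */` would show that the duplication is intentional and name who relies on it. `NFT_RULE_ATTR_COMPAT_PROTO` and `NFT_RULE_ATTR_COMPAT_FLAGS` are not defined anywhere in this diff, so they presumably come from the rule library's headers. If so, the commit should state the minimum library version it needs.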
@@ -813,6 +820,7 @@ static void add_proto(struct nft_rule *r, int offset, size_t len,
op = NFT_CMP_EQ;
add_cmp_u32(r, proto, op);
+ add_compat(r, proto, invflags & XT_INV_PROTO);
}
int
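Review bot: `invflags & XT_INV_PROTO` is passed straight into add_compat()'s `bool inv` parameter, which is only correct when `bool` is the C99 `_Bool` type. With a narrower integer typedef, a mask bit above the type's width would be truncated to 0. Writing the call as `add_compat(r, proto, (invflags & XT_INV_PROTO) != 0);` makes the conversion explicit and independent of how `bool` is defined. add_proto()'s body begins outside this hunk, so I cannot see whether the inverted branch uses the same test; the two should agree so that the cmp operator and the compat flag cannot diverge.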