author | Phil Sutter <phil@nwl.cc> | 2018-07-19 18:31:57 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-07-19 23:04:01 +0200 |
commit | 1866625f0befbc04673017692813f48d084004ff (patch) | |
tree | afef4450d4ae51c3d1856eb9b82164c6ee15595c | |
parent | 05894576bf78e8f3ec4e816ffc908a2dbced0350 (diff) |
xtables: introduce rule_to_cs/clear_cs callbacks
This introduces callbacks in nft_family_ops for parsing an nftnl rule
into iptables_command_state and clearing it afterwards.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r-- | iptables/nft-arp.c | 2 | ||||
-rw-r--r-- | iptables/nft-bridge.c | 4 | ||||
-rw-r--r-- | iptables/nft-ipv4.c | 2 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 2 | ||||
-rw-r--r-- | iptables/nft-shared.c | 5 | ||||
-rw-r--r-- | iptables/nft-shared.h | 4 |
6 files changed, 18 insertions, 1 deletions
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 06d86647..164c3971 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -667,6 +667,8 @@ struct nft_family_ops nft_family_ops_arp = {
 .save_firewall = NULL,
 .save_counters = NULL,
 .post_parse = NULL,
+ .rule_to_cs = nft_rule_to_arptables_command_state,
+ .clear_cs = NULL,
 .rule_find = nft_arp_rule_find,
 .parse_target = nft_arp_parse_target,
 };
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 4b3c163b..3834d6dd 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -347,7 +347,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
 cs->target = t;
 }
 
-static void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
+static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,
 struct iptables_command_state *cs)
 {
 cs->eb.bitmask = EBT_NOPROTO;
@@ -733,6 +733,8 @@ struct nft_family_ops nft_family_ops_bridge = {
 .save_firewall = NULL,
 .save_counters = NULL,
 .post_parse = NULL,
+ .rule_to_cs = nft_rule_to_ebtables_command_state,
+ .clear_cs = ebt_cs_clean,
 .rule_find = nft_bridge_rule_find,
 .xlate = nft_bridge_xlate,
 };
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index bddd784c..36258c97 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -519,6 +519,8 @@ struct nft_family_ops nft_family_ops_ipv4 = {
 .proto_parse = nft_ipv4_proto_parse,
 .post_parse = nft_ipv4_post_parse,
 .parse_target = nft_ipv4_parse_target,
+ .rule_to_cs = nft_rule_to_iptables_command_state,
+ .clear_cs = nft_clear_iptables_command_state,
 .rule_find = nft_ipv4_rule_find,
 .xlate = nft_ipv4_xlate,
 };
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 79c02e44..41926019 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
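Review bot: `.clear_cs = NULL` in the arp ops table means any caller that dispatches `ops->clear_cs(cs)` unconditionally will call through a null function pointer for the arp family, while the bridge, ipv4 and ipv6 tables in this same commit all supply a real function; the new `clear_cs` member in the nft-shared.h hunk should document this, e.g. `/* may be NULL when the family allocates nothing that needs freeing */`, and any dispatch site (none is visible in this diff) should guard with `if (ops->clear_cs) ops->clear_cs(cs);`. Separately, the bridge hunk const-qualifies the rule parameter of `nft_rule_to_ebtables_command_state` to match the `rule_to_cs` prototype, but nothing here does the same for `nft_rule_to_arptables_command_state`; if its declaration still takes a non-const `struct nftnl_rule *`, this initializer is an incompatible-pointer-type assignment, so its signature is worth checking.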
@@ -474,6 +474,8 @@ struct nft_family_ops nft_family_ops_ipv6 = {
 .proto_parse = nft_ipv6_proto_parse,
 .post_parse = nft_ipv6_post_parse,
 .parse_target = nft_ipv6_parse_target,
+ .rule_to_cs = nft_rule_to_iptables_command_state,
+ .clear_cs = nft_clear_iptables_command_state,
 .rule_find = nft_ipv6_rule_find,
 .xlate = nft_ipv6_xlate,
 };
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 12c22a40..87d48bf6 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -626,6 +626,11 @@ void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
 cs->jumpto = "";
 }
 
+void nft_clear_iptables_command_state(struct iptables_command_state *cs)
+{
+ xtables_rule_matches_free(&cs->matches);
+}
+
 void print_header(unsigned int format, const char *chain, const char *pol,
 const struct xt_counters *counters, bool basechain,
 uint32_t refs)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 2ad1ae6b..8172c873 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -101,6 +101,9 @@ struct nft_family_ops {
 struct xtables_args *args);
 void (*parse_match)(struct xtables_match *m, void *data);
 void (*parse_target)(struct xtables_target *t, void *data);
+ void (*rule_to_cs)(const struct nftnl_rule *r,
+ struct iptables_command_state *cs);
+ void (*clear_cs)(struct iptables_command_state *cs);
 bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
 void *data);
 int (*xlate)(const void *data, struct xt_xlate *xl);
@@ -144,6 +147,7 @@ void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters);
 void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
 void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
 struct iptables_command_state *cs);
+void nft_clear_iptables_command_state(struct iptables_command_state *cs);
 void print_header(unsigned int format, const char *chain, const char *pol,
 const struct xt_counters *counters, bool basechain,
 uint32_t refs);
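Review bot: The new `nft_clear_iptables_command_state` in the nft-shared.c hunk carries no comment saying what it is responsible for releasing, even though it is installed as the `clear_cs` counterpart of `nft_rule_to_iptables_command_state` and only frees the match list. A header such as `/* clear_cs callback: release the match list that nft_rule_to_iptables_command_state() built into cs; nothing else in cs is touched here. */` would tell the next maintainer what still has to be cleaned up elsewhere. If `xtables_rule_matches_free()` does not reset `cs->matches` after freeing, a second call on the same cs would double-free, so either confirm that it does or add `cs->matches = NULL;` after the call.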