author | Phil Sutter <phil@nwl.cc> | 2018-08-10 17:07:35 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-08-16 19:43:47 +0200 |
commit | 5de8dcf75941c533f2dae8a40bf8b6128b8287f3 (patch) | |
tree | 3d793f5755ce0af3ee3b2f43e82b36dd364324a6 /extensions/libebt_nflog.c | |
parent | 514de4801b731db471298f4508f9534bcefec006 (diff) |
xtables: Use native nftables limit expression
The original issue was that for a rule with limit match added by
ebtables-nft, the kernel might attempt to use xt_limit instead of
ebt_limit (and fail due to that). This happens if xt_limit.ko is loaded
but ebt_limit.ko is not, because the kernel prefers the
family-independent variants.
There are multiple ways to avoid the above issue, but using neither xt_limit
nor ebt_limit with nft-variants should be the most effective one.
Therefore translate a created limit match in userspace into native
nftables code before sending it to the kernel and do the reverse translation
when listing rules. Apart from the translation routines, this requires
slight adjustment of nft_is_expr_compatible() since neither xt_limit nor
ebt_limit support byte-based limits or inverted limit match.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libebt_nflog.c')
0 files changed, 0 insertions, 0 deletions
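The commit message describes a userspace round trip: an iptables/ebtables `--limit` match is emitted as a native nftables `limit` expression, and on listing the expression is turned back into a match, which is only possible when the expression stays within what xt_limit/ebt_limit can express (packet-based, not inverted). The following is an added illustration of that rule, not code from iptables or nftables; the `Limit` type, the parsers and the default burst of 5 used when an `nft` expression omits it are assumptions made here for the example.

```python
"""Model of the limit translation and compatibility rule described in the
commit message. Hypothetical helper code written for this page; it does not
reproduce iptables' or nftables' own parsers or data structures."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    rate: int
    unit: str          # second / minute / hour / day
    burst: int
    bytes_based: bool  # nft "N bytes/second"; xt_limit cannot express this
    inverted: bool     # nft "limit rate over ..."; xt_limit cannot express this


class IncompatibleLimit(ValueError):
    """Raised when a native nft limit has no xt_limit/ebt_limit equivalent."""


# iptables/ebtables style: "--limit 10/second --limit-burst 5"
_XT_RE = re.compile(
    r"--limit\s+(\d+)/(second|minute|hour|day)(?:\s+--limit-burst\s+(\d+))?$"
)
# nft style: "limit rate [over] N[ bytes]/unit [burst M packets|bytes]"
_NFT_RE = re.compile(
    r"limit rate (over )?(\d+)( bytes)?/(second|minute|hour|day)"
    r"(?: burst (\d+) (packets|bytes))?$"
)


def parse_xt_limit(args: str) -> Limit:
    """Parse the match arguments as a user would type them for iptables-nft."""
    m = _XT_RE.match(args.strip())
    if not m:
        raise ValueError(f"cannot parse limit match: {args!r}")
    rate, unit, burst = m.groups()
    # --limit-burst defaults to 5 in iptables; packets only, never inverted.
    return Limit(int(rate), unit, int(burst) if burst else 5, False, False)


def to_nft(lim: Limit) -> str:
    """Render the limit as a native nft expression (what reaches the kernel)."""
    over = "over " if lim.inverted else ""
    kind = " bytes" if lim.bytes_based else ""
    burst_kind = "bytes" if lim.bytes_based else "packets"
    return f"limit rate {over}{lim.rate}{kind}/{lim.unit} burst {lim.burst} {burst_kind}"


def parse_nft(expr: str) -> Limit:
    """Parse an nft limit expression as it would be read back when listing."""
    m = _NFT_RE.match(expr.strip())
    if not m:
        raise ValueError(f"cannot parse nft limit: {expr!r}")
    over, rate, bytes_flag, unit, burst, _burst_kind = m.groups()
    bytes_based = bytes_flag is not None
    # Assumed default when burst is omitted: 5 for packet limits (mirrors
    # iptables), 0 for byte limits. Constructed for the example only.
    burst_val = int(burst) if burst else (0 if bytes_based else 5)
    return Limit(int(rate), unit, burst_val, bytes_based, over is not None)


def is_xt_compatible(lim: Limit) -> bool:
    """The rule the commit attributes to nft_is_expr_compatible(): neither
    xt_limit nor ebt_limit supports byte-based or inverted limits."""
    return not (lim.bytes_based or lim.inverted)


def to_xt_limit(lim: Limit) -> str:
    """Reverse translation for listing; refuses limits xt_limit cannot show."""
    if not is_xt_compatible(lim):
        raise IncompatibleLimit(f"not representable as a limit match: {to_nft(lim)}")
    return f"--limit {lim.rate}/{lim.unit} --limit-burst {lim.burst}"


if __name__ == "__main__":
    # Constructed inputs: one rule a user adds via ebtables-nft, and two
    # native nft rules that cannot be listed as a limit match.
    rule = parse_xt_limit("--limit 10/second --limit-burst 5")
    print(to_nft(rule))
    print(to_xt_limit(parse_nft(to_nft(rule))))
    for expr in ("limit rate over 10/second", "limit rate 1024 bytes/second"):
        print(expr, "->", "compatible" if is_xt_compatible(parse_nft(expr)) else "incompatible")
```

The point of the round trip is that nothing in it ever asks the kernel for xt_limit or ebt_limit, which is what removes the family mismatch the commit message describes; the compatibility check is what keeps the listing path honest when a rule was written with native nft syntax instead.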