authorPhil Sutter <phil@nwl.cc>2023-02-16 21:55:54 +0100
committerPhil Sutter <phil@nwl.cc>2023-02-17 18:18:48 +0100
commitf5993955ab1d1ef34a0729af2eb58e1eb4f084da (patch)
treeeda1d3e7c130bfa1703a00baaf1abd1796a3fe18 /iptables/nft-shared.h
parentaa72fad69a7709f3610f1adc4794885c79788d08 (diff)
nft-shared: Lookup matches in iptables_command_state
Some matches may turn into multiple nft statements (naturally or via translation). Such statements must parse into a single extension again in order to rebuild the rule as it was. Introduce nft_find_match_in_cs() to iterate through the lists and drop tcp/udp port match caching in struct nft_xt_ctx which is not needed anymore. Note: Match reuse is not enabled unconditionally for all matches, because iptables supports having multiple instances of the same extension. Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft-shared.h')
-rw-r--r--iptables/nft-shared.h4
1 files changed, 0 insertions, 4 deletions
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 07d39131..b8bc1a6c 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -76,10 +76,6 @@ struct nft_xt_ctx {
struct nft_handle *h;
uint32_t flags;
const char *table;
- union {
- struct xt_tcp *tcp;
- struct xt_udp *udp;
- } tcpudp;
struct nft_xt_ctx_reg regs[1 + 16];