author | Phil Sutter <phil@nwl.cc> | 2023-08-15 13:47:28 +0200 |
committer | Phil Sutter <phil@nwl.cc> | 2023-09-01 13:15:03 +0200 |
commit | 35ff97e9aca8cd301ff9b9a95b0a72de1aeb700b (patch) | |
tree | 5f4b36dfccf29e4290e48b3a7dfe6bc7dab5dbf2 /iptables/nft.c | |
parent | 63e4a64e943be64a7e0486838071b981074e696d (diff) |
Revert --compat option related commits
This reverts the following commits:
b14c971db6db0 ("tests: Test compat mode")
11c464ed015b5 ("Add --compat option to *tables-nft and *-nft-restore commands")
ca709b5784c98 ("nft: Introduce and use bool nft_handle::compat")
402b9b3c07c81 ("nft: Pass nft_handle to add_{target,action}()")
This implementation of a compatibility mode implements rules using
xtables extensions if possible and thus relies upon the existence of
those in kernel space. Assuming no viable replacement for the internal
mechanics of this mode will be found in the foreseeable future, it will
effectively block attempts at deprecating and removing these xtables
extensions in favor of nftables expressions and thus hinder upstream's
future plans for iptables.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 09ff9cf1..97fd4f49 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1476,12 +1476,10 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
 	case NFT_COMPAT_RULE_APPEND:
 	case NFT_COMPAT_RULE_INSERT:
 	case NFT_COMPAT_RULE_REPLACE:
-		if (!strcmp(m->u.user.name, "among"))
-			return add_nft_among(h, r, m);
-		else if (h->compat)
-			break;
-		else if (!strcmp(m->u.user.name, "limit"))
+		if (!strcmp(m->u.user.name, "limit"))
 			return add_nft_limit(r, m);
+		else if (!strcmp(m->u.user.name, "among"))
+			return add_nft_among(h, r, m);
 		else if (!strcmp(m->u.user.name, "udp"))
 			return add_nft_udp(h, r, m);
 		else if (!strcmp(m->u.user.name, "tcp"))
@@ -1540,13 +1538,12 @@ static int add_meta_nftrace(struct nftnl_rule *r)
 	return 0;
 }
 
-int add_target(struct nft_handle *h, struct nftnl_rule *r,
-	       struct xt_entry_target *t)
+int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
 {
 	struct nftnl_expr *expr;
 	int ret;
 
-	if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0)
+	if (strcmp(t->u.user.name, "TRACE") == 0)
 		return add_meta_nftrace(r);
 
 	expr = nftnl_expr_alloc("target");
@@ -1590,8 +1587,8 @@ int add_verdict(struct nftnl_rule *r, int verdict)
 	return 0;
 }
 
-int add_action(struct nft_handle *h, struct nftnl_rule *r,
-	       struct iptables_command_state *cs, bool goto_set)
+int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
+	       bool goto_set)
 {
 	int ret = 0;
 
@@ -1607,7 +1604,7 @@ int add_action(struct nft_handle *h, struct nftnl_rule *r,
 	else if (strcmp(cs->jumpto, "NFLOG") == 0)
 		ret = add_log(r, cs);
 	else
-		ret = add_target(h, r, cs->target->t);
+		ret = add_target(r, cs->target->t);
 	} else if (strlen(cs->jumpto) > 0) {
 		/* Not standard, then it's a go / jump to chain */
 		if (goto_set)
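Review bot: The new `add_target(struct nftnl_rule *r, struct xt_entry_target *t)` and `add_action(..., bool goto_set)` signatures drop the `nft_handle` parameter, but this diffstat is limited to iptables/nft.c, so the matching prototypes in the header and any callers in other translation units are not visible here; presumably the full revert updates them, otherwise the build breaks at the first external call site. The TRACE special case in add_target also deserves a line of documentation now that it is unconditional, e.g. `/* TRACE is translated to nft meta nftrace, never to the xt TRACE target */` above the `strcmp(t->u.user.name, "TRACE")` check, so a future reader does not re-add a handle-based bypass. The bodies of add_match, add_target and add_action all continue outside their hunks.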