author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-04-24 22:19:14 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-05-02 13:16:28 +0200 |
commit | 94309632a13000e06ed02e08f0bcbed94080abb3 (patch) | |
tree | 7bbf339710962aae796655ba2535e4ef7e34e648 /iptables/nft.c | |
parent | aa92ec96078d09f9b3639109d7a24797ebb239ff (diff) |
nft: native mark matching support
Use meta mark + bitwise + cmp instead of nft_compat mark match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 6883662f..a629aeff 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -40,6 +40,7 @@
 #include <linux/netfilter/xt_limit.h>
 #include <linux/netfilter/xt_NFLOG.h>
+#include <linux/netfilter/xt_mark.h>
 #include <libmnl/libmnl.h>
 #include <libnftnl/gen.h>
@@ -1406,6 +1407,26 @@ static int add_nft_tcp(struct nftnl_rule *r, struct xt_entry_match *m)
 tcp->dpts, tcp->invflags & XT_TCP_INV_DSTPT);
 }
+static int add_nft_mark(struct nft_handle *h, struct nftnl_rule *r,
+ struct xt_entry_match *m)
+{
+ struct xt_mark_mtinfo1 *mark = (void *)m->data;
+ int op;
+
+ add_meta(r, NFT_META_MARK);
+ if (mark->mask != 0xffffffff)
+ add_bitwise(r, (uint8_t *)&mark->mask, sizeof(uint32_t));
+
+ if (mark->invert)
+ op = NFT_CMP_NEQ;
+ else
+ op = NFT_CMP_EQ;
+
+ add_cmp_u32(r, mark->mark, op);
+
+ return 0;
+}
+
 int add_match(struct nft_handle *h, struct nftnl_rule *r,
 struct xt_entry_match *m)
 {
@@ -1420,6 +1441,8 @@ int add_match(struct nft_handle *h,
 return add_nft_udp(r, m);
 else if (!strcmp(m->u.user.name, "tcp"))
 return add_nft_tcp(r, m);
+else if (!strcmp(m->u.user.name, "mark"))
+return add_nft_mark(h, r, m);
 expr = nftnl_expr_alloc("match");
 if (expr == NULL) |
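Review bot: add_nft_mark in the second hunk reads m->data as struct xt_mark_mtinfo1 without checking the match revision, and the dispatch added in the third hunk keys on the name "mark" alone. The mark match also exists as revision 0 (struct xt_mark_info, whose mark and mask fields are unsigned long), so if a revision-0 entry can reach add_match here its payload would be decoded through the wrong layout and the installed rule would test a different mark value than the one the user asked for; I cannot tell from these hunks whether an earlier step already guarantees revision 1. Restricting the native path to the layout the function actually decodes keeps any older entry on the existing nft_compat path: `else if (!strcmp(m->u.user.name, "mark") && m->u.user.revision == 1)`. As a minor point of style, the h parameter of add_nft_mark is never used in its body. The add_match body in the third hunk continues outside the hunk.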