diff options
author | Phil Sutter <phil@nwl.cc> | 2023-05-05 17:39:08 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2023-08-11 15:56:38 +0200 |
commit | ca709b5784c982de12d6eab361cfc9c900aec4c7 (patch) | |
tree | f9050ead4c83cffa9f933cb988ad1cba330d5163 /iptables/nft.c | |
parent | 402b9b3c07c8192be3bfc0191fbf56401e26a003 (diff) |
nft: Introduce and use bool nft_handle::compat
If set, create rules using compat expressions where possible and disable
the bitwise expression avoidance introduced in 323259001d617 ("nft:
Optimize class-based IP prefix matches").
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/iptables/nft.c b/iptables/nft.c index 1fc12b0c..09ff9cf1 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1476,10 +1476,12 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, case NFT_COMPAT_RULE_APPEND: case NFT_COMPAT_RULE_INSERT: case NFT_COMPAT_RULE_REPLACE: - if (!strcmp(m->u.user.name, "limit")) - return add_nft_limit(r, m); - else if (!strcmp(m->u.user.name, "among")) + if (!strcmp(m->u.user.name, "among")) return add_nft_among(h, r, m); + else if (h->compat) + break; + else if (!strcmp(m->u.user.name, "limit")) + return add_nft_limit(r, m); else if (!strcmp(m->u.user.name, "udp")) return add_nft_udp(h, r, m); else if (!strcmp(m->u.user.name, "tcp")) @@ -1544,7 +1546,7 @@ int add_target(struct nft_handle *h, struct nftnl_rule *r, struct nftnl_expr *expr; int ret; - if (strcmp(t->u.user.name, "TRACE") == 0) + if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0) return add_meta_nftrace(r); expr = nftnl_expr_alloc("target"); |