diff options
| author | Phil Sutter <phil@nwl.cc> | 2023-05-05 16:01:29 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2023-08-11 15:56:38 +0200 |
| commit | 402b9b3c07c8192be3bfc0191fbf56401e26a003 (patch) | |
| tree | e9ad98d8b47a739f314931e82436b05248ed192d /iptables | |
| parent | 2d6221641d66b502b1a49d3267bd8126b0448a1d (diff) | |
nft: Pass nft_handle to add_{target,action}()
Prepare for varying rule content based on a global flag.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
| -rw-r--r-- | iptables/nft-arp.c | 2 | ||||
| -rw-r--r-- | iptables/nft-bridge.c | 9 | ||||
| -rw-r--r-- | iptables/nft-ipv4.c | 2 | ||||
| -rw-r--r-- | iptables/nft-ipv6.c | 2 | ||||
| -rw-r--r-- | iptables/nft.c | 9 | ||||
| -rw-r--r-- | iptables/nft.h | 6 |
6 files changed, 17 insertions, 13 deletions
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 9868966a..14b352ce 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -151,7 +151,7 @@ static int nft_arp_add(struct nft_handle *h, struct nft_rule_ctx *ctx, else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) ret = add_verdict(r, NFT_RETURN); else - ret = add_target(r, cs->target->t); + ret = add_target(h, r, cs->target->t); } else if (strlen(cs->jumpto) > 0) { /* No goto in arptables */ ret = add_jumpto(r, cs->jumpto, NFT_JUMP); diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index 391a8ab7..616ae5a3 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -117,7 +117,8 @@ static int add_meta_broute(struct nftnl_rule *r) return 0; } -static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs) +static int _add_action(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state *cs) { const char *table = nftnl_rule_get_str(r, NFTNL_RULE_TABLE); @@ -133,7 +134,7 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs) } } - return add_action(r, cs, false); + return add_action(h, r, cs, false); } static int @@ -221,7 +222,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (nft_bridge_add_match(h, fw, ctx, r, iter->u.match->m)) break; } else { - if (add_target(r, iter->u.watcher->t)) + if (add_target(h, r, iter->u.watcher->t)) break; } } @@ -229,7 +230,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0) return -1; - return _add_action(r, cs); + return _add_action(h, r, cs); } static bool nft_rule_to_ebtables_command_state(struct nft_handle *h, diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 2f10220e..663052fc 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -95,7 +95,7 @@ static int nft_ipv4_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0) return -1; - return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO)); + return add_action(h, r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO)); } static bool nft_ipv4_is_same(const struct iptables_command_state *a, diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index d53f87c1..8bc633df 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -81,7 +81,7 @@ static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0) return -1; - return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO)); + return add_action(h, r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO)); } static bool nft_ipv6_is_same(const struct iptables_command_state *a, diff --git a/iptables/nft.c b/iptables/nft.c index 97fd4f49..1fc12b0c 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1538,7 +1538,8 @@ static int add_meta_nftrace(struct nftnl_rule *r) return 0; } -int add_target(struct nftnl_rule *r, struct xt_entry_target *t) +int add_target(struct nft_handle *h, struct nftnl_rule *r, + struct xt_entry_target *t) { struct nftnl_expr *expr; int ret; @@ -1587,8 +1588,8 @@ int add_verdict(struct nftnl_rule *r, int verdict) return 0; } -int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, - bool goto_set) +int add_action(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state *cs, bool goto_set) { int ret = 0; @@ -1604,7 +1605,7 @@ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, else if (strcmp(cs->jumpto, "NFLOG") == 0) ret = add_log(r, cs); else - ret = add_target(r, cs->target->t); + ret = add_target(h, r, cs->target->t); } else if (strlen(cs->jumpto) > 0) { /* Not standard, then it's a go / jump to chain */ if (goto_set) diff --git a/iptables/nft.h b/iptables/nft.h index 5acbbf82..a89aff0a 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -192,9 +192,11 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes); int add_verdict(struct nftnl_rule *r, int verdict); int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, struct nftnl_rule *r, struct xt_entry_match *m); -int add_target(struct nftnl_rule *r, struct xt_entry_target *t); +int add_target(struct nft_handle *h, struct nftnl_rule *r, + struct xt_entry_target *t); int add_jumpto(struct nftnl_rule *r, const char *name, int verdict); -int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set); +int add_action(struct nft_handle *h, struct nftnl_rule *r, + struct iptables_command_state *cs, bool goto_set); int add_log(struct nftnl_rule *r, struct iptables_command_state *cs); char *get_comment(const void *data, uint32_t data_len); |