diff options
-rwxr-xr-x | iptables-test.py | 19 | ||||
-rw-r--r-- | iptables/arptables-nft-restore.8 | 15 | ||||
-rw-r--r-- | iptables/arptables-nft.8 | 8 | ||||
-rw-r--r-- | iptables/ebtables-nft.8 | 6 | ||||
-rw-r--r-- | iptables/iptables-restore.8.in | 11 | ||||
-rw-r--r-- | iptables/iptables.8.in | 7 | ||||
-rw-r--r-- | iptables/nft-arp.c | 2 | ||||
-rw-r--r-- | iptables/nft-bridge.c | 9 | ||||
-rw-r--r-- | iptables/nft-ipv4.c | 2 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 2 | ||||
-rw-r--r-- | iptables/nft-shared.c | 2 | ||||
-rw-r--r-- | iptables/nft.c | 19 | ||||
-rw-r--r-- | iptables/nft.h | 7 | ||||
-rwxr-xr-x | iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 | 63 | ||||
-rw-r--r-- | iptables/xshared.c | 7 | ||||
-rw-r--r-- | iptables/xshared.h | 1 | ||||
-rw-r--r-- | iptables/xtables-arp.c | 1 | ||||
-rw-r--r-- | iptables/xtables-eb.c | 7 | ||||
-rw-r--r-- | iptables/xtables-restore.c | 43 | ||||
-rw-r--r-- | iptables/xtables.c | 2 |
20 files changed, 35 insertions, 198 deletions
diff --git a/iptables-test.py b/iptables-test.py index 22b445df..6f63cdbe 100755 --- a/iptables-test.py +++ b/iptables-test.py @@ -28,8 +28,6 @@ EBTABLES_SAVE = "ebtables-save" #IPTABLES_SAVE = ['xtables-save','-4'] #IP6TABLES_SAVE = ['xtables-save','-6'] -COMPAT_ARG = "" - EXTENSIONS_PATH = "extensions" LOGFILE="/tmp/iptables-test.log" log_file = None @@ -85,7 +83,7 @@ def run_test(iptables, rule, rule_save, res, filename, lineno, netns): ''' ret = 0 - cmd = iptables + COMPAT_ARG + " -A " + rule + cmd = iptables + " -A " + rule ret = execute_cmd(cmd, filename, lineno, netns) # @@ -320,7 +318,7 @@ def run_test_file_fast(iptables, filename, netns): # load all rules via iptables_restore - command = EXECUTABLE + " " + iptables + "-restore" + COMPAT_ARG + command = EXECUTABLE + " " + iptables + "-restore" if netns: command = "ip netns exec " + netns + " " + command @@ -560,8 +558,6 @@ def main(): help='Check for missing tests') parser.add_argument('-n', '--nftables', action='store_true', help='Test iptables-over-nftables') - parser.add_argument('-c', '--nft-compat', action='store_true', - help='Test iptables-over-nftables in compat mode') parser.add_argument('-N', '--netns', action='store_const', const='____iptables-container-test', help='Test netnamespace path') @@ -581,10 +577,8 @@ def main(): variants.append("legacy") if args.nftables: variants.append("nft") - if args.nft_compat: - variants.append("nft_compat") if len(variants) == 0: - variants = [ "legacy", "nft", "nft_compat" ] + variants = [ "legacy", "nft" ] if os.getuid() != 0: print("You need to be root to run this, sorry", file=sys.stderr) @@ -604,12 +598,7 @@ def main(): total_tests = 0 for variant in variants: global EXECUTABLE - global COMPAT_ARG - if variant == "nft_compat": - EXECUTABLE = "xtables-nft-multi" - COMPAT_ARG = " --compat" - else: - EXECUTABLE = "xtables-" + variant + "-multi" + EXECUTABLE = "xtables-" + variant + "-multi" test_files = 0 tests = 0 diff --git a/iptables/arptables-nft-restore.8 b/iptables/arptables-nft-restore.8 index 12ac9ebd..09d9082c 100644 --- a/iptables/arptables-nft-restore.8 +++ b/iptables/arptables-nft-restore.8 @@ -22,23 +22,18 @@ .SH NAME arptables-restore \- Restore ARP Tables (nft-based) .SH SYNOPSIS -.BR arptables\-restore " [" --compat ] +\fBarptables\-restore .SH DESCRIPTION +.PP .B arptables-restore is used to restore ARP Tables from data specified on STDIN or via a file as first argument. -Use I/O redirection provided by your shell to read from a file. -.P +Use I/O redirection provided by your shell to read from a file +.TP .B arptables-restore flushes (deletes) all previous contents of the respective ARP Table. -.TP -.BR -C , " --compat" -Create rules in a mostly compatible way, enabling older versions of -\fBarptables\-nft\fP to correctly parse the rules received from kernel. This -mode is only useful in very specific situations and will likely impact packet -filtering performance. - .SH AUTHOR Jesper Dangaard Brouer <brouer@redhat.com> .SH SEE ALSO \fBarptables\-save\fP(8), \fBarptables\fP(8) +.PP diff --git a/iptables/arptables-nft.8 b/iptables/arptables-nft.8 index 673a7bd5..ea31e084 100644 --- a/iptables/arptables-nft.8 +++ b/iptables/arptables-nft.8 @@ -220,14 +220,6 @@ counters of a rule (during .B APPEND, .B REPLACE operations). -.SS "OTHER OPTIONS" -The following additional options can be specified: -.TP -\fB\-\-compat\fP -Create rules in a mostly compatible way, enabling older versions of -\fBarptables\-nft\fP to correctly parse the rules received from kernel. This -mode is only useful in very specific situations and will likely impact packet -filtering performance. .SS RULE-SPECIFICATIONS The following command line arguments make up a rule specification (as used diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8 index baada6c6..0304b508 100644 --- a/iptables/ebtables-nft.8 +++ b/iptables/ebtables-nft.8 @@ -359,12 +359,6 @@ to try to automatically load missing kernel modules. .TP .B --concurrent Use a file lock to support concurrent scripts updating the ebtables kernel tables. -.TP -.B --compat -Create rules in a mostly compatible way, enabling older versions of -\fBebtables\-nft\fP to correctly parse the rules received from kernel. This -mode is only useful in very specific situations and will likely impact packet -filtering performance. .SS RULE SPECIFICATIONS diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in index 38309992..aa816f79 100644 --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -23,11 +23,11 @@ iptables-restore \(em Restore IP Tables .P ip6tables-restore \(em Restore IPv6 Tables .SH SYNOPSIS -\fBiptables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP] +\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] [\fIfile\fP] .P -\fBip6tables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP] +\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] [\fIfile\fP] .SH DESCRIPTION @@ -74,13 +74,6 @@ determine the executable's path. .TP \fB\-T\fP, \fB\-\-table\fP \fIname\fP Restore only the named table even if the input stream contains other ones. -.TP -\fB\-C\fP, \fB\-\-compat\fP -This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If -set, rules will be created in a mostly compatible way, enabling older versions -of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This -mode is only useful in very specific situations and will likely impact packet -filtering performance. .SH BUGS None known as of iptables-1.2.1 release .SH AUTHORS diff --git a/iptables/iptables.8.in b/iptables/iptables.8.in index c0e92f27..ecaa5553 100644 --- a/iptables/iptables.8.in +++ b/iptables/iptables.8.in @@ -397,13 +397,6 @@ corresponding to that rule's position in the chain. \fB\-\-modprobe=\fP\fIcommand\fP When adding or inserting rules into a chain, use \fIcommand\fP to load any necessary modules (targets, match extensions, etc). -.TP -\fB\-\-compat\fP -This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If -set, rules will be created in a mostly compatible way, enabling older versions -of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This -mode is only useful in very specific situations and will likely impact packet -filtering performance. .SH LOCK FILE iptables uses the \fI@XT_LOCK_NAME@\fP file to take an exclusive lock at diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c index 14b352ce..9868966a 100644 --- a/iptables/nft-arp.c +++ b/iptables/nft-arp.c @@ -151,7 +151,7 @@ static int nft_arp_add(struct nft_handle *h, struct nft_rule_ctx *ctx, else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0) ret = add_verdict(r, NFT_RETURN); else - ret = add_target(h, r, cs->target->t); + ret = add_target(r, cs->target->t); } else if (strlen(cs->jumpto) > 0) { /* No goto in arptables */ ret = add_jumpto(r, cs->jumpto, NFT_JUMP); diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c index 616ae5a3..391a8ab7 100644 --- a/iptables/nft-bridge.c +++ b/iptables/nft-bridge.c @@ -117,8 +117,7 @@ static int add_meta_broute(struct nftnl_rule *r) return 0; } -static int _add_action(struct nft_handle *h, struct nftnl_rule *r, - struct iptables_command_state *cs) +static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs) { const char *table = nftnl_rule_get_str(r, NFTNL_RULE_TABLE); @@ -134,7 +133,7 @@ static int _add_action(struct nft_handle *h, struct nftnl_rule *r, } } - return add_action(h, r, cs, false); + return add_action(r, cs, false); } static int @@ -222,7 +221,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (nft_bridge_add_match(h, fw, ctx, r, iter->u.match->m)) break; } else { - if (add_target(h, r, iter->u.watcher->t)) + if (add_target(r, iter->u.watcher->t)) break; } } @@ -230,7 +229,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0) return -1; - return _add_action(h, r, cs); + return _add_action(r, cs); } static bool nft_rule_to_ebtables_command_state(struct nft_handle *h, diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c index 663052fc..2f10220e 100644 --- a/iptables/nft-ipv4.c +++ b/iptables/nft-ipv4.c @@ -95,7 +95,7 @@ static int nft_ipv4_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0) return -1; - return add_action(h, r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO)); + return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO)); } static bool nft_ipv4_is_same(const struct iptables_command_state *a, diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c index 8bc633df..d53f87c1 100644 --- a/iptables/nft-ipv6.c +++ b/iptables/nft-ipv6.c @@ -81,7 +81,7 @@ static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx, if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0) return -1; - return add_action(h, r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO)); + return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO)); } static bool nft_ipv6_is_same(const struct iptables_command_state *a, diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 5e0ca00e..34ca9d16 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -198,7 +198,7 @@ void add_addr(struct nft_handle *h, struct nftnl_rule *r, for (i = 0; i < len; i++) { if (m[i] != 0xff) { - bitwise = h->compat || m[i] != 0; + bitwise = m[i] != 0; break; } } diff --git a/iptables/nft.c b/iptables/nft.c index 09ff9cf1..97fd4f49 100644 --- a/iptables/nft.c +++ b/iptables/nft.c @@ -1476,12 +1476,10 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, case NFT_COMPAT_RULE_APPEND: case NFT_COMPAT_RULE_INSERT: case NFT_COMPAT_RULE_REPLACE: - if (!strcmp(m->u.user.name, "among")) - return add_nft_among(h, r, m); - else if (h->compat) - break; - else if (!strcmp(m->u.user.name, "limit")) + if (!strcmp(m->u.user.name, "limit")) return add_nft_limit(r, m); + else if (!strcmp(m->u.user.name, "among")) + return add_nft_among(h, r, m); else if (!strcmp(m->u.user.name, "udp")) return add_nft_udp(h, r, m); else if (!strcmp(m->u.user.name, "tcp")) @@ -1540,13 +1538,12 @@ static int add_meta_nftrace(struct nftnl_rule *r) return 0; } -int add_target(struct nft_handle *h, struct nftnl_rule *r, - struct xt_entry_target *t) +int add_target(struct nftnl_rule *r, struct xt_entry_target *t) { struct nftnl_expr *expr; int ret; - if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0) + if (strcmp(t->u.user.name, "TRACE") == 0) return add_meta_nftrace(r); expr = nftnl_expr_alloc("target"); @@ -1590,8 +1587,8 @@ int add_verdict(struct nftnl_rule *r, int verdict) return 0; } -int add_action(struct nft_handle *h, struct nftnl_rule *r, - struct iptables_command_state *cs, bool goto_set) +int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, + bool goto_set) { int ret = 0; @@ -1607,7 +1604,7 @@ int add_action(struct nft_handle *h, struct nftnl_rule *r, else if (strcmp(cs->jumpto, "NFLOG") == 0) ret = add_log(r, cs); else - ret = add_target(h, r, cs->target->t); + ret = add_target(r, cs->target->t); } else if (strlen(cs->jumpto) > 0) { /* Not standard, then it's a go / jump to chain */ if (goto_set) diff --git a/iptables/nft.h b/iptables/nft.h index fb9fc81e..5acbbf82 100644 --- a/iptables/nft.h +++ b/iptables/nft.h @@ -111,7 +111,6 @@ struct nft_handle { struct list_head cmd_list; bool cache_init; int verbose; - bool compat; /* meta data, for error reporting */ struct { @@ -193,11 +192,9 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes); int add_verdict(struct nftnl_rule *r, int verdict); int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx, struct nftnl_rule *r, struct xt_entry_match *m); -int add_target(struct nft_handle *h, struct nftnl_rule *r, - struct xt_entry_target *t); +int add_target(struct nftnl_rule *r, struct xt_entry_target *t); int add_jumpto(struct nftnl_rule *r, const char *name, int verdict); -int add_action(struct nft_handle *h, struct nftnl_rule *r, - struct iptables_command_state *cs, bool goto_set); +int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set); int add_log(struct nftnl_rule *r, struct iptables_command_state *cs); char *get_comment(const void *data, uint32_t data_len); diff --git a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 b/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 deleted file mode 100755 index c8cee8ae..00000000 --- a/iptables/tests/shell/testcases/nft-only/0011-compat-mode_0 +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash - -[[ $XT_MULTI == *xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; } - -set -e - -# reduce noise in debug output -$XT_MULTI iptables -t raw -A OUTPUT -$XT_MULTI iptables -t raw -F - -# add all the things which were "optimized" here -RULE='-t raw -A OUTPUT' - -# prefix matches on class (actually: byte) boundaries no longer need a bitwise -RULE+=' -s 10.0.0.0/8 -d 192.168.0.0/16' - -# these were turned into native matches meanwhile -# (plus -m tcp, but it conflicts with -m udp) -RULE+=' -m limit --limit 1/min' -RULE+=' -p udp -m udp --sport 1024:65535' -RULE+=' -m mark --mark 0xfeedcafe/0xfeedcafe' -RULE+=' -j TRACE' - -EXPECT_COMMON='TRACE udp opt -- in * out * 10.0.0.0/8 -> 192.168.0.0/16 limit: avg 1/min burst 5 udp spts:1024:65535 mark match 0xfeedcafe/0xfeedcafe -ip raw OUTPUT' - -EXPECT="$EXPECT_COMMON - [ payload load 1b @ network header + 12 => reg 1 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 2b @ network header + 16 => reg 1 ] - [ cmp eq reg 1 0x0000a8c0 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ limit rate 1/minute burst 5 type packets flags 0x0 ] - [ payload load 2b @ transport header + 0 => reg 1 ] - [ range eq reg 1 0x00000004 0x0000ffff ] - [ meta load mark => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0xfeedcafe ) ^ 0x00000000 ] - [ cmp eq reg 1 0xfeedcafe ] - [ counter pkts 0 bytes 0 ] - [ immediate reg 9 0x00000001 ] - [ meta set nftrace with reg 9 ] -" - -diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables -vv $RULE) - -EXPECT="$EXPECT_COMMON - [ payload load 4b @ network header + 12 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x000000ff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000000a ] - [ payload load 4b @ network header + 16 => reg 1 ] - [ bitwise reg 1 = ( reg 1 & 0x0000ffff ) ^ 0x00000000 ] - [ cmp eq reg 1 0x0000a8c0 ] - [ payload load 1b @ network header + 9 => reg 1 ] - [ cmp eq reg 1 0x00000011 ] - [ match name limit rev 0 ] - [ match name udp rev 0 ] - [ match name mark rev 1 ] - [ counter pkts 0 bytes 0 ] - [ target name TRACE rev 0 ] -" - -diff -u -Z <(echo -e "$EXPECT") <($XT_MULTI iptables --compat -vv $RULE) diff --git a/iptables/xshared.c b/iptables/xshared.c index 74b7a041..5f75a0a5 100644 --- a/iptables/xshared.c +++ b/iptables/xshared.c @@ -1263,8 +1263,7 @@ xtables_printhelp(const struct xtables_rule_match *matches) printf( " --modprobe=<command> try to insert modules using this command\n" " --set-counters -c PKTS BYTES set the counter during insert/append\n" -"[!] --version -V print package version\n" -" --compat create rules compatible for parsing with old binaries\n"); +"[!] --version -V print package version.\n"); if (afinfo->family == NFPROTO_ARP) { int i; @@ -1788,10 +1787,6 @@ void do_parse(int argc, char *argv[], exit_tryhelp(2, p->line); - case 15: /* --compat */ - p->compat = true; - break; - case 1: /* non option */ if (optarg[0] == '!' && optarg[1] == '\0') { if (invert) diff --git a/iptables/xshared.h b/iptables/xshared.h index f69a7b43..a200e0d6 100644 --- a/iptables/xshared.h +++ b/iptables/xshared.h @@ -283,7 +283,6 @@ struct xt_cmd_parse { int line; int verbose; bool xlate; - bool compat; struct xt_cmd_parse_ops *ops; }; diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c index c6a9c6d6..71518a9c 100644 --- a/iptables/xtables-arp.c +++ b/iptables/xtables-arp.c @@ -78,7 +78,6 @@ static struct option original_opts[] = { { "line-numbers", 0, 0, '0' }, { "modprobe", 1, 0, 'M' }, { "set-counters", 1, 0, 'c' }, - { "compat", 0, 0, 15 }, { 0 } }; diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c index ffd51efa..08eec79d 100644 --- a/iptables/xtables-eb.c +++ b/iptables/xtables-eb.c @@ -223,7 +223,6 @@ struct option ebt_original_options[] = { "init-table" , no_argument , 0, 11 }, { "concurrent" , no_argument , 0, 13 }, { "check" , required_argument, 0, 14 }, - { "compat" , no_argument , 0, 15 }, { 0 } }; @@ -336,8 +335,7 @@ static void print_help(const struct xtables_target *t, "--modprobe -M program : try to insert modules using this program\n" "--concurrent : use a file lock to support concurrent scripts\n" "--verbose -v : verbose mode\n" -"--version -V : print package version\n" -"--compat : create rules compatible for parsing with old binaries\n\n" +"--version -V : print package version\n\n" "Environment variable:\n" /*ATOMIC_ENV_VARIABLE " : if set <FILE> (see above) will equal its value"*/ "\n\n"); @@ -1099,9 +1097,6 @@ print_zero: return 1; case 13 : break; - case 15: - h->compat = true; - break; case 1 : if (!strcmp(optarg, "!")) ebt_check_inverse2(optarg, argc, argv); diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c index bd8c6bc1..23cd3498 100644 --- a/iptables/xtables-restore.c +++ b/iptables/xtables-restore.c @@ -26,7 +26,6 @@ static int counters, verbose; /* Keeping track of external matches and targets. */ static const struct option options[] = { {.name = "counters", .has_arg = false, .val = 'c'}, - {.name = "compat", .has_arg = false, .val = 'C'}, {.name = "verbose", .has_arg = false, .val = 'v'}, {.name = "version", .has_arg = 0, .val = 'V'}, {.name = "test", .has_arg = false, .val = 't'}, @@ -46,9 +45,8 @@ static const struct option options[] = { static void print_usage(const char *name, const char *version) { - fprintf(stderr, "Usage: %s [-c] [-C] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6] [file]\n" + fprintf(stderr, "Usage: %s [-c] [-v] [-V] [-t] [-h] [-n] [-T table] [-M command] [-4] [-6] [file]\n" " [ --counters ]\n" - " [ --compat ]\n" " [ --verbose ]\n" " [ --version]\n" " [ --test ]\n" @@ -291,7 +289,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) .cb = &restore_cb, }; bool noflush = false; - bool compat = false; struct nft_handle h; int c; @@ -306,7 +303,7 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) exit(1); } - while ((c = getopt_long(argc, argv, "bcCvVthnM:T:wW", options, NULL)) != -1) { + while ((c = getopt_long(argc, argv, "bcvVthnM:T:wW", options, NULL)) != -1) { switch (c) { case 'b': fprintf(stderr, "-b/--binary option is not implemented\n"); @@ -314,9 +311,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) case 'c': counters = 1; break; - case 'C': - compat = true; - break; case 'v': verbose++; break; @@ -393,7 +387,6 @@ xtables_restore_main(int family, const char *progname, int argc, char *argv[]) } h.noflush = noflush; h.restore = true; - h.compat = compat; xtables_restore_parse(&h, &p); @@ -424,7 +417,6 @@ static const struct nft_xt_restore_cb ebt_restore_cb = { }; static const struct option ebt_restore_options[] = { - {.name = "compat", .has_arg = 0, .val = 'C'}, {.name = "noflush", .has_arg = 0, .val = 'n'}, {.name = "verbose", .has_arg = 0, .val = 'v'}, { 0 } @@ -437,16 +429,12 @@ int xtables_eb_restore_main(int argc, char *argv[]) .cb = &ebt_restore_cb, }; bool noflush = false; - bool compat = false; struct nft_handle h; int c; - while ((c = getopt_long(argc, argv, "Cnv", + while ((c = getopt_long(argc, argv, "nv", ebt_restore_options, NULL)) != -1) { switch(c) { - case 'C': - compat = true; - break; case 'n': noflush = 1; break; @@ -455,7 +443,7 @@ int xtables_eb_restore_main(int argc, char *argv[]) break; default: fprintf(stderr, - "Usage: ebtables-restore [ --compat ] [ --verbose ] [ --noflush ]\n"); + "Usage: ebtables-restore [ --verbose ] [ --noflush ]\n"); exit(1); break; } @@ -463,7 +451,6 @@ int xtables_eb_restore_main(int argc, char *argv[]) nft_init_eb(&h, "ebtables-restore"); h.noflush = noflush; - h.compat = compat; xtables_restore_parse(&h, &p); nft_fini_eb(&h); @@ -478,37 +465,15 @@ static const struct nft_xt_restore_cb arp_restore_cb = { .chain_restore = nft_cmd_chain_restore, }; -static const struct option arp_restore_options[] = { - {.name = "compat", .has_arg = 0, .val = 'C'}, - { 0 } -}; - int xtables_arp_restore_main(int argc, char *argv[]) { struct nft_xt_restore_parse p = { .in = stdin, .cb = &arp_restore_cb, }; - bool compat = false; struct nft_handle h; - int c; - - while ((c = getopt_long(argc, argv, "C", - arp_restore_options, NULL)) != -1) { - switch(c) { - case 'C': - compat = true; - break; - default: - fprintf(stderr, - "Usage: arptables-restore [ --compat ]\n"); - exit(1); - break; - } - } nft_init_arp(&h, "arptables-restore"); - h.compat = compat; xtables_restore_parse(&h, &p); nft_fini(&h); xtables_fini(); diff --git a/iptables/xtables.c b/iptables/xtables.c index 25b4dbc6..22d6ea58 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -82,7 +82,6 @@ static struct option original_opts[] = { {.name = "goto", .has_arg = 1, .val = 'g'}, {.name = "ipv4", .has_arg = 0, .val = '4'}, {.name = "ipv6", .has_arg = 0, .val = '6'}, - {.name = "compat", .has_arg = 0, .val = 15 }, {NULL}, }; @@ -162,7 +161,6 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table, do_parse(argc, argv, &p, &cs, &args); h->verbose = p.verbose; - h->compat = p.compat; if (!nft_table_builtin_find(h, p.table)) xtables_error(VERSION_PROBLEM, |