From 2a87a024e1f77407e332086a4fa664e048280195 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 25 Jan 2013 16:04:36 +0100
Subject: xtables: nft: add protocol and flags for xtables over nf_tables
Add protocol and flags for the compatibility layer.
Signed-off-by: Pablo Neira Ayuso
---
 include/linux/netfilter/nf_tables.h | 14 ++++++++++++++
 iptables/nft.c | 8 ++++++++
 2 files changed, 22 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 5385bf32..5f40dc05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -97,10 +97,24 @@ enum nft_rule_attributes {
 NFTA_RULE_HANDLE,
 NFTA_RULE_EXPRESSIONS,
 NFTA_RULE_FLAGS,
+ NFTA_RULE_COMPAT,
 __NFTA_RULE_MAX
 };
 #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
+enum nft_rule_compat_flags {
+ NFT_RULE_COMPAT_F_INV = (1 << 1),
+ NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV,
+};
+
+enum nft_rule_compat_attributes {
+ NFTA_RULE_COMPAT_UNSPEC,
+ NFTA_RULE_COMPAT_PROTO,
+ NFTA_RULE_COMPAT_FLAGS,
+ __NFTA_RULE_COMPAT_MAX
+};
+#define NFTA_RULE_COMPAT_MAX (__NFTA_RULE_COMPAT_MAX - 1)
+
 /**
 * enum nft_set_flags - nf_tables set flags
 *
diff --git a/iptables/nft.c b/iptables/nft.c
index f42e4377..c3d5d610 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -800,6 +800,13 @@ static void add_addr(struct nft_rule *r, int offset,
 add_cmp_ptr(r, op, data, len);
 }
+static void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
+{
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto);
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS,
+ inv ? NFT_RULE_COMPAT_F_INV : 0);
+}
+
 static void add_proto(struct nft_rule *r, int offset, size_t len,
 uint32_t proto, int invflags)
 {
@@ -813,6 +820,7 @@ static void add_proto(struct nft_rule *r, int offset, size_t len,
 op = NFT_CMP_EQ;
 add_cmp_u32(r, proto, op);
+ add_compat(r, proto, invflags & XT_INV_PROTO);
 }
 int
--
cgit v1.2.3
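Review bot: The two enums added to nf_tables.h carry no kernel-doc, although the neighbouring `enum nft_set_flags` in the trailing context has a `/** ... */` block, and the flag layout needs a word of explanation: `NFT_RULE_COMPAT_F_INV` is `(1 << 1)`, so bit 0 is left undefined without saying whether it is reserved. I would add a kernel-doc block for `enum nft_rule_compat_flags` stating what `NFT_RULE_COMPAT_F_INV` means and that `NFT_RULE_COMPAT_F_MASK` is the set of defined bits. A matching block for `enum nft_rule_compat_attributes` should describe `NFTA_RULE_COMPAT_PROTO` and `NFTA_RULE_COMPAT_FLAGS`. Presumably whatever parses these attributes is meant to reject flag bits outside the mask; that code is not in this patch, so the header is the place to state the expectation.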
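Review bot: `add_compat()` in iptables/nft.c is added without any comment, and nothing says why the protocol is stored on the rule a second time next to the compare expression that `add_proto()` already emits through `add_cmp_u32()`. A short header such as `/* Record protocol and inversion as rule-level compat attributes for the xtables compatibility layer. */` would cover it. Because the same value now lives in two places, the comment should also say that the compat copy has to stay consistent with the compare expression; any consumer that trusts only one of them would otherwise see a different rule than the one being matched.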
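Review bot: The new call in `add_proto()` passes `invflags & XT_INV_PROTO` straight into the `bool inv` parameter of `add_compat()`, relying on an implicit integer-to-bool conversion. Making it explicit documents the intent and stays correct if `bool` is ever not C99 `_Bool` in some build: `add_compat(r, proto, (invflags & XT_INV_PROTO) != 0);`. The start of `add_proto()`, where `op` is chosen, lies outside the hunk, so I cannot see whether the same test is already evaluated there; if it is, a single local `bool inv` used for both would keep the compare operator and the compat flag from drifting apart.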