From 42cfeee024d0ba0c6b15645f829273ee3dcfa5c6 Mon Sep 17 00:00:00 2001
From: Arturo Borrero
Date: Fri, 26 Dec 2014 13:49:52 +0100
Subject: ebtables-compat: fix printing of extension
This patch fix printing of ebt extensions: % sudo ebtables-compat -L [...] Bridge chain: FORWARD, entries: 1, policy: ACCEPT --802_3-type 0x0012 -j ACCEPT [...]
Signed-off-by: Arturo Borrero Gonzalez
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-bridge.c | 23 +++++++----------------
 iptables/nft-bridge.h | 1 +
 iptables/nft-shared.c | 18 +++++++++++++++++-
 3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 807c4da0..90bcd63d 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -370,6 +370,7 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
 static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
 unsigned int format)
 {
+ struct xtables_rule_match *matchp;
 struct ebtables_command_state cs = {};
 char *addr;
@@ -443,23 +444,13 @@ static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
 print_iface(cs.fw.out);
 }
- /* old code to adapt
- m_l = hlp->m_list;
- while (m_l) {
- m = ebt_find_match(m_l->m->u.name);
- if (!m)
- ebt_print_bug("Match not found");
- m->print(hlp, m_l->m);
- m_l = m_l->next;
+ for (matchp = cs.matches; matchp; matchp = matchp->next) {
+ if (matchp->match->print != NULL) {
+ matchp->match->print(&cs.fw, matchp->match->m,
+ format & FMT_NUMERIC);
+ }
 }
- w_l = hlp->w_list;
- while (w_l) {
- w = ebt_find_watcher(w_l->w->u.name);
- if (!w)
- ebt_print_bug("Watcher not found");
- w->print(hlp, w_l->w);
- w_l = w_l->next;
- }*/
+
 printf("-j ");
 if (!(format & FMT_NOTARGET))
 printf("%s", cs.jumpto);
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index fd8bc9f1..83575432 100644
--- a/iptables/nft-bridge.h
+++ b/iptables/nft-bridge.h
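Review bot: In the new loop in nft_bridge_print_firewall() (second hunk of nft-bridge.c), a match whose `print` callback is NULL is skipped with no output at all, so the listed rule looks broader than the rule that is actually installed. A firewall listing is what operators read when auditing a ruleset, so an unprintable match should still be visible, for example by adding an `else` branch with `printf("[unsupported match %s] ", matchp->match->name);`. The removed commented-out block also walked a watcher list; nothing on the new side prints watchers, and the hunk does not show whether they are handled elsewhere. The function body continues outside this hunk.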
@@ -4,6 +4,7 @@
 #include
 //#include
 #include
+#include
 /* We use replace->flags, so we can't use the following values:
 * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 71c44763..dd1dfca2 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -26,6 +26,7 @@
 #include
 #include "nft-shared.h"
+#include "nft-bridge.h"
 #include "xshared.h"
 #include "nft.h"
@@ -326,9 +327,24 @@ void nft_parse_match(struct nft_xt_ctx *ctx, struct nft_rule_expr *e)
 const char *mt_name = nft_rule_expr_get_str(e, NFT_EXPR_MT_NAME);
 const void *mt_info = nft_rule_expr_get(e, NFT_EXPR_MT_INFO, &mt_len);
 struct xtables_match *match;
+ struct xtables_rule_match **matches;
 struct xt_entry_match *m;
- match = xtables_find_match(mt_name, XTF_TRY_LOAD, &ctx->state.cs->matches);
+ switch (ctx->family) {
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ matches = &ctx->state.cs->matches;
+ break;
+ case NFPROTO_BRIDGE:
+ matches = &ctx->state.cs_eb->matches;
+ break;
+ default:
+ fprintf(stderr, "BUG: nft_parse_match() unknown family %d\n",
+ ctx->family);
+ exit(EXIT_FAILURE);
+ }
+
+ match = xtables_find_match(mt_name, XTF_TRY_LOAD, matches);
 if (match == NULL)
 return;
-- cgit v1.2.3
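Review bot: The `default:` branch of the new switch in nft_parse_match() (second hunk of nft-shared.c) calls `exit(EXIT_FAILURE)` for every family other than IPv4, IPv6 and bridge, whereas the removed line used `&ctx->state.cs->matches` unconditionally. If any other family reaches this function (the hunk does not show whether one does), listing its ruleset will now abort partway instead of printing, which hides the remaining rules from the operator. If the abort is intended, the switch deserves a short comment stating that, for example `/* each family keeps its match list in its own command state; any other family reaching here is a caller bug */`. The function begins before and continues after the hunk.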