From c6836c19592dbe1a8be9b0ad76c0ae09abcb82e7 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 18 Sep 2013 14:57:38 +0200
Subject: nft: consolidate nft_rule_new to support ARP

This patch removes nft_arp_rule_new, which almost a copy and paste of the original nft_rule_new. This patch generalizes the infrastructure to support ARP.

Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-ipv6.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'iptables/nft-ipv6.c')

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index dbb148ab..e3784a8b 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -20,11 +20,13 @@
 #include
+#include "nft.h"
 #include "nft-shared.h"
 static int nft_ipv6_add(struct nft_rule *r, void *data)
 {
 struct iptables_command_state *cs = data;
+ struct xtables_rule_match *matchp;
 if (cs->fw6.ipv6.iniface[0] != '\0')
 add_iniface(r, cs->fw6.ipv6.iniface, cs->fw6.ipv6.invflags);
@@ -46,7 +48,18 @@ static int nft_ipv6_add(struct nft_rule *r, void *data)
 add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
- return cs->fw6.ipv6.flags;
+ for (matchp = cs->matches; matchp; matchp = matchp->next) {
+ if (add_match(r, matchp->match->m) < 0)
+ break;
+ }
+
+ /* Counters need to me added before the target, otherwise they are
+ * increased for each rule because of the way nf_tables works.
+ */
+ if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
+ return -1;
+
+ return add_action(r, cs, cs->fw6.ipv6.flags);
 }
 static bool nft_ipv6_is_same(const void *data_a,
--
cgit v1.2.3
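Review bot: In the second hunk the match loop only `break`s when add_match() fails, then falls through to add_counters() and add_action(), so nft_ipv6_add returns success for a rule that is missing one or more of its matches; presumably the caller then commits that rule, and a filter rule with a dropped match applies its target to more traffic than the user asked for. The counters check right below already propagates failure, so the loop should do the same: `return -1;` in place of `break;`. The new comment also has a typo, `Counters need to me added` should read `Counters need to be added`. nft_ipv6_add's signature and opening brace are outside this hunk (they sit in the first hunk).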