From 793caef9076cceb24336b6cbb8f55107de49f269 Mon Sep 17 00:00:00 2001
From: Florian Westphal <fw@strlen.de>
Date: Thu, 8 Sep 2022 17:12:41 +0200
Subject: nft: prefer native 'meta pkttype' instead of xt match

Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'iptables')

diff --git a/iptables/nft.c b/iptables/nft.c
index fd552506..a7f712b1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -41,6 +41,7 @@
 #include <linux/netfilter/xt_limit.h>
 #include <linux/netfilter/xt_NFLOG.h>
 #include <linux/netfilter/xt_mark.h>
+#include <linux/netfilter/xt_pkttype.h>
 
 #include <libmnl/libmnl.h>
 #include <libnftnl/gen.h>
@@ -1445,6 +1446,25 @@ static int add_nft_mark(struct nft_handle *h, struct nftnl_rule *r,
 	return 0;
 }
 
+static int add_nft_pkttype(struct nft_handle *h, struct nftnl_rule *r,
+			   struct xt_entry_match *m)
+{
+	struct xt_pkttype_info *pkti = (void *)m->data;
+	uint8_t reg;
+	int op;
+
+	add_meta(h, r, NFT_META_PKTTYPE, &reg);
+
+	if (pkti->invert)
+		op = NFT_CMP_NEQ;
+	else
+		op = NFT_CMP_EQ;
+
+	add_cmp_u8(r, pkti->pkttype, op, reg);
+
+	return 0;
+}
+
 int add_match(struct nft_handle *h,
 	      struct nftnl_rule *r, struct xt_entry_match *m)
 {
@@ -1461,6 +1481,8 @@ int add_match(struct nft_handle *h,
 		return add_nft_tcp(h, r, m);
 	else if (!strcmp(m->u.user.name, "mark"))
 		return add_nft_mark(h, r, m);
+	else if (!strcmp(m->u.user.name, "pkttype"))
+		return add_nft_pkttype(h, r, m);
 
 	expr = nftnl_expr_alloc("match");
 	if (expr == NULL)
-- 
cgit v1.2.3