nft: Pass nft_handle to add_{target,action}()

Prepare for varying rule content based on a global flag.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 9868966a0368860bd4ae3327b36c617d6e1d8cbd..14b352cebf9d359a6f40cf253f7f0978e32b75d9 100644 (file)
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -151,7 +151,7 @@ static int nft_arp_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
                else if (strcmp(cs->jumpto, XTC_LABEL_RETURN) == 0)
                        ret = add_verdict(r, NFT_RETURN);
                else
-                       ret = add_target(r, cs->target->t);
+                       ret = add_target(h, r, cs->target->t);
        } else if (strlen(cs->jumpto) > 0) {
                /* No goto in arptables */
                ret = add_jumpto(r, cs->jumpto, NFT_JUMP);

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 391a8ab723c1cb173fd3aeddc0cf0a825a9b804c..616ae5a3a2a3ce6f730e47e553d296174bda7860 100644 (file)
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -117,7 +117,8 @@ static int add_meta_broute(struct nftnl_rule *r)
        return 0;
 }
 
-static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
+static int _add_action(struct nft_handle *h, struct nftnl_rule *r,
+                      struct iptables_command_state *cs)
 {
        const char *table = nftnl_rule_get_str(r, NFTNL_RULE_TABLE);
 
@@ -133,7 +134,7 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
                }
        }
 
-       return add_action(r, cs, false);
+       return add_action(h, r, cs, false);
 }
 
 static int
@@ -221,7 +222,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
                        if (nft_bridge_add_match(h, fw, ctx, r, iter->u.match->m))
                                break;
                } else {
-                       if (add_target(r, iter->u.watcher->t))
+                       if (add_target(h, r, iter->u.watcher->t))
                                break;
                }
        }
@@ -229,7 +230,7 @@ static int nft_bridge_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
        if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
                return -1;
 
-       return _add_action(r, cs);
+       return _add_action(h, r, cs);
 }
 
 static bool nft_rule_to_ebtables_command_state(struct nft_handle *h,

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 2f10220edd509c61047e2903066b60b03172cdee..663052fc57f0af8c992cd9f446b7f1b3733322a7 100644 (file)
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -95,7 +95,7 @@ static int nft_ipv4_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
        if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
                return -1;
 
-       return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
+       return add_action(h, r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
 }
 
 static bool nft_ipv4_is_same(const struct iptables_command_state *a,

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index d53f87c1d26e33fc2e1022d8cb70bc6ca872ca65..8bc633df0e93a4f22a2cf1b4f136fb164bfb394e 100644 (file)
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -81,7 +81,7 @@ static int nft_ipv6_add(struct nft_handle *h, struct nft_rule_ctx *ctx,
        if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
                return -1;
 
-       return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
+       return add_action(h, r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
 }
 
 static bool nft_ipv6_is_same(const struct iptables_command_state *a,

diff --git a/iptables/nft.c b/iptables/nft.c
index 97fd4f49fdb4cf38cf74d24d9de0b44383e809ce..1fc12b0c659c7bb56f7d543cc1d8d5c88b5013a5 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1538,7 +1538,8 @@ static int add_meta_nftrace(struct nftnl_rule *r)
        return 0;
 }
 
-int add_target(struct nftnl_rule *r, struct xt_entry_target *t)
+int add_target(struct nft_handle *h, struct nftnl_rule *r,
+              struct xt_entry_target *t)
 {
        struct nftnl_expr *expr;
        int ret;
@@ -1587,8 +1588,8 @@ int add_verdict(struct nftnl_rule *r, int verdict)
        return 0;
 }
 
-int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
-              bool goto_set)
+int add_action(struct nft_handle *h, struct nftnl_rule *r,
+              struct iptables_command_state *cs, bool goto_set)
 {
        int ret = 0;
 
@@ -1604,7 +1605,7 @@ int add_action(struct nftnl_rule *r, struct iptables_command_state *cs,
                else if (strcmp(cs->jumpto, "NFLOG") == 0)
                        ret = add_log(r, cs);
                else
-                       ret = add_target(r, cs->target->t);
+                       ret = add_target(h, r, cs->target->t);
        } else if (strlen(cs->jumpto) > 0) {
                /* Not standard, then it's a go / jump to chain */
                if (goto_set)

diff --git a/iptables/nft.h b/iptables/nft.h
index 5acbbf82e2c29f1751b70dc9dd3e7bc852b2c703..a89aff0af68d01f1d2dbbc077cdbbf49f68813f8 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -192,9 +192,11 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
 int add_verdict(struct nftnl_rule *r, int verdict);
 int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
              struct nftnl_rule *r, struct xt_entry_match *m);
-int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
+int add_target(struct nft_handle *h, struct nftnl_rule *r,
+              struct xt_entry_target *t);
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
-int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
+int add_action(struct nft_handle *h, struct nftnl_rule *r,
+              struct iptables_command_state *cs, bool goto_set);
 int add_log(struct nftnl_rule *r, struct iptables_command_state *cs);
 char *get_comment(const void *data, uint32_t data_len);