ebtables-compat: fix printing of extension
authorArturo Borrero <arturo.borrero.glez@gmail.com>
Fri, 26 Dec 2014 12:49:52 +0000 (13:49 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 5 Jan 2015 11:18:24 +0000 (12:18 +0100)
This patch fixes the printing of ebt extensions:

% sudo ebtables-compat -L
[...]
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
--802_3-type 0x0012 -j ACCEPT
[...]

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft-bridge.c
iptables/nft-bridge.h
iptables/nft-shared.c

index 807c4da0fd67fb1c8f0258a0a874da2ac76b22e7..90bcd63df51dc0ad81346b323723b52d00ac7297 100644 (file)
@@ -370,6 +370,7 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
 static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
                                      unsigned int format)
 {
+       struct xtables_rule_match *matchp;
        struct ebtables_command_state cs = {};
        char *addr;
 
@@ -443,23 +444,13 @@ static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
                print_iface(cs.fw.out);
        }
 
-       /* old code to adapt
-       m_l = hlp->m_list;
-       while (m_l) {
-               m = ebt_find_match(m_l->m->u.name);
-               if (!m)
-                       ebt_print_bug("Match not found");
-               m->print(hlp, m_l->m);
-               m_l = m_l->next;
+       for (matchp = cs.matches; matchp; matchp = matchp->next) {
+               if (matchp->match->print != NULL) {
+                       matchp->match->print(&cs.fw, matchp->match->m,
+                                            format & FMT_NUMERIC);
+               }
        }
-       w_l = hlp->w_list;
-       while (w_l) {
-               w = ebt_find_watcher(w_l->w->u.name);
-               if (!w)
-                       ebt_print_bug("Watcher not found");
-               w->print(hlp, w_l->w);
-               w_l = w_l->next;
-       }*/
+
        printf("-j ");
        if (!(format & FMT_NOTARGET))
                printf("%s", cs.jumpto);
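Review bot: The new loop silently skips any match whose `print` callback is NULL, so `ebtables-compat -L` can show a rule without one of its conditions, and the rule then reads as broader than what is actually installed. For a tool used to audit a ruleset an explicit marker is safer, for example an `else` branch with `printf("[%s: no print callback] ", matchp->match->name);`. The removed commented-out code also walked a watcher list, and nothing visible here prints watchers, so that part of the listing appears to be still missing and deserves a `/* TODO: print watchers */` comment. nft_bridge_print_firewall starts and ends outside this hunk.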
index fd8bc9f14b38b954a58dbfca789d28099e405196..8357543288ad2a74947854f3af6949a006ea5f33 100644 (file)
@@ -4,6 +4,7 @@
 #include <netinet/in.h>
 //#include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter/x_tables.h>
+#include <net/ethernet.h>
 
 /* We use replace->flags, so we can't use the following values:
  * 0x01 == OPT_COMMAND, 0x02 == OPT_TABLE, 0x100 == OPT_ZERO */
index 71c4476354f3012e2bcac6e307400222bba91385..dd1dfca21ad15572eb7af5a3874a844a0de6765b 100644 (file)
@@ -26,6 +26,7 @@
 #include <libnftnl/expr.h>
 
 #include "nft-shared.h"
+#include "nft-bridge.h"
 #include "xshared.h"
 #include "nft.h"
 
@@ -326,9 +327,24 @@ void nft_parse_match(struct nft_xt_ctx *ctx, struct nft_rule_expr *e)
        const char *mt_name = nft_rule_expr_get_str(e, NFT_EXPR_MT_NAME);
        const void *mt_info = nft_rule_expr_get(e, NFT_EXPR_MT_INFO, &mt_len);
        struct xtables_match *match;
+       struct xtables_rule_match **matches;
        struct xt_entry_match *m;
 
-       match = xtables_find_match(mt_name, XTF_TRY_LOAD, &ctx->state.cs->matches);
+       switch (ctx->family) {
+       case NFPROTO_IPV4:
+       case NFPROTO_IPV6:
+               matches = &ctx->state.cs->matches;
+               break;
+       case NFPROTO_BRIDGE:
+               matches = &ctx->state.cs_eb->matches;
+               break;
+       default:
+               fprintf(stderr, "BUG: nft_parse_match() unknown family %d\n",
+                       ctx->family);
+               exit(EXIT_FAILURE);
+       }
+
+       match = xtables_find_match(mt_name, XTF_TRY_LOAD, matches);
        if (match == NULL)
                return;
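Review bot: With the bridge family now routed through nft_parse_match, the unchanged `if (match == NULL) return;` after the lookup becomes a silent drop for bridge rules too. When `xtables_find_match(mt_name, XTF_TRY_LOAD, matches)` cannot find the extension, the function returns with no diagnostic, so the listing presumably omits that match. A warning before the return, such as `fprintf(stderr, "Warning: match %s not found, rule shown incompletely\n", mt_name);`, would make the gap visible to whoever is reviewing the ruleset. The function body continues past the end of this hunk, so any later handling is not visible here.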