nft: restore among support

Update among support to work again with the new parser and cache logic.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 0d60c724afff07601ac0c116f879b773a91bcf6e..39a2f704000c75ecdfc5060195eeda57cd482338 100644 (file)
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -421,11 +421,20 @@ static struct nftnl_set *set_from_lookup_expr(struct nft_xt_ctx *ctx,
                                              const struct nftnl_expr *e)
 {
        const char *set_name = nftnl_expr_get_str(e, NFTNL_EXPR_LOOKUP_SET);
+       uint32_t set_id = nftnl_expr_get_u32(e, NFTNL_EXPR_LOOKUP_SET_ID);
        struct nftnl_set_list *slist;
+       struct nftnl_set *set;
 
        slist = nft_set_list_get(ctx->h, ctx->table, set_name);
-       if (slist)
-               return nftnl_set_list_lookup_byname(slist, set_name);
+       if (slist) {
+               set = nftnl_set_list_lookup_byname(slist, set_name);
+               if (set)
+                       return set;
+
+               set = nft_set_batch_lookup_byid(ctx->h, set_id);
+               if (set)
+                       return set;
+       }
 
        return NULL;
 }

diff --git a/iptables/nft.c b/iptables/nft.c
index f069396a0519095b7e568c58883149c77ef762e4..9771bcc9add021301b262a1bdb092c0e1e782e89 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1613,6 +1613,20 @@ int nft_rule_save(struct nft_handle *h, const char *table, unsigned int format)
        return ret == 0 ? 1 : 0;
 }
 
+struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
+                                           uint32_t set_id)
+{
+       struct obj_update *n;
+
+       list_for_each_entry(n, &h->obj_list, head) {
+               if (n->type == NFT_COMPAT_SET_ADD &&
+                   nftnl_set_get_u32(n->set, NFTNL_SET_ID) == set_id)
+                       return n->set;
+       }
+
+       return NULL;
+}
+
 static void
 __nft_rule_flush(struct nft_handle *h, const char *table,
                 const char *chain, bool verbose, bool implicit)
@@ -3092,6 +3106,7 @@ static int nft_prepare(struct nft_handle *h)
                        ret = 1;
                        break;
                case NFT_COMPAT_SET_ADD:
+                       nft_xt_builtin_init(h, cmd->table);
                        batch_set_add(h, NFT_COMPAT_SET_ADD, cmd->obj.set);
                        ret = 1;
                        break;

diff --git a/iptables/nft.h b/iptables/nft.h
index d61a40979d5bcefcd63af4299be3e4dd64430aae..89c3620e7b7d7120c861fb890afbf943b3195426 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -144,6 +144,12 @@ void nft_bridge_chain_postprocess(struct nft_handle *h,
                                  struct nftnl_chain *c);
 
 
+/*
+ * Operations with sets.
+ */
+struct nftnl_set *nft_set_batch_lookup_byid(struct nft_handle *h,
+                                           uint32_t set_id);
+
 /*
  * Operations with rule-set.
  */