xtables: introduce rule_to_cs/clear_cs callbacks

This introduces callbacks in nft_family_ops for parsing an nftnl rule
into iptables_command_state and clearing it afterwards.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 06d8664790f4ea6fa408fb6336b6d368d85c3e7f..164c3971f1f4fbc02305597897c078a646b183e5 100644 (file)
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -667,6 +667,8 @@ struct nft_family_ops nft_family_ops_arp = {
        .save_firewall          = NULL,
        .save_counters          = NULL,
        .post_parse             = NULL,
+       .rule_to_cs             = nft_rule_to_arptables_command_state,
+       .clear_cs               = NULL,
        .rule_find              = nft_arp_rule_find,
        .parse_target           = nft_arp_parse_target,
 };

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 4b3c163b2d4a464dda8f12c29edffa3c00aa52d3..3834d6dd805bd1dc68b2aad811a2e1823653eaf5 100644 (file)
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -347,7 +347,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
        cs->target = t;
 }
 
-static void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
+static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,
                                               struct iptables_command_state *cs)
 {
        cs->eb.bitmask = EBT_NOPROTO;
@@ -733,6 +733,8 @@ struct nft_family_ops nft_family_ops_bridge = {
        .save_firewall          = NULL,
        .save_counters          = NULL,
        .post_parse             = NULL,
+       .rule_to_cs             = nft_rule_to_ebtables_command_state,
+       .clear_cs               = ebt_cs_clean,
        .rule_find              = nft_bridge_rule_find,
        .xlate                  = nft_bridge_xlate,
 };

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index bddd784c086d691aaee1340ad16b5be13bd95922..36258c9796c8476728e7f0d45080738eeb7d4a03 100644 (file)
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -519,6 +519,8 @@ struct nft_family_ops nft_family_ops_ipv4 = {
        .proto_parse            = nft_ipv4_proto_parse,
        .post_parse             = nft_ipv4_post_parse,
        .parse_target           = nft_ipv4_parse_target,
+       .rule_to_cs             = nft_rule_to_iptables_command_state,
+       .clear_cs               = nft_clear_iptables_command_state,
        .rule_find              = nft_ipv4_rule_find,
        .xlate                  = nft_ipv4_xlate,
 };

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 79c02e44122518325598bcc4eed3f8fff4d2b630..419260199ba0904431f76b1f52a1cb657252a2f7 100644 (file)
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -474,6 +474,8 @@ struct nft_family_ops nft_family_ops_ipv6 = {
        .proto_parse            = nft_ipv6_proto_parse,
        .post_parse             = nft_ipv6_post_parse,
        .parse_target           = nft_ipv6_parse_target,
+       .rule_to_cs             = nft_rule_to_iptables_command_state,
+       .clear_cs               = nft_clear_iptables_command_state,
        .rule_find              = nft_ipv6_rule_find,
        .xlate                  = nft_ipv6_xlate,
 };

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 12c22a40806013fa18d97666bdd2fa843f1da8a4..87d48bf620bb5b300e511e8408d065743bbb216c 100644 (file)
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -626,6 +626,11 @@ void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
                cs->jumpto = "";
 }
 
+void nft_clear_iptables_command_state(struct iptables_command_state *cs)
+{
+       xtables_rule_matches_free(&cs->matches);
+}
+
 void print_header(unsigned int format, const char *chain, const char *pol,
                  const struct xt_counters *counters, bool basechain,
                  uint32_t refs)

diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 2ad1ae6bd16517c3104941817d2962695d82e5b6..8172c8731151a60c5ff48f9bb17c625f4a47290b 100644 (file)
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -101,6 +101,9 @@ struct nft_family_ops {
                           struct xtables_args *args);
        void (*parse_match)(struct xtables_match *m, void *data);
        void (*parse_target)(struct xtables_target *t, void *data);
+       void (*rule_to_cs)(const struct nftnl_rule *r,
+                          struct iptables_command_state *cs);
+       void (*clear_cs)(struct iptables_command_state *cs);
        bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
                          void *data);
        int (*xlate)(const void *data, struct xt_xlate *xl);
@@ -144,6 +147,7 @@ void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters);
 void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
 void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
                                        struct iptables_command_state *cs);
+void nft_clear_iptables_command_state(struct iptables_command_state *cs);
 void print_header(unsigned int format, const char *chain, const char *pol,
                  const struct xt_counters *counters, bool basechain,
                  uint32_t refs);