xtables: nft: add protocol and flags for xtables over nf_tables

Add protocol and flags for the compatibility layer.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 5385bf32f4de0a4c8eb5a3bc3d2e7e557ab844bf..5f40dc05de4e2438be4d20255b399b64aabe4e51 100644 (file)
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -97,10 +97,24 @@ enum nft_rule_attributes {
        NFTA_RULE_HANDLE,
        NFTA_RULE_EXPRESSIONS,
        NFTA_RULE_FLAGS,
+       NFTA_RULE_COMPAT,
        __NFTA_RULE_MAX
 };
 #define NFTA_RULE_MAX          (__NFTA_RULE_MAX - 1)
 
+enum nft_rule_compat_flags {
+       NFT_RULE_COMPAT_F_INV   = (1 << 1),
+       NFT_RULE_COMPAT_F_MASK  = NFT_RULE_COMPAT_F_INV,
+};
+
+enum nft_rule_compat_attributes {
+       NFTA_RULE_COMPAT_UNSPEC,
+       NFTA_RULE_COMPAT_PROTO,
+       NFTA_RULE_COMPAT_FLAGS,
+       __NFTA_RULE_COMPAT_MAX
+};
+#define NFTA_RULE_COMPAT_MAX   (__NFTA_RULE_COMPAT_MAX - 1)
+
 /**
  * enum nft_set_flags - nf_tables set flags
  *

diff --git a/iptables/nft.c b/iptables/nft.c
index f42e43774e29d46e440b881d1f2c45fceeda9d44..c3d5d6108ae8843e0592c9d25b8f080fde14adb8 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -800,6 +800,13 @@ static void add_addr(struct nft_rule *r, int offset,
        add_cmp_ptr(r, op, data, len);
 }
 
+static void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
+{
+       nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto);
+       nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS,
+                             inv ? NFT_RULE_COMPAT_F_INV : 0);
+}
+
 static void add_proto(struct nft_rule *r, int offset, size_t len,
                      uint32_t proto, int invflags)
 {
@@ -813,6 +820,7 @@ static void add_proto(struct nft_rule *r, int offset, size_t len,
                op = NFT_CMP_EQ;
 
        add_cmp_u32(r, proto, op);
+       add_compat(r, proto, invflags & XT_INV_PROTO);
 }
 
 int