xtables: Do not pass nft_handle to do_parse()
authorPhil Sutter <phil@nwl.cc>
Thu, 23 Dec 2021 17:55:53 +0000 (18:55 +0100)
committerPhil Sutter <phil@nwl.cc>
Wed, 12 Jan 2022 13:08:41 +0000 (14:08 +0100)
Make it fit for sharing with legacy iptables by dropping the nft-specific
parameter. This requires mirroring the proto_parse and post_parse callbacks
from family_ops somewhere reachable - use xt_cmd_parse, since it holds other
"parser setup data" as well.

Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-arp.c
iptables/nft-bridge.c
iptables/nft-ipv4.c
iptables/nft-ipv6.c
iptables/nft-shared.h
iptables/xshared.h
iptables/xtables-translate.c
iptables/xtables.c

index b211a30937db3376437f42b748067ae67a4ce790..1472b11543239efbe4e7404d96be4408f34d57b6 100644 (file)
@@ -802,7 +802,9 @@ struct nft_family_ops nft_family_ops_arp = {
        .print_rule             = nft_arp_print_rule,
        .save_rule              = nft_arp_save_rule,
        .save_chain             = nft_arp_save_chain,
-       .post_parse             = nft_arp_post_parse,
+       .cmd_parse              = {
+               .post_parse     = nft_arp_post_parse,
+       },
        .rule_to_cs             = nft_rule_to_iptables_command_state,
        .init_cs                = nft_arp_init_cs,
        .clear_cs               = nft_clear_iptables_command_state,
index 5cde302c4f189621284f8b6127f935bf37034f16..90d55e441ab9518133df992f56bd9a7700e4ad9c 100644 (file)
@@ -900,7 +900,6 @@ struct nft_family_ops nft_family_ops_bridge = {
        .print_rule             = nft_bridge_print_rule,
        .save_rule              = nft_bridge_save_rule,
        .save_chain             = nft_bridge_save_chain,
-       .post_parse             = NULL,
        .rule_to_cs             = nft_rule_to_ebtables_command_state,
        .clear_cs               = ebt_cs_clean,
        .xlate                  = nft_bridge_xlate,
index f36260980e82986e3ba92c39040ecc23d52e6a12..07da0a7edb3ac34eb69da5e2229dd5c5866c3936 100644 (file)
@@ -510,8 +510,10 @@ struct nft_family_ops nft_family_ops_ipv4 = {
        .print_rule             = nft_ipv4_print_rule,
        .save_rule              = nft_ipv4_save_rule,
        .save_chain             = nft_ipv46_save_chain,
-       .proto_parse            = nft_ipv4_proto_parse,
-       .post_parse             = nft_ipv4_post_parse,
+       .cmd_parse              = {
+               .proto_parse    = nft_ipv4_proto_parse,
+               .post_parse     = nft_ipv4_post_parse,
+       },
        .parse_target           = nft_ipv46_parse_target,
        .rule_to_cs             = nft_rule_to_iptables_command_state,
        .clear_cs               = nft_clear_iptables_command_state,
index 132130880a43a07f4fc8030e5105d05f5c80e15b..4f80ed841f95c673e66e0787550958398492654b 100644 (file)
@@ -495,8 +495,10 @@ struct nft_family_ops nft_family_ops_ipv6 = {
        .print_rule             = nft_ipv6_print_rule,
        .save_rule              = nft_ipv6_save_rule,
        .save_chain             = nft_ipv46_save_chain,
-       .proto_parse            = nft_ipv6_proto_parse,
-       .post_parse             = nft_ipv6_post_parse,
+       .cmd_parse              = {
+               .proto_parse    = nft_ipv6_proto_parse,
+               .post_parse     = nft_ipv6_post_parse,
+       },
        .parse_target           = nft_ipv46_parse_target,
        .rule_to_cs             = nft_rule_to_iptables_command_state,
        .clear_cs               = nft_clear_iptables_command_state,
index 4948aef761d10b1c35046f7c4ba79b0c0efe23fb..195e5fed43075552d894900fb90d4fbd3f183d44 100644 (file)
@@ -100,10 +100,7 @@ struct nft_family_ops {
                           unsigned int num, unsigned int format);
        void (*save_rule)(const void *data, unsigned int format);
        void (*save_chain)(const struct nftnl_chain *c, const char *policy);
-       void (*proto_parse)(struct iptables_command_state *cs,
-                           struct xtables_args *args);
-       void (*post_parse)(int command, struct iptables_command_state *cs,
-                          struct xtables_args *args);
+       struct xt_cmd_parse_ops cmd_parse;
        void (*parse_match)(struct xtables_match *m, void *data);
        void (*parse_target)(struct xtables_target *t, void *data);
        void (*init_cs)(struct iptables_command_state *cs);
@@ -177,40 +174,7 @@ void nft_ipv46_parse_target(struct xtables_target *t, void *data);
 bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2);
 bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2);
 
-struct addr_mask {
-       union {
-               struct in_addr  *v4;
-               struct in6_addr *v6;
-               void *ptr;
-       } addr;
-
-       unsigned int naddrs;
-
-       union {
-               struct in_addr  *v4;
-               struct in6_addr *v6;
-               void *ptr;
-       } mask;
-};
-
-struct xtables_args {
-       int             family;
-       uint16_t        proto;
-       uint8_t         flags;
-       uint16_t        invflags;
-       char            iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-       unsigned char   iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-       bool            goto_set;
-       const char      *shostnetworkmask, *dhostnetworkmask;
-       const char      *pcnt, *bcnt;
-       struct addr_mask s, d;
-       const char      *src_mac, *dst_mac;
-       const char      *arp_hlen, *arp_opcode;
-       const char      *arp_htype, *arp_ptype;
-       unsigned long long pcnt_cnt, bcnt_cnt;
-};
-
-void do_parse(struct nft_handle *h, int argc, char *argv[],
+void do_parse(int argc, char *argv[],
              struct xt_cmd_parse *p, struct iptables_command_state *cs,
              struct xtables_args *args);
 
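Review bot: `struct xt_cmd_parse_ops cmd_parse;` embeds the new type by value in struct nft_family_ops (first hunk of this section), so nft-shared.h needs the complete definition from xshared.h before that point, not merely a forward declaration; whether this header already includes xshared.h is not visible in the hunk and is worth confirming. Since do_parse() no longer takes a struct nft_handle and the commit's stated goal is sharing it with legacy iptables, the prototype at the end of this section arguably belongs in xshared.h next to struct xt_cmd_parse rather than in the nft-specific header; a follow-up move would keep the nft header free of the shared parser API.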
index dde94b7335f6aecaa575f07c025281c2f17feaa6..34730be6ce004a79cf2832b73e79ba0ffeabb749 100644 (file)
@@ -262,6 +262,47 @@ int print_match_save(const struct xt_entry_match *e, const void *ip);
 void xtables_printhelp(const struct xtables_rule_match *matches);
 void exit_tryhelp(int status, int line) __attribute__((noreturn));
 
+struct addr_mask {
+       union {
+               struct in_addr  *v4;
+               struct in6_addr *v6;
+               void *ptr;
+       } addr;
+
+       unsigned int naddrs;
+
+       union {
+               struct in_addr  *v4;
+               struct in6_addr *v6;
+               void *ptr;
+       } mask;
+};
+
+struct xtables_args {
+       int             family;
+       uint16_t        proto;
+       uint8_t         flags;
+       uint16_t        invflags;
+       char            iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+       unsigned char   iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+       bool            goto_set;
+       const char      *shostnetworkmask, *dhostnetworkmask;
+       const char      *pcnt, *bcnt;
+       struct addr_mask s, d;
+       const char      *src_mac, *dst_mac;
+       const char      *arp_hlen, *arp_opcode;
+       const char      *arp_htype, *arp_ptype;
+       unsigned long long pcnt_cnt, bcnt_cnt;
+};
+
+struct xt_cmd_parse_ops {
+       void    (*proto_parse)(struct iptables_command_state *cs,
+                              struct xtables_args *args);
+       void    (*post_parse)(int command,
+                             struct iptables_command_state *cs,
+                             struct xtables_args *args);
+};
+
 struct xt_cmd_parse {
        unsigned int                    command;
        unsigned int                    rulenum;
@@ -272,6 +313,7 @@ struct xt_cmd_parse {
        bool                            restore;
        int                             verbose;
        bool                            xlate;
+       struct xt_cmd_parse_ops         *ops;
 };
 
 #endif /* IPTABLES_XSHARED_H */
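Review bot: `struct xt_cmd_parse_ops *ops;` added to struct xt_cmd_parse should be `const struct xt_cmd_parse_ops *ops;` — do_parse() only reads the two callbacks through it, and a const pointer keeps a table of function pointers from being writable through the parse context. The new struct xt_cmd_parse_ops also carries no comment stating its contract; I would add above it `/* Family-specific hooks invoked by do_parse(); either callback may be NULL. */`, since nft-bridge.c no longer sets either one and do_parse() in this commit checks both before calling. The struct addr_mask and struct xtables_args definitions are moved verbatim from nft-shared.h and need nothing further.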
index 9d312b244657e343a30fe883eb6472456b93eeeb..c287d3bdc75e0999a4df29b2717acce00f2e9453 100644 (file)
@@ -252,6 +252,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
                .table          = *table,
                .restore        = restore,
                .xlate          = true,
+               .ops            = &h->ops->cmd_parse,
        };
        struct iptables_command_state cs = {
                .jumpto = "",
@@ -265,7 +266,7 @@ static int do_command_xlate(struct nft_handle *h, int argc, char *argv[],
        if (h->ops->init_cs)
                h->ops->init_cs(&cs);
 
-       do_parse(h, argc, argv, &p, &cs, &args);
+       do_parse(argc, argv, &p, &cs, &args);
 
        cs.restore = restore;
 
index 5e8c027b8471e122a403c72519cbd71a2ab0d1e6..59fc63d0fee865e1f32db3e64488b0528d7123ef 100644 (file)
@@ -186,7 +186,7 @@ static void check_inverse(struct xtables_args *args, const char option[],
        }
 }
 
-void do_parse(struct nft_handle *h, int argc, char *argv[],
+void do_parse(int argc, char *argv[],
              struct xt_cmd_parse *p, struct iptables_command_state *cs,
              struct xtables_args *args)
 {
@@ -382,8 +382,8 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
                                           "rule would never match protocol");
 
                        /* This needs to happen here to parse extensions */
-                       if (h->ops->proto_parse)
-                               h->ops->proto_parse(cs, args);
+                       if (p->ops->proto_parse)
+                               p->ops->proto_parse(cs, args);
                        break;
 
                case 's':
@@ -653,7 +653,8 @@ void do_parse(struct nft_handle *h, int argc, char *argv[],
                xtables_error(PARAMETER_PROBLEM,
                           "nothing appropriate following !");
 
-       h->ops->post_parse(p->command, cs, args);
+       if (p->ops->post_parse)
+               p->ops->post_parse(p->command, cs, args);
 
        if (p->command == CMD_REPLACE &&
            (args->s.naddrs != 1 || args->d.naddrs != 1))
@@ -702,6 +703,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
        struct xt_cmd_parse p = {
                .table          = *table,
                .restore        = restore,
+               .ops            = &h->ops->cmd_parse,
        };
        struct iptables_command_state cs = {
                .jumpto = "",
@@ -714,7 +716,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table,
        if (h->ops->init_cs)
                h->ops->init_cs(&cs);
 
-       do_parse(h, argc, argv, &p, &cs, &args);
+       do_parse(argc, argv, &p, &cs, &args);
 
        if (!nft_table_builtin_find(h, p.table))
                xtables_error(VERSION_PROBLEM,
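Review bot: `p->ops` is dereferenced without a NULL check at both new call sites, `if (p->ops->proto_parse)` in the first do_parse hunk and `if (p->ops->post_parse)` in the second, so a caller that builds struct xt_cmd_parse with designated initializers and omits `.ops` — plausible once legacy iptables shares do_parse(), which is this commit's stated purpose — crashes where the old code read h->ops. Both callers touched by this commit (do_commandx here and do_command_xlate in xtables-translate.c) do set `.ops`, so either guard both sites, `if (p->ops && p->ops->proto_parse)` and `if (p->ops && p->ops->post_parse)`, or document the precondition on the prototype. do_parse() begins and ends outside these hunks.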