nft: decode meta l4proto

Allow to show '-p tcp' in case rule was added by nft (which prefers
use of meta l4proto).

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 0cfe84e11b2d930561e876e91f07420b2a22090b..eaf861d1f76e7ee16e82b48b9686bea497189653 100644 (file)
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -172,6 +172,16 @@ static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 {
        struct iptables_command_state *cs = data;
 
+       switch (ctx->meta.key) {
+       case NFT_META_L4PROTO:
+               cs->fw.ip.proto = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
+               if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
+                       cs->fw.ip.invflags |= XT_INV_PROTO;
+               return;
+       default:
+               break;
+       }
+
        parse_meta(e, ctx->meta.key, cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
                   cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
                   &cs->fw.ip.invflags);

diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index a33d4573b4df68e52177e610f380ef5044c014e9..5315aba647be3d0fd50ecfbe6fa8a8248381a8af 100644 (file)
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -115,6 +115,16 @@ static void nft_ipv6_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 {
        struct iptables_command_state *cs = data;
 
+       switch (ctx->meta.key) {
+       case NFT_META_L4PROTO:
+               cs->fw6.ipv6.proto = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
+               if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
+                       cs->fw6.ipv6.invflags |= XT_INV_PROTO;
+               return;
+       default:
+               break;
+       }
+
        parse_meta(e, ctx->meta.key, cs->fw6.ipv6.iniface,
                   cs->fw6.ipv6.iniface_mask, cs->fw6.ipv6.outiface,
                   cs->fw6.ipv6.outiface_mask, &cs->fw6.ipv6.invflags);