nft: Introduce and use bool nft_handle::compat
author Phil Sutter <phil@nwl.cc>
Fri, 5 May 2023 15:39:08 +0000 (17:39 +0200)
committer Phil Sutter <phil@nwl.cc>
Fri, 11 Aug 2023 13:56:38 +0000 (15:56 +0200)
If set, create rules using compat expressions where possible and disable
the bitwise expression avoidance introduced in 323259001d617 ("nft:
Optimize class-based IP prefix matches").

Signed-off-by: Phil Sutter <phil@nwl.cc>
iptables/nft-shared.c
iptables/nft.c
iptables/nft.h

index 34ca9d16569d0a329095518c964d9bbb8466c9c5..5e0ca00e7dd3670d9493f094b1eb5b864fe2fc72 100644 (file)
@@ -198,7 +198,7 @@ void add_addr(struct nft_handle *h, struct nftnl_rule *r,
 
        for (i = 0; i < len; i++) {
                if (m[i] != 0xff) {
-                       bitwise = m[i] != 0;
+                       bitwise = h->compat || m[i] != 0;
                        break;
                }
        }
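Review bot: The new line `bitwise = h->compat || m[i] != 0;` makes the mask inspection irrelevant whenever compat is set, yet the byte scan still runs and the reader has to work out that the `m[i] != 0` test only matters in the non-compat case. A one-line comment above it would make the intent explicit, e.g. `/* compat mode: keep the bitwise expr for any partial mask, never the prefix-match shortcut */`, citing the optimization the commit description attributes to 323259001d617. add_addr starts and ends outside the hunk, so whether `bitwise` is also assigned elsewhere in the function is not visible here.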
index 1fc12b0c659c7bb56f7d543cc1d8d5c88b5013a5..09ff9cf11e195dcded01870cfc6be9d88b337eb3 100644 (file)
@@ -1476,10 +1476,12 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
        case NFT_COMPAT_RULE_APPEND:
        case NFT_COMPAT_RULE_INSERT:
        case NFT_COMPAT_RULE_REPLACE:
-               if (!strcmp(m->u.user.name, "limit"))
-                       return add_nft_limit(r, m);
-               else if (!strcmp(m->u.user.name, "among"))
+               if (!strcmp(m->u.user.name, "among"))
                        return add_nft_among(h, r, m);
+               else if (h->compat)
+                       break;
+               else if (!strcmp(m->u.user.name, "limit"))
+                       return add_nft_limit(r, m);
                else if (!strcmp(m->u.user.name, "udp"))
                        return add_nft_udp(h, r, m);
                else if (!strcmp(m->u.user.name, "tcp"))
@@ -1544,7 +1546,7 @@ int add_target(struct nft_handle *h, struct nftnl_rule *r,
        struct nftnl_expr *expr;
        int ret;
 
-       if (strcmp(t->u.user.name, "TRACE") == 0)
+       if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0)
                return add_meta_nftrace(r);
 
        expr = nftnl_expr_alloc("target");
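Review bot: The compat early-out in add_match, `else if (h->compat) break;`, is placed between the name comparisons, so the reader must notice that "among" is the only match still built natively in compat mode while limit, udp, tcp and the rest now fall through to the generic path. A comment above the `among` test stating that exception explicitly would help, e.g. `/* "among" is always built natively; in compat mode every other match uses the compat expression */`. Why "among" cannot take the compat path is not visible in the hunk and I have not confirmed it, so the comment should record the reason if the exception is deliberate. The TRACE check in add_target is consistent with this scheme. Both add_match and add_target continue outside their hunks.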
index a89aff0af68d01f1d2dbbc077cdbbf49f68813f8..fb9fc81ea270466ff4a8dd49355c6664d6dd5bde 100644 (file)
@@ -111,6 +111,7 @@ struct nft_handle {
        struct list_head        cmd_list;
        bool                    cache_init;
        int                     verbose;
+       bool                    compat;
 
        /* meta data, for error reporting */
        struct {
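Review bot: The new `compat` field is added without a comment and nothing in this commit initializes it, so its meaning and default are only discoverable from the commit message. Suggest `bool compat; /* build compat (xt_*) expressions where possible; disables the bitwise-avoidance prefix match optimization */`. Whether every creation site of struct nft_handle zero-initializes the struct, so that the field reliably defaults to "off", is not visible here and is worth confirming. The struct definition continues outside the hunk.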