Hi Tomasz, this patch permit to translate ebt flags to ip flags, and vice versa. Could you review it please? I think I forgetting something, probably you can't compile it since previous patches are missing. Thanks
Signed-off-by: Giuseppe Longo <giuseppelng@xxxxxxxxx>
---
include/linux/netfilter_bridge/ebtables.h | 1 -
iptables/nft-bridge.c | 45 ++++++++++++++++++++++++++++++-
2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 8f520c6..c841f58 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -13,7 +13,6 @@
 /* Local copy of the kernel file, needed for Sparc64 support */
 #ifndef __LINUX_BRIDGE_EFF_H
 #define __LINUX_BRIDGE_EFF_H
-#include <linux/if.h>
 #include <linux/netfilter_bridge.h>
 #include <linux/if_ether.h>
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 5c28b43..4a1a1e8 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -11,9 +11,52 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <net/if.h>
+#include <stdint.h>
+#include <linux/netfilter_bridge/ebtables.h>
+
+#include "nft-shared.h"
 #include "nft.h"
+static uint8_t ebt_to_ipt_flags(uint16_t invflags)
+{
+ uint8_t result = 0;
+
+ if (invflags & EBT_IIN)
+ result |= IPT_INV_VIA_IN;
+
+ if (invflags & EBT_IOUT)
+ result |= IPT_INV_VIA_OUT;
+
+ if (invflags & EBT_IPROTO)
+ result |= IPT_INV_PROTO;
+
+ if (invflags & EBT_INV_MASK)
+ result |= IPT_INV_MASK;
+
+ return result;
+}
+
+static uint16_t ipt_to_ebt_flags(uint8_t invflags)
+{
+ uint16_t result = 0;
+
+ if (invflags & IPT_INV_VIA_IN)
+ result |= EBT_IIN;
+
+ if (invflags & IPT_INV_VIA_OUT)
+ result |= EBT_IOUT;
+
+ if (invflags & IPT_INV_PROTO)
+ result |= EBT_IPROTO;
+
+ if (invflags & IPT_INV_MASK)
+ result |= EBT_INV_MASK;
+
+ return result;
+}
+
 /* Be backwards compatible, so don't use '+' in kernel */
 #define IF_WILDCARD 1
 static void print_iface(const char *iface)
@@ -194,4 +237,4 @@ struct nft_family_ops nft_family_ops_bridge = {
 .post_parse = NULL,
 .rule_find = NULL,
 .parse_target = NULL,
-};
\ No newline at end of file
+};
-- 
1.8.1.5
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
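Review bot: The last branch in each helper tests a whole mask rather than a single bit: `if (invflags & EBT_INV_MASK) result |= IPT_INV_MASK;` in ebt_to_ipt_flags, and its mirror in ipt_to_ebt_flags. If these are the all-inversion-bits masks, as the names suggest (their definitions are not in this patch), the test is true whenever any one inversion flag is set and the result then carries every inversion bit, so a rule that negates only the input interface would come back negating protocol and addresses as well and match different traffic than the user wrote. I would drop both mask branches and translate only the three flags that have a counterpart, with a comment such as `/* only IIN, IOUT and IPROTO have an ipt equivalent; other inversion bits are dropped */` so the lossy conversion is visible to callers. Both functions are static and not called anywhere in this hunk, so a build with -Wunused-function will warn until a caller lands.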