On 21 August 2016 at 20:10, Pablo M. Bermudo Garay <pablombg@xxxxxxxxx> wrote: > This patch adds a verification of the compatibility between the nft > ruleset and iptables. If the nft ruleset is not compatible with > iptables, the execution stops and an error message is displayed to the > user. > > This checking is triggered by xtables-compat -L and xtables-compat-save > commands. > > Signed-off-by: Pablo M. Bermudo Garay <pablombg@xxxxxxxxx> > --- > iptables/nft.c | 166 ++++++++++++++++++++++++++++++++++++++++++++++++ > iptables/nft.h | 2 + > iptables/xtables-save.c | 5 ++ > iptables/xtables.c | 5 ++ > 4 files changed, 178 insertions(+) > > diff --git a/iptables/nft.c b/iptables/nft.c > index 247a60a..7389689 100644 > --- a/iptables/nft.c > +++ b/iptables/nft.c 
> @@ -2698,3 +2698,169 @@ uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag) > > return NFT_CMP_EQ; > } > + > +static int nft_is_rule_compatible(struct nftnl_rule *rule) > +{ > + struct nftnl_expr_iter *iter; > + struct nftnl_expr *expr; > + > + iter = nftnl_expr_iter_create(rule); > + if (iter == NULL) > + return -1; > + > + expr = nftnl_expr_iter_next(iter); > + while (expr != NULL) { > + const char *name = nftnl_expr_get_str(expr, NFTNL_EXPR_NAME); > + > + if (strcmp(name, "counter") && > + strcmp(name, "match") && > + strcmp(name, "target") && > + strcmp(name, "payload") && > + strcmp(name, "meta") && > + strcmp(name, "bitwise") && > + strcmp(name, "cmp") && > + strcmp(name, "immediate") && > + strcmp(name, "match") && > + strcmp(name, "target")) { > + nftnl_expr_iter_destroy(iter); > + return 1; > + } > + > + expr = nftnl_expr_iter_next(iter); > + } > + > + nftnl_expr_iter_destroy(iter); > + return 0; > +} > +

I don't fully understand this logic. It seems there are expression names which are repeated. Is that intended?

-- Arturo Borrero González
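Review bot: in nft_is_rule_compatible() the strcmp() chain lists "match" and "target" twice (once right after "counter", again as the last two entries), so the second pair can never change the outcome; drop the trailing `strcmp(name, "match") && strcmp(name, "target")` or replace the chain with a lookup over a static array of allowed expression names so additions do not end up duplicated. A second point in the same hunk: the function has three results, -1 when nftnl_expr_iter_create() fails, 1 for a rule containing an expression outside the allow-list, and 0 for compatible, but the callers in xtables.c and xtables-save.c are not part of this hunk, so it is worth making sure they treat -1 as "could not verify" and still stop with an error rather than folding it into the compatible path; a ruleset that cannot be checked should not be listed or saved as if it were iptables-compatible.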