[iptables PATCH 05/17] xtables: Introduce rule_to_cs/clear_cs callbacks


 



This introduces callbacks in nft_family_ops for parsing an nftnl rule
into iptables_command_state and clearing it afterwards.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-arp.c    | 2 ++
 iptables/nft-bridge.c | 4 +++-
 iptables/nft-ipv4.c   | 2 ++
 iptables/nft-ipv6.c   | 2 ++
 iptables/nft-shared.c | 5 +++++
 iptables/nft-shared.h | 4 ++++
 6 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 06d8664790f4e..164c3971f1f4f 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -667,6 +667,8 @@ struct nft_family_ops nft_family_ops_arp = {
 	.save_firewall		= NULL,
 	.save_counters		= NULL,
 	.post_parse		= NULL,
+	.rule_to_cs		= nft_rule_to_arptables_command_state,
+	.clear_cs		= NULL,
 	.rule_find		= nft_arp_rule_find,
 	.parse_target		= nft_arp_parse_target,
 };
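Review bot: `.clear_cs = NULL` on the arp ops makes a NULL callback part of the contract, while the bridge, ipv4 and ipv6 ops all supply one, so every call site added later must guard with `if (ops->clear_cs) ops->clear_cs(cs);` or the arp path dereferences NULL; the callers are not in this patch, so the contract is only implied here. The alternative that avoids the special case is to install a no-op `nft_clear_arptables_command_state()` and keep the callback unconditional. If `nft_rule_to_arptables_command_state()` allocates anything into `cs` (a target or match structure), nothing releases it while `clear_cs` is NULL; that function is outside this hunk, so this needs confirming against it.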
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 4b3c163b2d4a4..3834d6dd805bd 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -347,7 +347,7 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
 	cs->target = t;
 }
 
-static void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
+static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,
 					       struct iptables_command_state *cs)
 {
 	cs->eb.bitmask = EBT_NOPROTO;
@@ -733,6 +733,8 @@ struct nft_family_ops nft_family_ops_bridge = {
 	.save_firewall		= NULL,
 	.save_counters		= NULL,
 	.post_parse		= NULL,
+	.rule_to_cs		= nft_rule_to_ebtables_command_state,
+	.clear_cs		= ebt_cs_clean,
 	.rule_find		= nft_bridge_rule_find,
 	.xlate			= nft_bridge_xlate,
 };
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index bddd784c086d6..36258c9796c84 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -519,6 +519,8 @@ struct nft_family_ops nft_family_ops_ipv4 = {
 	.proto_parse		= nft_ipv4_proto_parse,
 	.post_parse		= nft_ipv4_post_parse,
 	.parse_target		= nft_ipv4_parse_target,
+	.rule_to_cs		= nft_rule_to_iptables_command_state,
+	.clear_cs		= nft_clear_iptables_command_state,
 	.rule_find		= nft_ipv4_rule_find,
 	.xlate			= nft_ipv4_xlate,
 };
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 79c02e4412251..419260199ba09 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -474,6 +474,8 @@ struct nft_family_ops nft_family_ops_ipv6 = {
 	.proto_parse		= nft_ipv6_proto_parse,
 	.post_parse		= nft_ipv6_post_parse,
 	.parse_target		= nft_ipv6_parse_target,
+	.rule_to_cs		= nft_rule_to_iptables_command_state,
+	.clear_cs		= nft_clear_iptables_command_state,
 	.rule_find		= nft_ipv6_rule_find,
 	.xlate			= nft_ipv6_xlate,
 };
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 12c22a4080601..87d48bf620bb5 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -626,6 +626,11 @@ void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
 		cs->jumpto = "";
 }
 
+void nft_clear_iptables_command_state(struct iptables_command_state *cs)
+{
+	xtables_rule_matches_free(&cs->matches);
+}
+
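Review bot: `nft_clear_iptables_command_state()` releases only `cs->matches`, yet it is registered as the counterpart of `nft_rule_to_iptables_command_state()`, which (from its tail at the top of the hunk) also sets `cs->jumpto` and presumably `cs->target`; if the parser allocates per-rule target data such as `cs->target->t`, that allocation is leaked on every rule listed, which can't be confirmed from this hunk. The pairing deserves a comment stating what is and is not owned, e.g. `/* Release what nft_rule_to_iptables_command_state() allocated in @cs (currently the match list only; target data is not touched). */`. Whether `xtables_rule_matches_free()` resets `cs->matches` to NULL so that `cs` can be reused for the next rule is also not visible here and should be verified, since a stale head pointer would turn into a double free on the second clear.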
 void print_header(unsigned int format, const char *chain, const char *pol,
 		  const struct xt_counters *counters, bool basechain,
 		  uint32_t refs)
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 2ad1ae6bd1651..8172c8731151a 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -101,6 +101,9 @@ struct nft_family_ops {
 			   struct xtables_args *args);
 	void (*parse_match)(struct xtables_match *m, void *data);
 	void (*parse_target)(struct xtables_target *t, void *data);
+	void (*rule_to_cs)(const struct nftnl_rule *r,
+			   struct iptables_command_state *cs);
+	void (*clear_cs)(struct iptables_command_state *cs);
 	bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
 			  void *data);
 	int (*xlate)(const void *data, struct xt_xlate *xl);
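Review bot: The two new `nft_family_ops` members are undocumented, and the arp instance in this series sets `clear_cs` to NULL, so the header is the place to state that it is optional and what the pair owns; e.g. above `rule_to_cs`: `/* Parse @r into @cs; clear_cs releases what rule_to_cs allocated in @cs and may be NULL when nothing needs freeing. */`. The `struct nft_family_ops` definition begins before this hunk. A short note that `cs` is expected to be zeroed by the caller before `rule_to_cs` would also help, if that is the intended contract — I can't tell from the hunk.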
@@ -144,6 +147,7 @@ void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters);
 void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e);
 void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
 					struct iptables_command_state *cs);
+void nft_clear_iptables_command_state(struct iptables_command_state *cs);
 void print_header(unsigned int format, const char *chain, const char *pol,
 		  const struct xt_counters *counters, bool basechain,
 		  uint32_t refs);
-- 
2.18.0



