If set, create rules using compat expressions where possible and disable the bitwise expression avoidance introduced in 323259001d617 ("nft: Optimize class-based IP prefix matches").

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-shared.c | 2 +-
 iptables/nft.c        | 6 +++++-
 iptables/nft.h        | 1 +
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 12860fbf6d575..8e7a706f8765d 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -198,7 +198,7 @@ void add_addr(struct nft_handle *h, struct nftnl_rule *r,
 
 	for (i = 0; i < len; i++) {
 		if (m[i] != 0xff) {
-			bitwise = m[i] != 0;
+			bitwise = h->compat || m[i] != 0;
 			break;
 		}
 	}
diff --git a/iptables/nft.c b/iptables/nft.c
index 55f98c164846e..786e4a12cf720 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1468,6 +1468,9 @@ int add_match(struct nft_handle *h,
 	struct nftnl_expr *expr;
 	int ret;
 
+	if (h->compat && strcmp(m->u.user.name, "among"))
+		goto add_compat_expr;
+
 	if (!strcmp(m->u.user.name, "limit"))
 		return add_nft_limit(r, m);
 	else if (!strcmp(m->u.user.name, "among"))
@@ -1479,6 +1482,7 @@ int add_match(struct nft_handle *h,
 	else if (!strcmp(m->u.user.name, "mark"))
 		return add_nft_mark(h, r, m);
 
+add_compat_expr:
 	expr = nftnl_expr_alloc("match");
 	if (expr == NULL)
 		return -ENOMEM;
@@ -1532,7 +1536,7 @@ int add_target(struct nft_handle *h, struct nftnl_rule *r,
 	struct nftnl_expr *expr;
 	int ret;
 
-	if (strcmp(t->u.user.name, "TRACE") == 0)
+	if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0)
 		return add_meta_nftrace(r);
 
 	expr = nftnl_expr_alloc("target");
diff --git a/iptables/nft.h b/iptables/nft.h
index c8d5bfdc50871..6f56f5b46e775 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -111,6 +111,7 @@ struct nft_handle {
 	struct list_head cmd_list;
 	bool cache_init;
 	int verbose;
+	bool compat;
 
 	/* meta data, for error reporting */
 	struct {
-- 
2.40.0
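Review bot: The `h->compat ||` on the rewritten line inside add_addr's mask scan reads like a property of the mask rather than a mode switch, so it deserves a comment; I would put `/* compat mode never truncates prefix masks: always emit the bitwise expression */` above the loop. Note the condition is only reached for the first byte that is not 0xff, so an all-ones mask still skips the bitwise expression even in compat mode — if that is intended (it matches the pre-323259001d617 behaviour as far as this hunk shows), the commit message could say so explicitly. The add_target hunk in nft.c adds an equally bare `!h->compat &&` short-circuit that would benefit from the same kind of comment. add_addr starts and ends outside the hunk.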
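Review bot: The new guard in add_match uses `strcmp(m->u.user.name, "among")` as a bare truth value, while the chain right below writes `!strcmp(...)` and the add_target hunk writes `strcmp(...) == 0`; spelling it `if (h->compat && strcmp(m->u.user.name, "among") != 0)` keeps the "not among" meaning explicit and consistent with the file. The hunk also does not say why "among" is the one match that keeps its nft-native path in compat mode — presumably it has no xt-match fallback, but nothing here shows that — so a one-line comment on the guard stating the reason would save the next reader a lookup. The `add_compat_expr:` label this jumps to is introduced in the following hunk of the same function, which continues outside both hunks.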
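Review bot: The new `bool compat;` member of struct nft_handle carries no comment, while the sub-struct two lines below is annotated with `/* meta data, for error reporting */`; I would write `bool compat;	/* prefer xt match/target expressions over native nft ones */` to match the existing style. Nothing in this patch assigns the field, so its value depends on the handle being zero-initialized wherever it is allocated — presumably a later patch in the series wires it to an option, but that is not visible here. Since add_addr, add_match and add_target all read it, an uninitialized handle would change which expressions a rule is built from, which is worth a sentence in the commit message.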