Re: [PATCH iptables] nft-ruleparse: parse meta mark set as MARK target

On Thu, Aug 03, 2023 at 09:39:13PM +0200, Florian Westphal wrote:
> Mixing nftables and iptables-nft in the same table doesn't work,
> but some people do this.
> 
> v1.8.8 ignored rules it could not represent in iptables syntax,
> v1.8.9 bails in this case.
> 
> Add parsing of meta mark expressions so iptables-nft can render them
> as -j MARK rules.
> 
> This is flawed, nft has features that have no corresponding
> syntax in iptables, but we can't undo this.
> 
> Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1659

Intentionally not "Closes:"?

> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  iptables/nft-ruleparse.c | 83 +++++++++++++++++++++++++++-------------
>  1 file changed, 56 insertions(+), 27 deletions(-)
> 
> diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
> index edbbfa40e9c4..44b9bcc268f4 100644
> --- a/iptables/nft-ruleparse.c
> +++ b/iptables/nft-ruleparse.c
> @@ -84,6 +84,37 @@ nft_create_match(struct nft_xt_ctx *ctx,
>  	return match->m->data;
>  }
>  
> +static void *
> +nft_create_target(struct nft_xt_ctx *ctx,
> +		  struct iptables_command_state *cs,
> +		  const char *name)
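Review bot: nft_create_target is introduced right after nft_create_match with no comment stating what it returns or how failure is reported; since the sibling nft_create_match ends in `return match->m->data;`, a one-line comment above the new helper saying whether it likewise returns the target's private data and returns NULL when no target can be created would let callers check the result correctly. The function body is not quoted here, so that part of the hunk cannot be reviewed from the visible lines.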

Please hold back a bit, I have a better implementation of this function
lingering locally. Will adjust and submit both in a minute.

Thanks, Phil
