[iptables PATCH v2 2/4] nft: Introduce and use bool nft_handle::compat


 



If set, create rules using compat expressions where possible and disable
the bitwise expression avoidance introduced in 323259001d617 ("nft:
Optimize class-based IP prefix matches").

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/nft-shared.c |  2 +-
 iptables/nft.c        | 10 ++++++----
 iptables/nft.h        |  1 +
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 34ca9d16569d0..5e0ca00e7dd36 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -198,7 +198,7 @@ void add_addr(struct nft_handle *h, struct nftnl_rule *r,
 
 	for (i = 0; i < len; i++) {
 		if (m[i] != 0xff) {
-			bitwise = m[i] != 0;
+			bitwise = h->compat || m[i] != 0;
 			break;
 		}
 	}
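Review bot: The new `h->compat ||` term changes what the loop computes in a way the line itself does not convey: with compat set, any mask that is not all 0xff now yields a bitwise expression, whereas without it a mask whose first non-0xff byte is zero skips it. A short comment above the assignment would help, e.g. `/* compat mode: always emit the bitwise expression for a partial mask */`. Note that an all-0xff mask still leaves bitwise false in compat mode because the branch is never entered, which looks intended. add_addr starts before and continues after this hunk.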
diff --git a/iptables/nft.c b/iptables/nft.c
index 1fc12b0c659c7..09ff9cf11e195 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1476,10 +1476,12 @@ int add_match(struct nft_handle *h, struct nft_rule_ctx *ctx,
 	case NFT_COMPAT_RULE_APPEND:
 	case NFT_COMPAT_RULE_INSERT:
 	case NFT_COMPAT_RULE_REPLACE:
-		if (!strcmp(m->u.user.name, "limit"))
-			return add_nft_limit(r, m);
-		else if (!strcmp(m->u.user.name, "among"))
+		if (!strcmp(m->u.user.name, "among"))
 			return add_nft_among(h, r, m);
+		else if (h->compat)
+			break;
+		else if (!strcmp(m->u.user.name, "limit"))
+			return add_nft_limit(r, m);
 		else if (!strcmp(m->u.user.name, "udp"))
 			return add_nft_udp(h, r, m);
 		else if (!strcmp(m->u.user.name, "tcp"))
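Review bot: The "among" comparison is deliberately kept ahead of the new `h->compat` break, so "among" is still translated natively even in compat mode while every other match now falls through to the compat path, and that exception is invisible without a comment. I assume the reason is that it has no compat counterpart; worth confirming and recording, e.g. `/* "among" is always handled natively, even in compat mode */` above the first strcmp. The same gating appears in add_target in the next hunk (`!h->compat && ... "TRACE"`), where a matching one-line comment would keep the two consistent. add_match's body starts before and continues past this hunk.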
@@ -1544,7 +1546,7 @@ int add_target(struct nft_handle *h, struct nftnl_rule *r,
 	struct nftnl_expr *expr;
 	int ret;
 
-	if (strcmp(t->u.user.name, "TRACE") == 0)
+	if (!h->compat && strcmp(t->u.user.name, "TRACE") == 0)
 		return add_meta_nftrace(r);
 
 	expr = nftnl_expr_alloc("target");
diff --git a/iptables/nft.h b/iptables/nft.h
index a89aff0af68d0..fb9fc81ea2704 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -111,6 +111,7 @@ struct nft_handle {
 	struct list_head	cmd_list;
 	bool			cache_init;
 	int			verbose;
+	bool			compat;
 
 	/* meta data, for error reporting */
 	struct {
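Review bot: The new `compat` field is declared without a comment, and the neighbouring fields give no hint what it controls; nothing in this patch writes it either, so a reader of nft.h alone cannot tell its default or who sets it. Suggest `bool compat; /* prefer compat (xt match/target) expressions over native nft ones */` on the declaration. Assuming the handle is zero-initialised, compat defaults to false and existing behaviour is unchanged, which I take to be the intent, with a later patch in the series presumably setting it; that is worth stating in the comment. struct nft_handle continues outside this hunk.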
-- 
2.40.0




