Patchwork [iptables-nftables,5/6] xtables: add support for translating xtables matches into nft expressions

Submitter Tomasz Bursztyka
Date May 14, 2013, 10:52 a.m.
Message ID <1368528727-10127-6-git-send-email-tomasz.bursztyka@linux.intel.com>
Permalink /patch/243677/
State RFC

Comments

Tomasz Bursztyka - May 14, 2013, 10:52 a.m.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
 include/xtables.h.in |  3 +++
 iptables/nft.c       | 21 ++++++++++++++-------
 2 files changed, 17 insertions(+), 7 deletions(-)

Patch

diff --git a/include/xtables.h.in b/include/xtables.h.in
index 74df61f..407c382 100644
--- a/include/xtables.h.in
+++ b/include/xtables.h.in
@@ -261,6 +261,9 @@  struct xtables_match
 	void (*x6_fcheck)(struct xt_fcheck_call *);
 	const struct xt_option_entry *x6_options;
 
+	/* NFT related */
+	struct nft_rule_expr_list *(*translate_to_nft)(struct xt_entry_match *);
+
 	/* Size of per-extension instance extra "global" scratch space */
 	size_t udata_size;
 
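Review bot: The new `translate_to_nft` callback is a public extension hook, but its only documentation is the comment `/* NFT related */`, which says nothing about the contract an extension author has to honour. The header should state what the callback returns on success, what a NULL return means (the only failure signal the caller in nft.c checks), and who owns the returned `struct nft_rule_expr_list` once it has been handed to `nft_rule_add_expr_list`, since that ownership is not visible from either hunk. A comment along the lines of `/* Translate this match into an equivalent list of nft expressions; return NULL if the match cannot be translated. Ownership of the list: TODO document (caller vs. nft_rule_add_expr_list). */` would let extension writers and reviewers check the implementations against it. The enclosing `struct xtables_match` definition starts and ends outside the hunk.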
diff --git a/iptables/nft.c b/iptables/nft.c
index 341d092..70aa1f8 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -562,16 +562,23 @@  static void __add_match(struct nft_rule_expr *e, struct xt_entry_match *m)
 	nft_rule_expr_set(e, NFT_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m));
 }
 
-static void add_match(struct nft_rule *r, struct xt_entry_match *m)
+static void add_match(struct nft_rule *r, struct xtables_match *match)
 {
 	struct nft_rule_expr *expr;
+	struct nft_rule_expr_list *expr_list;
 
-	expr = nft_rule_expr_alloc("match");
-	if (expr == NULL)
-		return;
+	if (match->translate_to_nft == NULL) {
+		expr = nft_rule_expr_alloc("match");
+		if (expr == NULL)
+			return;
 
-	__add_match(expr, m);
-	nft_rule_add_expr(r, expr);
+		__add_match(expr, match->m);
+		nft_rule_add_expr(r, expr);
+	} else {
+		expr_list = match->translate_to_nft(match->m);
+		if (expr_list != NULL)
+			nft_rule_add_expr_list(r, expr_list);
+	}
 }
 
 static void __add_target(struct nft_rule_expr *e, struct xt_entry_target *t)
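Review bot: When `match->translate_to_nft` returns NULL, the `else` branch silently adds nothing, so the rule is still installed without that match and therefore matches a superset of the traffic the user specified; the pre-existing `expr == NULL` path has the same shape, but the new branch extends it to every extension-specific translation failure, which is a much more likely event than an allocation failure. Because `add_match` is `void`, `nft_rule_add` in the following hunk cannot tell that a match was dropped. I would change the signature to `static int add_match(struct nft_rule *r, struct xtables_match *match)`, return `-1` from both the `expr == NULL` and `expr_list == NULL` paths and `0` otherwise, and have the caller's loop abort the rule on a non-zero result so the kernel never sees a silently widened rule. As a minor style point, `expr_list` is only used in the `else` branch and could be declared there at first use rather than at the top of the function.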
@@ -702,7 +709,7 @@  nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
 	ip_flags = h->ops->add(r, cs);
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next)
-		add_match(r, matchp->match->m);
+		add_match(r, matchp->match);
 
 	/* Counters need to me added before the target, otherwise they are
 	 * increased for each rule because of the way nf_tables works.