@@ -271,6 +271,9 @@ struct xtables_match
void (*x6_fcheck)(struct xt_fcheck_call *);
const struct xt_option_entry *x6_options;
+ /* NFT related */
+ int (*to_nft)(struct nft_rule *r, struct xt_entry_match *);
+
/* Size of per-extension instance extra "global" scratch space */
size_t udata_size;
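Review bot: The new `to_nft` member is documented only as `/* NFT related */`, which tells an extension author neither when it is invoked nor what it must return, and this is a public hook in xtables.h. The nft.c side of this patch uses the callback's return value directly as add_match()'s result and the caller treats a negative value as failure, so the comment should state that contract, e.g. `/* Translate this match into nft expressions appended to @r; return 0 on success or a negative errno (add_match() propagates it). Optional: when NULL a generic "match" expression is used. */`. Whether the callback may leave partially appended expressions on the rule when it fails is not settled by this patch and should be stated one way or the other.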
@@ -573,17 +573,21 @@ static int __add_match(struct nft_rule_expr *e, struct xt_entry_match *m)
return 0;
}
-static int add_match(struct nft_rule *r, struct xt_entry_match *m)
+static int add_match(struct nft_rule *r, struct xtables_match *match)
{
- struct nft_rule_expr *expr;
int ret;
- expr = nft_rule_expr_alloc("match");
- if (expr == NULL)
- return -ENOMEM;
+ if (match->to_nft == NULL) {
+ struct nft_rule_expr *expr;
- ret = __add_match(expr, m);
- nft_rule_add_expr(r, expr);
+ expr = nft_rule_expr_alloc("match");
+ if (expr == NULL)
+ return -ENOMEM;
+
+ ret = __add_match(expr, match->m);
+ nft_rule_add_expr(r, expr);
+ } else
+ ret = match->to_nft(r, match->m);
return ret;
}
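Review bot: The `else` arm at the end of the new add_match() is unbraced while the `if` arm it pairs with is braced; kernel/iptables style braces both arms when either needs them, i.e. `} else {` / `ret = match->to_nft(r, match->m);` / `}`. In the legacy branch the expression is attached with nft_rule_add_expr() regardless of what __add_match() returned, so if __add_match() can fail (its body is outside this hunk) a half-populated expression is left on the rule before the error propagates; the to_nft branch has the same property for whatever the extension appended before failing. That is only safe if the caller's error path discards the whole rule, which is not visible here, so either add_match() should not attach the expression on failure or the callback contract should say the rule is dropped on error.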
@@ -712,7 +716,7 @@ nft_rule_new(struct nft_handle *h, const char *chain, const char *table,
ip_flags = h->ops->add(r, cs);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- if (add_match(r, matchp->match->m) < 0)
+ if (add_match(r, matchp->match) < 0)
goto err;
}
This brings support for xtables match extensions to be translated into a pure nft expression list in the given rule. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> --- include/xtables.h | 3 +++ iptables/nft.c | 20 ++++++++++++-------- 2 files changed, 15 insertions(+), 8 deletions(-)