@@ -22,7 +22,7 @@
#include "nft-bridge.h"
#include "nft.h"
-void ebt_cs_clean(struct ebtables_command_state *cs)
+void ebt_cs_clean(struct iptables_command_state *cs)
{
struct ebt_match *m, *nm;
@@ -131,7 +131,7 @@ static void add_logical_outiface(struct nftnl_rule *r, char *iface, uint32_t op)
/* TODO: Use generic add_action() once we convert this to use
* iptables_command_state.
*/
-static int _add_action(struct nftnl_rule *r, struct ebtables_command_state *cs)
+static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
{
int ret = 0;
@@ -159,9 +159,9 @@ static int _add_action(struct nftnl_rule *r, struct ebtables_command_state *cs)
static int nft_bridge_add(struct nftnl_rule *r, void *data)
{
- struct ebtables_command_state *cs = data;
+ struct iptables_command_state *cs = data;
struct ebt_match *iter;
- struct ebt_entry *fw = &cs->fw;
+ struct ebt_entry *fw = &cs->eb;
uint32_t op;
char *addr;
@@ -233,8 +233,8 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx,
struct nftnl_expr *e, void *data)
{
- struct ebtables_command_state *cs = data;
- struct ebt_entry *fw = &cs->fw;
+ struct iptables_command_state *cs = data;
+ struct ebt_entry *fw = &cs->eb;
uint8_t flags = 0;
int iface = 0;
const void *ifname;
@@ -287,8 +287,8 @@ out:
static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
struct nftnl_expr *e, void *data)
{
- struct ebtables_command_state *cs = data;
- struct ebt_entry *fw = &cs->fw;
+ struct iptables_command_state *cs = data;
+ struct ebt_entry *fw = &cs->eb;
unsigned char addr[ETH_ALEN];
unsigned short int ethproto;
bool inv;
@@ -334,7 +334,7 @@ static void nft_bridge_parse_payload(struct nft_xt_ctx *ctx,
static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
void *data)
{
- struct ebtables_command_state *cs = data;
+ struct iptables_command_state *cs = data;
cs->jumpto = jumpto;
}
@@ -362,14 +362,14 @@ static void parse_watcher(void *object, struct ebt_match **match_list,
static void nft_bridge_parse_match(struct xtables_match *m, void *data)
{
- struct ebtables_command_state *cs = data;
+ struct iptables_command_state *cs = data;
parse_watcher(m, &cs->match_list, true);
}
static void nft_bridge_parse_target(struct xtables_target *t, void *data)
{
- struct ebtables_command_state *cs = data;
+ struct iptables_command_state *cs = data;
/* harcoded names :-( */
if (strcmp(t->name, "log") == 0 ||
@@ -381,55 +381,11 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
cs->target = t;
}
-void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
- struct ebtables_command_state *cs)
+static void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
+ struct iptables_command_state *cs)
{
- struct nftnl_expr_iter *iter;
- struct nftnl_expr *expr;
- int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY);
- struct nft_xt_ctx ctx = {
- .state.cs_eb = cs,
- .family = family,
- };
-
- iter = nftnl_expr_iter_create(r);
- if (iter == NULL)
- return;
-
- expr = nftnl_expr_iter_next(iter);
- while (expr != NULL) {
- const char *name =
- nftnl_expr_get_str(expr, NFTNL_EXPR_NAME);
-
- if (strcmp(name, "counter") == 0)
- nft_parse_counter(expr, &cs->counters);
- else if (strcmp(name, "payload") == 0)
- nft_parse_payload(&ctx, expr);
- else if (strcmp(name, "meta") == 0)
- nft_parse_meta(&ctx, expr);
- else if (strcmp(name, "bitwise") == 0)
- nft_parse_bitwise(&ctx, expr);
- else if (strcmp(name, "cmp") == 0)
- nft_parse_cmp(&ctx, expr);
- else if (strcmp(name, "immediate") == 0)
- nft_parse_immediate(&ctx, expr);
- else if (strcmp(name, "match") == 0)
- nft_parse_match(&ctx, expr);
- else if (strcmp(name, "target") == 0)
- nft_parse_target(&ctx, expr);
-
- expr = nftnl_expr_iter_next(iter);
- }
-
- nftnl_expr_iter_destroy(iter);
-
- if (cs->jumpto != NULL)
- return;
-
- if (cs->target != NULL && cs->target->name != NULL)
- cs->target = xtables_find_target(cs->target->name, XTF_TRY_LOAD);
- else
- cs->jumpto = "CONTINUE";
+ cs->eb.bitmask = EBT_NOPROTO;
+ nft_rule_to_iptables_command_state(r, cs);
}
static void print_iface(const char *iface)
@@ -463,7 +419,7 @@ static void nft_bridge_print_firewall(struct nftnl_rule *r, unsigned int num,
struct xtables_match *matchp;
struct xtables_target *watcherp;
struct ebt_match *m;
- struct ebtables_command_state cs = {};
+ struct iptables_command_state cs = {};
char *addr;
nft_rule_to_ebtables_command_state(r, &cs);
@@ -473,67 +429,67 @@ static void nft_bridge_print_firewall(struct nftnl_rule *r, unsigned int num,
/* Dont print anything about the protocol if no protocol was
* specified, obviously this means any protocol will do. */
- if (cs.fw.ethproto != 0) {
+ if (cs.eb.ethproto != 0) {
printf("-p ");
- if (cs.fw.invflags & EBT_IPROTO)
+ if (cs.eb.invflags & EBT_IPROTO)
printf("! ");
- if (cs.fw.bitmask & EBT_802_3)
+ if (cs.eb.bitmask & EBT_802_3)
printf("Length ");
else {
struct ethertypeent *ent;
- ent = getethertypebynumber(ntohs(cs.fw.ethproto));
+ ent = getethertypebynumber(ntohs(cs.eb.ethproto));
if (!ent)
- printf("0x%x ", ntohs(cs.fw.ethproto));
+ printf("0x%x ", ntohs(cs.eb.ethproto));
else
printf("%s ", ent->e_name);
}
}
- addr = ether_ntoa((struct ether_addr *) cs.fw.sourcemac);
+ addr = ether_ntoa((struct ether_addr *) cs.eb.sourcemac);
if (strcmp(addr, "0:0:0:0:0:0") != 0) {
printf("-s ");
- if (cs.fw.invflags & EBT_ISOURCE)
+ if (cs.eb.invflags & EBT_ISOURCE)
printf("! ");
- ebt_print_mac_and_mask(cs.fw.sourcemac, cs.fw.sourcemsk);
+ ebt_print_mac_and_mask(cs.eb.sourcemac, cs.eb.sourcemsk);
printf(" ");
}
- addr = ether_ntoa((struct ether_addr *) cs.fw.destmac);
+ addr = ether_ntoa((struct ether_addr *) cs.eb.destmac);
if (strcmp(addr, "0:0:0:0:0:0") != 0) {
printf("-d ");
- if (cs.fw.invflags & EBT_IDEST)
+ if (cs.eb.invflags & EBT_IDEST)
printf("! ");
- ebt_print_mac_and_mask(cs.fw.destmac, cs.fw.destmsk);
+ ebt_print_mac_and_mask(cs.eb.destmac, cs.eb.destmsk);
printf(" ");
}
- if (cs.fw.in[0] != '\0') {
+ if (cs.eb.in[0] != '\0') {
printf("-i ");
- if (cs.fw.invflags & EBT_IIN)
+ if (cs.eb.invflags & EBT_IIN)
printf("! ");
- print_iface(cs.fw.in);
+ print_iface(cs.eb.in);
}
- if (cs.fw.logical_in[0] != '\0') {
+ if (cs.eb.logical_in[0] != '\0') {
printf("--logical-in ");
- if (cs.fw.invflags & EBT_ILOGICALIN)
+ if (cs.eb.invflags & EBT_ILOGICALIN)
printf("! ");
- print_iface(cs.fw.logical_in);
+ print_iface(cs.eb.logical_in);
}
- if (cs.fw.logical_out[0] != '\0') {
+ if (cs.eb.logical_out[0] != '\0') {
printf("--logical-out ");
- if (cs.fw.invflags & EBT_ILOGICALOUT)
+ if (cs.eb.invflags & EBT_ILOGICALOUT)
printf("! ");
- print_iface(cs.fw.logical_out);
+ print_iface(cs.eb.logical_out);
}
- if (cs.fw.out[0] != '\0') {
+ if (cs.eb.out[0] != '\0') {
printf("-o ");
- if (cs.fw.invflags & EBT_IOUT)
+ if (cs.eb.invflags & EBT_IOUT)
printf("! ");
- print_iface(cs.fw.out);
+ print_iface(cs.eb.out);
}
for (m = cs.match_list; m; m = m->next) {
@@ -554,8 +510,12 @@ static void nft_bridge_print_firewall(struct nftnl_rule *r, unsigned int num,
printf("-j ");
- if (cs.jumpto != NULL)
- printf("%s", cs.jumpto);
+ if (cs.jumpto != NULL) {
+ if (strcmp(cs.jumpto, "") != 0)
+ printf("%s", cs.jumpto);
+ else
+ printf("CONTINUE");
+ }
else if (cs.target != NULL && cs.target->print != NULL)
cs.target->print(&cs.fw, cs.target->t, format & FMT_NUMERIC);
@@ -623,8 +583,8 @@ static bool nft_bridge_is_same(const void *data_a, const void *data_b)
static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
void *data)
{
- struct ebtables_command_state *cs = data;
- struct ebtables_command_state this = {};
+ struct iptables_command_state *cs = data;
+ struct iptables_command_state this = {};
nft_rule_to_ebtables_command_state(r, &this);
@@ -651,7 +611,7 @@ static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule *
return true;
}
-static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xlate *xl)
+static int xlate_ebmatches(const struct iptables_command_state *cs, struct xt_xlate *xl)
{
int ret = 1, numeric = cs->options & OPT_NUMERIC;
struct ebt_match *m;
@@ -660,7 +620,7 @@ static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xl
if (m->ismatch) {
struct xtables_match *matchp = m->u.match;
struct xt_xlate_mt_params mt_params = {
- .ip = (const void *)&cs->fw,
+ .ip = (const void *)&cs->eb,
.numeric = numeric,
.escape_quotes = false,
.match = matchp->m,
@@ -673,7 +633,7 @@ static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xl
} else {
struct xtables_target *watcherp = m->u.watcher;
struct xt_xlate_tg_params wt_params = {
- .ip = (const void *)&cs->fw,
+ .ip = (const void *)&cs->eb,
.numeric = numeric,
.escape_quotes = false,
.target = watcherp->t,
@@ -692,7 +652,7 @@ static int xlate_ebmatches(const struct ebtables_command_state *cs, struct xt_xl
return ret;
}
-static int xlate_ebaction(const struct ebtables_command_state *cs, struct xt_xlate *xl)
+static int xlate_ebaction(const struct iptables_command_state *cs, struct xt_xlate *xl)
{
int ret = 1, numeric = cs->options & OPT_NUMERIC;
@@ -708,7 +668,7 @@ static int xlate_ebaction(const struct ebtables_command_state *cs, struct xt_xla
else if (cs->target->xlate) {
xt_xlate_add(xl, " ");
struct xt_xlate_tg_params params = {
- .ip = (const void *)&cs->fw,
+ .ip = (const void *)&cs->eb,
.target = cs->target->t,
.numeric = numeric,
};
@@ -726,51 +686,51 @@ static int xlate_ebaction(const struct ebtables_command_state *cs, struct xt_xla
static int nft_bridge_xlate(const void *data, struct xt_xlate *xl)
{
- const struct ebtables_command_state *cs = data;
+ const struct iptables_command_state *cs = data;
char one_msk[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
char zero_msk[ETH_ALEN] = {};
const char *addr;
int ret;
- xlate_ifname(xl, "iifname", cs->fw.in,
- cs->fw.invflags & EBT_IIN);
- xlate_ifname(xl, "oifname", cs->fw.out,
- cs->fw.invflags & EBT_IOUT);
+ xlate_ifname(xl, "iifname", cs->eb.in,
+ cs->eb.invflags & EBT_IIN);
+ xlate_ifname(xl, "oifname", cs->eb.out,
+ cs->eb.invflags & EBT_IOUT);
- xlate_ifname(xl, "meta ibridgename", cs->fw.logical_in,
- cs->fw.invflags & EBT_ILOGICALIN);
- xlate_ifname(xl, "meta obridgename", cs->fw.logical_out,
- cs->fw.invflags & EBT_ILOGICALOUT);
+ xlate_ifname(xl, "meta ibridgename", cs->eb.logical_in,
+ cs->eb.invflags & EBT_ILOGICALIN);
+ xlate_ifname(xl, "meta obridgename", cs->eb.logical_out,
+ cs->eb.invflags & EBT_ILOGICALOUT);
- if (cs->fw.ethproto != 0) {
+ if (cs->eb.ethproto != 0) {
xt_xlate_add(xl, "ether type %s 0x%x ",
- cs->fw.invflags & EBT_IPROTO ? "!= " : "",
- ntohs(cs->fw.ethproto));
+ cs->eb.invflags & EBT_IPROTO ? "!= " : "",
+ ntohs(cs->eb.ethproto));
}
- if (cs->fw.bitmask & EBT_802_3)
+ if (cs->eb.bitmask & EBT_802_3)
return 0;
- if (memcmp(cs->fw.sourcemac, zero_msk, sizeof(cs->fw.sourcemac))) {
- addr = ether_ntoa((struct ether_addr *) cs->fw.sourcemac);
+ if (memcmp(cs->eb.sourcemac, zero_msk, sizeof(cs->eb.sourcemac))) {
+ addr = ether_ntoa((struct ether_addr *) cs->eb.sourcemac);
xt_xlate_add(xl, "ether saddr %s%s ",
- cs->fw.invflags & EBT_ISOURCE ? "!= " : "", addr);
+ cs->eb.invflags & EBT_ISOURCE ? "!= " : "", addr);
- if (memcmp(cs->fw.sourcemsk, one_msk, sizeof(cs->fw.sourcemsk))) {
- addr = ether_ntoa((struct ether_addr *) cs->fw.sourcemsk);
+ if (memcmp(cs->eb.sourcemsk, one_msk, sizeof(cs->eb.sourcemsk))) {
+ addr = ether_ntoa((struct ether_addr *) cs->eb.sourcemsk);
xt_xlate_add(xl, "and %s ", addr);
}
}
- if (memcmp(cs->fw.destmac, zero_msk, sizeof(cs->fw.destmac))) {
- addr = ether_ntoa((struct ether_addr *) cs->fw.destmac);
+ if (memcmp(cs->eb.destmac, zero_msk, sizeof(cs->eb.destmac))) {
+ addr = ether_ntoa((struct ether_addr *) cs->eb.destmac);
xt_xlate_add(xl, "ether daddr %s %s ",
- cs->fw.invflags & EBT_ISOURCE ? "!= " : "", addr);
+ cs->eb.invflags & EBT_ISOURCE ? "!= " : "", addr);
- if (memcmp(cs->fw.destmsk, one_msk, sizeof(cs->fw.destmsk))) {
- addr = ether_ntoa((struct ether_addr *) cs->fw.destmsk);
+ if (memcmp(cs->eb.destmsk, one_msk, sizeof(cs->eb.destmsk))) {
+ addr = ether_ntoa((struct ether_addr *) cs->eb.destmsk);
xt_xlate_add(xl, "and %s ", addr);
}
}
@@ -70,57 +70,7 @@ int ebt_get_mac_and_mask(const char *from, unsigned char *to, unsigned char *mas
*/
#define EBT_VERDICT_BITS 0x0000000F
-/* Fake ebt_entry */
-struct ebt_entry {
- /* this needs to be the first field */
- unsigned int bitmask;
- unsigned int invflags;
- uint16_t ethproto;
- /* the physical in-dev */
- char in[IFNAMSIZ];
- /* the logical in-dev */
- char logical_in[IFNAMSIZ];
- /* the physical out-dev */
- char out[IFNAMSIZ];
- /* the logical out-dev */
- char logical_out[IFNAMSIZ];
- unsigned char sourcemac[ETH_ALEN];
- unsigned char sourcemsk[ETH_ALEN];
- unsigned char destmac[ETH_ALEN];
- unsigned char destmsk[ETH_ALEN];
-
- unsigned char in_mask[IFNAMSIZ];
- unsigned char out_mask[IFNAMSIZ];
-};
-
-/* trick for ebtables-compat, since watchers are targets */
-struct ebt_match {
- struct ebt_match *next;
- union {
- struct xtables_match *match;
- struct xtables_target *watcher;
- } u;
- bool ismatch;
-};
-
-struct ebtables_command_state {
- struct ebt_entry fw;
- struct xtables_target *target;
- struct xtables_rule_match *matches;
- struct ebt_match *match_list;
- const char *jumpto;
- struct xt_counters counters;
- int invert;
- int c;
- char **argv;
- int proto_used;
- char *protocol;
- unsigned int options;
-};
-
struct nftnl_rule;
-void nft_rule_to_ebtables_command_state(struct nftnl_rule *r,
- struct ebtables_command_state *cs);
static const char *ebt_standard_targets[NUM_STANDARD_TARGETS] = {
"ACCEPT",
@@ -167,11 +117,11 @@ static inline const char *ebt_target_name(unsigned int verdict)
*flags |= mask; \
}) \
-void ebt_cs_clean(struct ebtables_command_state *cs);
+void ebt_cs_clean(struct iptables_command_state *cs);
void ebt_load_match_extensions(void);
void ebt_add_match(struct xtables_match *m,
- struct ebtables_command_state *cs);
+ struct iptables_command_state *cs);
void ebt_add_watcher(struct xtables_target *watcher,
- struct ebtables_command_state *cs);
+ struct iptables_command_state *cs);
#endif
@@ -294,11 +294,10 @@ static void *nft_get_data(struct nft_xt_ctx *ctx)
switch(ctx->family) {
case NFPROTO_IPV4:
case NFPROTO_IPV6:
+ case NFPROTO_BRIDGE:
return ctx->state.cs;
case NFPROTO_ARP:
return ctx->state.cs_arp;
- case NFPROTO_BRIDGE:
- return ctx->state.cs_eb;
default:
/* Should not happen */
return NULL;
@@ -351,10 +350,8 @@ void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
switch (ctx->family) {
case NFPROTO_IPV4:
case NFPROTO_IPV6:
- matches = &ctx->state.cs->matches;
- break;
case NFPROTO_BRIDGE:
- matches = &ctx->state.cs_eb->matches;
+ matches = &ctx->state.cs->matches;
break;
default:
fprintf(stderr, "BUG: nft_parse_match() unknown family %d\n",
@@ -49,7 +49,6 @@ struct nft_xt_ctx {
union {
struct iptables_command_state *cs;
struct arptables_command_state *cs_arp;
- struct ebtables_command_state *cs_eb;
} state;
struct nftnl_expr_iter *iter;
int family;
@@ -48,8 +48,42 @@ struct xtables_afinfo {
int so_rev_target;
};
+/* trick for ebtables-compat, since watchers are targets */
+struct ebt_match {
+ struct ebt_match *next;
+ union {
+ struct xtables_match *match;
+ struct xtables_target *watcher;
+ } u;
+ bool ismatch;
+};
+
+/* Fake ebt_entry */
+struct ebt_entry {
+ /* this needs to be the first field */
+ unsigned int bitmask;
+ unsigned int invflags;
+ uint16_t ethproto;
+ /* the physical in-dev */
+ char in[IFNAMSIZ];
+ /* the logical in-dev */
+ char logical_in[IFNAMSIZ];
+ /* the physical out-dev */
+ char out[IFNAMSIZ];
+ /* the logical out-dev */
+ char logical_out[IFNAMSIZ];
+ unsigned char sourcemac[6];
+ unsigned char sourcemsk[6];
+ unsigned char destmac[6];
+ unsigned char destmsk[6];
+
+ unsigned char in_mask[IFNAMSIZ];
+ unsigned char out_mask[IFNAMSIZ];
+};
+
struct iptables_command_state {
union {
+ struct ebt_entry eb;
struct ipt_entry fw;
struct ip6t_entry fw6;
};
@@ -57,6 +91,7 @@ struct iptables_command_state {
int c;
unsigned int options;
struct xtables_rule_match *matches;
+ struct ebt_match *match_list;
struct xtables_target *target;
struct xt_counters counters;
char *protocol;
@@ -165,7 +165,7 @@ static struct option *merge_options(struct option *oldopts,
/*
* More glue code.
*/
-static struct xtables_target *command_jump(struct ebtables_command_state *cs,
+static struct xtables_target *command_jump(struct iptables_command_state *cs,
const char *jumpto)
{
struct xtables_target *target;
@@ -234,7 +234,7 @@ static int parse_rule_range(const char *argv, int *rule_nr, int *rule_nr_end)
/* Incrementing or decrementing rules in daemon mode is not supported as the
* involved code overload is not worth it (too annoying to take the increased
* counters in the kernel into account). */
-static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct ebtables_command_state *cs)
+static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct iptables_command_state *cs)
{
char *buffer;
int ret = 0;
@@ -321,7 +321,7 @@ static void print_ebt_cmd(int argc, char *argv[])
}
static int nft_rule_eb_xlate_add(struct nft_handle *h, const struct nft_xt_cmd_parse *p,
- const struct ebtables_command_state *cs, bool append)
+ const struct iptables_command_state *cs, bool append)
{
struct xt_xlate *xl = xt_xlate_alloc(10240);
int ret;
@@ -352,7 +352,7 @@ static int do_commandeb_xlate(struct nft_handle *h, int argc, char *argv[], char
unsigned int flags = 0;
struct xtables_target *t, *w;
struct xtables_match *m;
- struct ebtables_command_state cs;
+ struct iptables_command_state cs;
char command = 'h';
const char *chain = NULL;
int exec_style = EXEC_STYLE_PRG;
@@ -537,14 +537,14 @@ print_zero:
xtables_error(PARAMETER_PROBLEM,
"Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IIN;
+ cs.eb.invflags |= EBT_IIN;
if (strlen(optarg) >= IFNAMSIZ)
big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Interface name length cannot exceed %d characters",
IFNAMSIZ - 1);
- xtables_parse_interface(optarg, cs.fw.in, cs.fw.in_mask);
+ xtables_parse_interface(optarg, cs.eb.in, cs.eb.in_mask);
break;
} else if (c == 2) {
ebt_check_option2(&flags, OPT_LOGICALIN);
@@ -552,12 +552,12 @@ big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Use --logical-in only in INPUT, FORWARD, PREROUTING and BROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_ILOGICALIN;
+ cs.eb.invflags |= EBT_ILOGICALIN;
if (strlen(optarg) >= IFNAMSIZ)
goto big_iface_length;
- strcpy(cs.fw.logical_in, optarg);
- if (parse_iface(cs.fw.logical_in, "--logical-in"))
+ strcpy(cs.eb.logical_in, optarg);
+ if (parse_iface(cs.eb.logical_in, "--logical-in"))
return -1;
break;
} else if (c == 'o') {
@@ -566,12 +566,12 @@ big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Use -o only in OUTPUT, FORWARD and POSTROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IOUT;
+ cs.eb.invflags |= EBT_IOUT;
if (strlen(optarg) >= IFNAMSIZ)
goto big_iface_length;
- xtables_parse_interface(optarg, cs.fw.out, cs.fw.out_mask);
+ xtables_parse_interface(optarg, cs.eb.out, cs.eb.out_mask);
break;
} else if (c == 3) {
ebt_check_option2(&flags, OPT_LOGICALOUT);
@@ -579,12 +579,12 @@ big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Use --logical-out only in OUTPUT, FORWARD and POSTROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_ILOGICALOUT;
+ cs.eb.invflags |= EBT_ILOGICALOUT;
if (strlen(optarg) >= IFNAMSIZ)
goto big_iface_length;
- strcpy(cs.fw.logical_out, optarg);
- if (parse_iface(cs.fw.logical_out, "--logical-out"))
+ strcpy(cs.eb.logical_out, optarg);
+ if (parse_iface(cs.eb.logical_out, "--logical-out"))
return -1;
break;
} else if (c == 'j') {
@@ -595,20 +595,20 @@ big_iface_length:
} else if (c == 's') {
ebt_check_option2(&flags, OPT_SOURCE);
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_ISOURCE;
+ cs.eb.invflags |= EBT_ISOURCE;
- if (ebt_get_mac_and_mask(optarg, cs.fw.sourcemac, cs.fw.sourcemsk))
+ if (ebt_get_mac_and_mask(optarg, cs.eb.sourcemac, cs.eb.sourcemsk))
xtables_error(PARAMETER_PROBLEM, "Problem with specified source mac '%s'", optarg);
- cs.fw.bitmask |= EBT_SOURCEMAC;
+ cs.eb.bitmask |= EBT_SOURCEMAC;
break;
} else if (c == 'd') {
ebt_check_option2(&flags, OPT_DEST);
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IDEST;
+ cs.eb.invflags |= EBT_IDEST;
- if (ebt_get_mac_and_mask(optarg, cs.fw.destmac, cs.fw.destmsk))
+ if (ebt_get_mac_and_mask(optarg, cs.eb.destmac, cs.eb.destmsk))
xtables_error(PARAMETER_PROBLEM, "Problem with specified destination mac '%s'", optarg);
- cs.fw.bitmask |= EBT_DESTMAC;
+ cs.eb.bitmask |= EBT_DESTMAC;
break;
} else if (c == 'c') {
ebt_check_option2(&flags, OPT_COUNT);
@@ -634,9 +634,9 @@ big_iface_length:
}
ebt_check_option2(&flags, OPT_PROTOCOL);
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IPROTO;
+ cs.eb.invflags |= EBT_IPROTO;
- cs.fw.bitmask &= ~((unsigned int)EBT_NOPROTO);
+ cs.eb.bitmask &= ~((unsigned int)EBT_NOPROTO);
i = strtol(optarg, &buffer, 16);
if (*buffer == '\0' && (i < 0 || i > 0xFFFF))
xtables_error(PARAMETER_PROBLEM,
@@ -645,18 +645,18 @@ big_iface_length:
struct ethertypeent *ent;
if (!strcasecmp(optarg, "LENGTH")) {
- cs.fw.bitmask |= EBT_802_3;
+ cs.eb.bitmask |= EBT_802_3;
break;
}
ent = getethertypebyname(optarg);
if (!ent)
xtables_error(PARAMETER_PROBLEM,
"Problem with the specified Ethernet protocol '%s', perhaps "_PATH_ETHERTYPES " is missing", optarg);
- cs.fw.ethproto = ent->e_ethertype;
+ cs.eb.ethproto = ent->e_ethertype;
} else
- cs.fw.ethproto = i;
+ cs.eb.ethproto = i;
- if (cs.fw.ethproto < 0x0600)
+ if (cs.eb.ethproto < 0x0600)
xtables_error(PARAMETER_PROBLEM,
"Sorry, protocols have values above or equal to 0x0600");
break;
@@ -757,7 +757,7 @@ check_extension:
xtables_option_tfcall(cs.target);
}
- cs.fw.ethproto = htons(cs.fw.ethproto);
+ cs.eb.ethproto = htons(cs.eb.ethproto);
if (command == 'P') {
return 0;
@@ -168,7 +168,7 @@ static int
append_entry(struct nft_handle *h,
const char *chain,
const char *table,
- struct ebtables_command_state *cs,
+ struct iptables_command_state *cs,
int rule_nr,
bool verbose, bool append)
{
@@ -186,7 +186,7 @@ static int
delete_entry(struct nft_handle *h,
const char *chain,
const char *table,
- struct ebtables_command_state *cs,
+ struct iptables_command_state *cs,
int rule_nr,
int rule_nr_end,
bool verbose)
@@ -380,7 +380,7 @@ static struct option *merge_options(struct option *oldopts,
/*
* More glue code.
*/
-static struct xtables_target *command_jump(struct ebtables_command_state *cs,
+static struct xtables_target *command_jump(struct iptables_command_state *cs,
const char *jumpto)
{
struct xtables_target *target;
@@ -524,7 +524,7 @@ static int parse_rule_range(const char *argv, int *rule_nr, int *rule_nr_end)
/* Incrementing or decrementing rules in daemon mode is not supported as the
* involved code overload is not worth it (too annoying to take the increased
* counters in the kernel into account). */
-static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct ebtables_command_state *cs)
+static int parse_change_counters_rule(int argc, char **argv, int *rule_nr, int *rule_nr_end, int exec_style, struct iptables_command_state *cs)
{
char *buffer;
int ret = 0;
@@ -679,7 +679,7 @@ void ebt_load_match_extensions(void)
}
void ebt_add_match(struct xtables_match *m,
- struct ebtables_command_state *cs)
+ struct iptables_command_state *cs)
{
struct xtables_rule_match *i, **rule_matches = &cs->matches;
struct xtables_match *newm;
@@ -715,7 +715,7 @@ void ebt_add_match(struct xtables_match *m,
}
void ebt_add_watcher(struct xtables_target *watcher,
- struct ebtables_command_state *cs)
+ struct iptables_command_state *cs)
{
struct ebt_match *i, *newnode;
@@ -753,7 +753,7 @@ int do_commandeb(struct nft_handle *h, int argc, char *argv[], char **table)
unsigned int flags = 0;
struct xtables_target *t, *w;
struct xtables_match *m;
- struct ebtables_command_state cs;
+ struct iptables_command_state cs;
char command = 'h';
const char *chain = NULL;
const char *policy = NULL;
@@ -1006,14 +1006,14 @@ print_zero:
xtables_error(PARAMETER_PROBLEM,
"Use -i only in INPUT, FORWARD, PREROUTING and BROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IIN;
+ cs.eb.invflags |= EBT_IIN;
if (strlen(optarg) >= IFNAMSIZ)
big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Interface name length cannot exceed %d characters",
IFNAMSIZ - 1);
- xtables_parse_interface(optarg, cs.fw.in, cs.fw.in_mask);
+ xtables_parse_interface(optarg, cs.eb.in, cs.eb.in_mask);
break;
} else if (c == 2) {
ebt_check_option2(&flags, OPT_LOGICALIN);
@@ -1021,12 +1021,12 @@ big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Use --logical-in only in INPUT, FORWARD, PREROUTING and BROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_ILOGICALIN;
+ cs.eb.invflags |= EBT_ILOGICALIN;
if (strlen(optarg) >= IFNAMSIZ)
goto big_iface_length;
- strcpy(cs.fw.logical_in, optarg);
- if (parse_iface(cs.fw.logical_in, "--logical-in"))
+ strcpy(cs.eb.logical_in, optarg);
+ if (parse_iface(cs.eb.logical_in, "--logical-in"))
return -1;
break;
} else if (c == 'o') {
@@ -1035,12 +1035,12 @@ big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Use -o only in OUTPUT, FORWARD and POSTROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IOUT;
+ cs.eb.invflags |= EBT_IOUT;
if (strlen(optarg) >= IFNAMSIZ)
goto big_iface_length;
- xtables_parse_interface(optarg, cs.fw.out, cs.fw.out_mask);
+ xtables_parse_interface(optarg, cs.eb.out, cs.eb.out_mask);
break;
} else if (c == 3) {
ebt_check_option2(&flags, OPT_LOGICALOUT);
@@ -1048,12 +1048,12 @@ big_iface_length:
xtables_error(PARAMETER_PROBLEM,
"Use --logical-out only in OUTPUT, FORWARD and POSTROUTING chains");
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_ILOGICALOUT;
+ cs.eb.invflags |= EBT_ILOGICALOUT;
if (strlen(optarg) >= IFNAMSIZ)
goto big_iface_length;
- strcpy(cs.fw.logical_out, optarg);
- if (parse_iface(cs.fw.logical_out, "--logical-out"))
+ strcpy(cs.eb.logical_out, optarg);
+ if (parse_iface(cs.eb.logical_out, "--logical-out"))
return -1;
break;
} else if (c == 'j') {
@@ -1064,20 +1064,20 @@ big_iface_length:
} else if (c == 's') {
ebt_check_option2(&flags, OPT_SOURCE);
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_ISOURCE;
+ cs.eb.invflags |= EBT_ISOURCE;
- if (ebt_get_mac_and_mask(optarg, cs.fw.sourcemac, cs.fw.sourcemsk))
+ if (ebt_get_mac_and_mask(optarg, cs.eb.sourcemac, cs.eb.sourcemsk))
xtables_error(PARAMETER_PROBLEM, "Problem with specified source mac '%s'", optarg);
- cs.fw.bitmask |= EBT_SOURCEMAC;
+ cs.eb.bitmask |= EBT_SOURCEMAC;
break;
} else if (c == 'd') {
ebt_check_option2(&flags, OPT_DEST);
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IDEST;
+ cs.eb.invflags |= EBT_IDEST;
- if (ebt_get_mac_and_mask(optarg, cs.fw.destmac, cs.fw.destmsk))
+ if (ebt_get_mac_and_mask(optarg, cs.eb.destmac, cs.eb.destmsk))
xtables_error(PARAMETER_PROBLEM, "Problem with specified destination mac '%s'", optarg);
- cs.fw.bitmask |= EBT_DESTMAC;
+ cs.eb.bitmask |= EBT_DESTMAC;
break;
} else if (c == 'c') {
ebt_check_option2(&flags, OPT_COUNT);
@@ -1103,9 +1103,9 @@ big_iface_length:
}
ebt_check_option2(&flags, OPT_PROTOCOL);
if (ebt_check_inverse2(optarg, argc, argv))
- cs.fw.invflags |= EBT_IPROTO;
+ cs.eb.invflags |= EBT_IPROTO;
- cs.fw.bitmask &= ~((unsigned int)EBT_NOPROTO);
+ cs.eb.bitmask &= ~((unsigned int)EBT_NOPROTO);
i = strtol(optarg, &buffer, 16);
if (*buffer == '\0' && (i < 0 || i > 0xFFFF))
xtables_error(PARAMETER_PROBLEM,
@@ -1114,18 +1114,18 @@ big_iface_length:
struct ethertypeent *ent;
if (!strcasecmp(optarg, "LENGTH")) {
- cs.fw.bitmask |= EBT_802_3;
+ cs.eb.bitmask |= EBT_802_3;
break;
}
ent = getethertypebyname(optarg);
if (!ent)
xtables_error(PARAMETER_PROBLEM,
"Problem with the specified Ethernet protocol '%s', perhaps "_PATH_ETHERTYPES " is missing", optarg);
- cs.fw.ethproto = ent->e_ethertype;
+ cs.eb.ethproto = ent->e_ethertype;
} else
- cs.fw.ethproto = i;
+ cs.eb.ethproto = i;
- if (cs.fw.ethproto < 0x0600)
+ if (cs.eb.ethproto < 0x0600)
xtables_error(PARAMETER_PROBLEM,
"Sorry, protocols have values above or equal to 0x0600");
break;
@@ -1331,7 +1331,7 @@ check_extension:
}
/* So, the extensions can work with the host endian.
* The kernel does not have to do this of course */
- cs.fw.ethproto = htons(cs.fw.ethproto);
+ cs.eb.ethproto = htons(cs.eb.ethproto);
if (command == 'P') {
if (selected_chain < 0) {
Use iptables_command_state instead. This allows to re-use code from the ip(6)tables layer and reduces cop&pasted code. Signed-off-by: Florian Westphal <fw@strlen.de> --- iptables/nft-bridge.c | 190 ++++++++++++++++------------------------ iptables/nft-bridge.h | 56 +----------- iptables/nft-shared.c | 7 +- iptables/nft-shared.h | 1 - iptables/xshared.h | 35 ++++++++ iptables/xtables-eb-translate.c | 54 ++++++------ iptables/xtables-eb.c | 60 ++++++------- 7 files changed, 172 insertions(+), 231 deletions(-)