@@ -261,6 +261,9 @@ struct xtables_match
void (*x6_fcheck)(struct xt_fcheck_call *);
const struct xt_option_entry *x6_options;
+ /* NFT related */
+ struct nft_rule_expr_list *(*translate_to_nft)(struct xt_entry_match *);
+
/* Size of per-extension instance extra "global" scratch space */
size_t udata_size;
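Review bot: Inserting `translate_to_nft` between `x6_options` and `udata_size` shifts the offset of every later member of `struct xtables_match`, so an extension object built against the previous header would have `udata_size` and the fields after it read from the wrong place. The diffstat lists only this header and iptables/nft.c, so nothing visible here changes the library version that extensions are presumably checked against when they register; that change looks like it should accompany the layout change. The `/* NFT related */` comment also leaves the callback's contract unstated. Something like `/* Optional: build native nft expressions for this match; a NULL return means no translation was produced */` would help, plus a line saying who releases the returned list. The struct starts and ends outside the hunk.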
@@ -562,16 +562,23 @@ static void __add_match(struct nft_rule_expr *e, struct xt_entry_match *m)
nft_rule_expr_set(e, NFT_EXPR_MT_INFO, info, m->u.match_size - sizeof(*m));
}
-static void add_match(struct nft_rule *r, struct xt_entry_match *m)
+static void add_match(struct nft_rule *r, struct xtables_match *match)
{
struct nft_rule_expr *expr;
+ struct nft_rule_expr_list *expr_list;
- expr = nft_rule_expr_alloc("match");
- if (expr == NULL)
- return;
+ if (match->translate_to_nft == NULL) {
+ expr = nft_rule_expr_alloc("match");
+ if (expr == NULL)
+ return;
- __add_match(expr, m);
- nft_rule_add_expr(r, expr);
+ __add_match(expr, match->m);
+ nft_rule_add_expr(r, expr);
+ } else {
+ expr_list = match->translate_to_nft(match->m);
+ if (expr_list != NULL)
+ nft_rule_add_expr_list(r, expr_list);
+ }
}
static void __add_target(struct nft_rule_expr *e, struct xt_entry_target *t)
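Review bot: When `translate_to_nft` is set but returns NULL, the `else` branch of `add_match()` skips the match and returns normally, so the rule is built without that condition and can match more traffic than was requested. The `expr == NULL` return in the first branch has the same effect, and because `add_match()` is `void`, the loop in `nft_rule_add()` (third hunk) cannot tell that a match was dropped. Returning a status and having the caller abandon the rule when it is negative would make both paths fail closed; the caller's error path is outside the visible lines, so the cleanup there needs checking. Ownership of `expr_list` after `nft_rule_add_expr_list()` is not visible here either and should be stated in a comment.

```c
static int add_match(struct nft_rule *r, struct xtables_match *match)
{
	struct nft_rule_expr *expr;
	struct nft_rule_expr_list *expr_list;

	if (match->translate_to_nft == NULL) {
		expr = nft_rule_expr_alloc("match");
		if (expr == NULL)
			return -1;
		/* … unchanged: __add_match() and nft_rule_add_expr() … */
		return 0;
	}

	/* A missing translation must not yield a rule without this match. */
	expr_list = match->translate_to_nft(match->m);
	if (expr_list == NULL)
		return -1;

	nft_rule_add_expr_list(r, expr_list);
	return 0;
}
```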
@@ -702,7 +709,7 @@ nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
ip_flags = h->ops->add(r, cs);
for (matchp = cs->matches; matchp; matchp = matchp->next)
- add_match(r, matchp->match->m);
+ add_match(r, matchp->match);
/* Counters need to me added before the target, otherwise they are
* increased for each rule because of the way nf_tables works.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
---
include/xtables.h.in | 3 +++
iptables/nft.c | 21 ++++++++++++++-------
2 files changed, 17 insertions(+), 7 deletions(-)