xtables: nft: add protocol and flags for xtables over nf_tables
Add protocol and flags for the compatibility layer.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 5385bf3..5f40dc0 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -97,10 +97,24 @@
NFTA_RULE_HANDLE,
NFTA_RULE_EXPRESSIONS,
NFTA_RULE_FLAGS,
+ NFTA_RULE_COMPAT,
__NFTA_RULE_MAX
};
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
+enum nft_rule_compat_flags {
+ NFT_RULE_COMPAT_F_INV = (1 << 1),
+ NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV,
+};
+
+enum nft_rule_compat_attributes {
+ NFTA_RULE_COMPAT_UNSPEC,
+ NFTA_RULE_COMPAT_PROTO,
+ NFTA_RULE_COMPAT_FLAGS,
+ __NFTA_RULE_COMPAT_MAX
+};
+#define NFTA_RULE_COMPAT_MAX (__NFTA_RULE_COMPAT_MAX - 1)
+
/**
* enum nft_set_flags - nf_tables set flags
*
diff --git a/iptables/nft.c b/iptables/nft.c
index f42e437..c3d5d61 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -800,6 +800,13 @@
add_cmp_ptr(r, op, data, len);
}
+static void add_compat(struct nft_rule *r, uint32_t proto, bool inv)
+{
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_PROTO, proto);
+ nft_rule_attr_set_u32(r, NFT_RULE_ATTR_COMPAT_FLAGS,
+ inv ? NFT_RULE_COMPAT_F_INV : 0);
+}
+
static void add_proto(struct nft_rule *r, int offset, size_t len,
uint32_t proto, int invflags)
{
@@ -813,6 +820,7 @@
op = NFT_CMP_EQ;
add_cmp_u32(r, proto, op);
+ add_compat(r, proto, invflags & XT_INV_PROTO);
}
int