On Mon, Feb 10, 2014 at 04:49:33PM +0100, Giuseppe Longo wrote:
> This patch permits to save matches and target for ip/ip6/eb family,
> required for xtables-events.
>
> Also, generalizes nft_rule_print_save to be reused for all protocol families.
>
> Signed-off-by: Giuseppe Longo
> ---
> iptables/nft-ipv4.c | 7 +++++--
> iptables/nft-ipv6.c | 7 +++++--
> iptables/nft-shared.c | 35 +++++++++++++++++++++++++++++++++++
> iptables/nft-shared.h | 6 +++++-
> iptables/nft.c | 33 +++------------------------------
> iptables/nft.h | 2 +-
> 6 files changed, 54 insertions(+), 36 deletions(-)
>
> diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
> index 1afe8b6..e18a649 100644
> --- a/iptables/nft-ipv4.c
> +++ b/iptables/nft-ipv4.c
> @@ -309,9 +309,11 @@ static void save_ipv4_addr(char letter, const struct in_addr *addr,
> mask_to_str(mask));
> }
>
> -static uint8_t nft_ipv4_save_firewall(const struct iptables_command_state *cs,
> +static void nft_ipv4_save_firewall(const void *data,
> unsigned int format)

This fits in 80-chars line, no need to break it. I have fixed this here.

> {
> + const struct iptables_command_state *cs = data;
> +
> save_firewall_details(cs, cs->fw.ip.invflags, cs->fw.ip.proto,
> cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
> cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
> @@ -328,7 +330,8 @@ static uint8_t nft_ipv4_save_firewall(const struct iptables_command_state *cs,
> save_ipv4_addr('d', &cs->fw.ip.dst, cs->fw.ip.dmsk.s_addr,
> cs->fw.ip.invflags & IPT_INV_DSTIP);
>
> - return cs->fw.ip.flags;
> + save_matches_and_target(cs->matches, cs->target, cs->jumpto,
> + cs->fw.ip.flags, &cs);

You're passing &cs here... (continues below)

> }
>
> static void nft_ipv4_proto_parse(struct iptables_command_state *cs,
> diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
> index f30cec6..4beb411 100644
> --- a/iptables/nft-ipv6.c
> +++ b/iptables/nft-ipv6.c
> @@ -218,9 +218,11 @@ static void save_ipv6_addr(char letter, const struct in6_addr *addr,
> printf("%s-%c %s ", invert ? "! " : "", letter, addr_str);
> }
>
> -static uint8_t nft_ipv6_save_firewall(const struct iptables_command_state *cs,
> +static void nft_ipv6_save_firewall(const void *data,
> unsigned int format)
> {
> + const struct iptables_command_state *cs = data;
> +
> save_firewall_details(cs, cs->fw6.ipv6.invflags, cs->fw6.ipv6.proto,
> cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
> cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
> @@ -231,7 +233,8 @@ static uint8_t nft_ipv6_save_firewall(const struct iptables_command_state *cs,
> save_ipv6_addr('d', &cs->fw6.ipv6.dst,
> cs->fw6.ipv6.invflags & IPT_INV_DSTIP);
>
> - return cs->fw6.ipv6.flags;
> + save_matches_and_target(cs->matches, cs->target, cs->jumpto,
> + cs->fw6.ipv6.flags, &cs);
> }
>
> /* These are invalid numbers as upper layer protocol */
> diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
> index 233011c..29bfab7 100644
> --- a/iptables/nft-shared.c
> +++ b/iptables/nft-shared.c
> @@ -621,6 +621,41 @@ void save_firewall_details(const struct iptables_command_state *cs,
> }
> }
>
> +void save_matches_and_target(struct xtables_rule_match *m,
> + struct xtables_target *target,
> + const char *jumpto,
> + uint8_t flags, void *fw)

But save_matches_and_target takes a void *fw. Beware with pointer handling, I guess you did that to resolve a compilation warning but that was not the way to make. I have fixed this as well.

> +{
> + struct xtables_rule_match *matchp;
> +
> + for (matchp = m; matchp; matchp = matchp->next) {
> + if (matchp->match->alias) {
> + printf("-m %s",
> + matchp->match->alias(matchp->match->m));
> + } else
> + printf("-m %s", matchp->match->name);
> +
> + if (matchp->match->save != NULL) {
> + /* cs->fw union makes the trick */
> + matchp->match->save(&fw, matchp->match->m);
> + }
> + printf(" ");
> + }
> +
> + if (target != NULL) {
> + if (target->alias) {
> + printf("-j %s", target->alias(target->t));
> + } else
> + printf("-j %s", jumpto);
> +
> + if (target->save != NULL)
> + target->save(fw, target->t);
> + } else if (strlen(jumpto) > 0)
> + printf("-%c %s", flags & IPT_F_GOTO ? 'g' : 'j', jumpto);

Not related to your patch. We've been doing wrong flags handling, I'll also push the patch attached.

> +
> + printf("\n");
> +}
> +
> void print_matches_and_target(struct iptables_command_state *cs,
> unsigned int format)
> {
> diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
> index 9df17bc..676cdca 100644
> --- a/iptables/nft-shared.h
> +++ b/iptables/nft-shared.h
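Review bot: In the match loop of save_matches_and_target the save callback is handed `&fw`, the address of the function's own parameter, while the target branch a few lines below hands its callback `fw`. The two extension callbacks therefore receive different objects, and a match save routine that reads a header through its first argument would presumably end up reading the stack slot that holds the parameter. Both calls should pass the same pointer, `matchp->match->save(fw, matchp->match->m);`. The comment `/* cs->fw union makes the trick */` refers to a `cs` that does not exist in this function and would read better as `/* fw: family-specific header handed to the extension's save() */`. Separately, `strlen(jumpto)` is reached without a NULL check when `target` is NULL; whether callers can pass a NULL `jumpto` is not visible in this hunk.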
> @@ -49,7 +49,7 @@ struct nft_family_ops {
> void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
> void (*print_firewall)(struct nft_rule *r, unsigned int num,
> unsigned int format);
> - uint8_t (*save_firewall)(const struct iptables_command_state *cs,
> + void (*save_firewall)(const void *data,
> unsigned int format);

Please, next time also make sure coding you adjust the line above, so we don't need to adjust it later on with coding style cleanup patches. As said, I have fixes these things and pushed this patch to master. Please, put a bit more care next time, thanks.