[iptables-compat PATCH 1/3] ebtables-compat: fix print_header

[iptables-compat PATCH 1/3] ebtables-compat: fix print_header

[Giuseppe Longo]

This prints the header like ebtables.

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
 iptables/nft-bridge.c | 3 +--
 iptables/nft.c        | 7 +++++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index ab97881..1fe10ed 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -362,8 +362,7 @@ static void nft_bridge_print_header(unsigned int format, const char *chain,
 				    const struct xt_counters *counters,
 				    bool basechain, uint32_t refs)
 {
-	/* FIXME: Giuseppe replace this with ebtables format */
-	print_header(format, chain, pol, counters, basechain, refs);
+	printf("Bridge chain: %s, entries: %u, policy: %s\n", chain, refs, pol);
 }
 
 static void nft_bridge_print_firewall(struct nft_rule *r, unsigned int num,
diff --git a/iptables/nft.c b/iptables/nft.c
index bab2834..0cdf027 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2006,6 +2006,9 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
 	if (iter == NULL)
 		goto err;
 
+	if (h->family == NFPROTO_BRIDGE)
+		printf("Bridge table: %s\n\n", table);
+
 	c = nft_chain_list_iter_next(iter);
 	while (c != NULL) {
 		const char *chain_table =
@@ -2033,8 +2036,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
 		if (found)
 			printf("\n");
 
-		ops->print_header(format, chain_name, policy_name[policy],
-				  &ctrs, basechain, refs);
+		ops->print_header(format, chain_name,
+				  policy_name[policy], &ctrs, basechain, refs);
 
 		__nft_rule_list(h, chain_name, table,
 				rulenum, format, ops->print_firewall);
-- 
1.9.1

[iptables-compat PATCH 2/3] nft: fix syntax error

[Giuseppe Longo]

This fixes a syntax error, remove ; in an if statement

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
 iptables/nft-shared.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 2b87092..d6f838c 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -444,7 +444,7 @@ void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nft_rule_expr *e)
 	if (ctx->flags & NFT_XT_CTX_META)
 		ops->parse_meta(ctx, e, data);
 	/* bitwise context is interpreted from payload */
-	if (ctx->flags & NFT_XT_CTX_PAYLOAD);
+	if (ctx->flags & NFT_XT_CTX_PAYLOAD)
 		ops->parse_payload(ctx, e, data);
 }
 
-- 
1.9.1

[iptables-compat PATCH 3/3] nft-ipv46: replace offset var with ctx->payload.offset

[Giuseppe Longo]

The offset variable (undefined) is passed to DEBUGP function,
so you get a compilation error if you try to build iptables
with debug enabled

Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
---
 iptables/nft-ipv4.c | 2 +-
 iptables/nft-ipv6.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index eedcb50..a2c5806 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -205,7 +205,7 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
 			cs->fw.ip.invflags |= IPT_INV_FRAG;
 		break;
 	default:
-		DEBUGP("unknown payload offset %d\n", offset);
+		DEBUGP("unknown payload offset %d\n", ctx->payload.offset);
 		break;
 	}
 }
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 2e50627..5489398 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -142,7 +142,7 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
 		if (inv)
 			cs->fw6.ipv6.invflags |= IPT_INV_PROTO;
 	default:
-		DEBUGP("unknown payload offset %d\n", offset);
+		DEBUGP("unknown payload offset %d\n", ctx->payload.offset);
 		break;
 	}
 }
-- 
1.9.1

Re: [iptables-compat PATCH 1/3] ebtables-compat: fix print_header

[Pablo Neira Ayuso]

On Thu, Oct 16, 2014 at 04:29:51PM +0200, Giuseppe Longo wrote:
> This prints the header like ebtables.

Applied to the ebtables-compat branch. Thanks.

Re: [iptables-compat PATCH 2/3] nft: fix syntax error

[Pablo Neira Ayuso]

On Thu, Oct 16, 2014 at 04:29:52PM +0200, Giuseppe Longo wrote:
> This fixes a syntax error, remove ; in an if statement

Applied to master, thanks.

Re: [iptables-compat PATCH 3/3] nft-ipv46: replace offset var with ctx->payload.offset

[Pablo Neira Ayuso]

On Thu, Oct 16, 2014 at 04:29:53PM +0200, Giuseppe Longo wrote:
> The offset variable (undefined) is passed to DEBUGP function,
> so you get a compilation error if you try to build iptables
> with debug enabled

Applied to master, thanks.

I have rebased the ebtables-compat branch again upon these fixes.

Re: [iptables-compat PATCH 1/3] ebtables-compat: fix print_header

[Pablo Neira Ayuso]

On Mon, Oct 20, 2014 at 11:01:42AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 16, 2014 at 04:29:51PM +0200, Giuseppe Longo wrote:
> > This prints the header like ebtables.
> 
> Applied to the ebtables-compat branch. Thanks.

I forgot to say that I made a quick change, so the iptables/nft.c code
remains family agnostic.

See the new .print_table_header callback:

http://git.netfilter.org/iptables/commit/?h=ebtables-compat-experimental3&id=457c2065827cc05a4c30e27fd57da998550dd078