* [iptables PATCH 0/3] Review interface parsing and printing
@ 2023-11-24 11:28 Phil Sutter
From: Phil Sutter @ 2023-11-24 11:28 UTC (permalink / raw)
  To: netfilter-devel

Take advantage of the fact that interface name masks are needed only
when submitting a legacy rule to the kernel. Drop all the code dealing
with them and instead introduce a function to call from legacy variants
if needed.

Phil Sutter (3):
  xshared: Entirely ignore interface masks when saving rules
  xshared: Do not populate interface masks per default
  nft: Leave interface masks alone when parsing from kernel

 iptables/ip6tables.c            |  6 ++-
 iptables/iptables.c             |  6 ++-
 iptables/nft-ipv4.c             |  3 +-
 iptables/nft-ipv6.c             |  3 +-
 iptables/nft-ruleparse-arp.c    |  5 +-
 iptables/nft-ruleparse-bridge.c |  3 +-
 iptables/nft-ruleparse-ipv4.c   |  5 +-
 iptables/nft-ruleparse-ipv6.c   |  3 +-
 iptables/nft-ruleparse.c        | 33 ++++---------
 iptables/nft-ruleparse.h        |  3 +-
 iptables/xshared.c              | 83 ++++++++++++++++++---------------
 iptables/xshared.h              |  8 ++--
 12 files changed, 76 insertions(+), 85 deletions(-)

-- 
2.41.0



* [iptables PATCH 1/3] xshared: Entirely ignore interface masks when saving rules
@ 2023-11-24 11:28 ` Phil Sutter
From: Phil Sutter @ 2023-11-24 11:28 UTC (permalink / raw)
  To: netfilter-devel

Rule printing code has done this for more than 20 years now, so assume it is
safe to rely upon the wildcard interface name containing a '+' suffix.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c |  3 +--
 iptables/iptables.c  |  3 +--
 iptables/nft-ipv4.c  |  3 +--
 iptables/nft-ipv6.c  |  3 +--
 iptables/xshared.c   | 32 ++++++--------------------------
 iptables/xshared.h   |  6 ++----
 6 files changed, 12 insertions(+), 38 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 08da04b456787..21cd801892641 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -509,8 +509,7 @@ void print_rule6(const struct ip6t_entry *e,
 	save_ipv6_addr('d', &e->ipv6.dst, &e->ipv6.dmsk,
 		       e->ipv6.invflags & IP6T_INV_DSTIP);
 
-	save_rule_details(e->ipv6.iniface, e->ipv6.iniface_mask,
-			  e->ipv6.outiface, e->ipv6.outiface_mask,
+	save_rule_details(e->ipv6.iniface, e->ipv6.outiface,
 			  e->ipv6.proto, 0, e->ipv6.invflags);
 
 #if 0
diff --git a/iptables/iptables.c b/iptables/iptables.c
index a73e8eed9028a..ce65c30ad0b15 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -516,8 +516,7 @@ void print_rule4(const struct ipt_entry *e,
 	save_ipv4_addr('d', &e->ip.dst, &e->ip.dmsk,
 			e->ip.invflags & IPT_INV_DSTIP);
 
-	save_rule_details(e->ip.iniface, e->ip.iniface_mask,
-			  e->ip.outiface, e->ip.outiface_mask,
+	save_rule_details(e->ip.iniface, e->ip.outiface,
 			  e->ip.proto, e->ip.flags & IPT_F_FRAG,
 			  e->ip.invflags);
 
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 7fb71ed4a8056..c140ffde34b62 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -161,8 +161,7 @@ static void nft_ipv4_save_rule(const struct iptables_command_state *cs,
 	save_ipv4_addr('d', &cs->fw.ip.dst, &cs->fw.ip.dmsk,
 		       cs->fw.ip.invflags & IPT_INV_DSTIP);
 
-	save_rule_details(cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
-			  cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
+	save_rule_details(cs->fw.ip.iniface, cs->fw.ip.outiface,
 			  cs->fw.ip.proto, cs->fw.ip.flags & IPT_F_FRAG,
 			  cs->fw.ip.invflags);
 
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index bb417356629a9..4bf4f54f18a00 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -147,8 +147,7 @@ static void nft_ipv6_save_rule(const struct iptables_command_state *cs,
 	save_ipv6_addr('d', &cs->fw6.ipv6.dst, &cs->fw6.ipv6.dmsk,
 		       cs->fw6.ipv6.invflags & IP6T_INV_DSTIP);
 
-	save_rule_details(cs->fw6.ipv6.iniface, cs->fw6.ipv6.iniface_mask,
-			  cs->fw6.ipv6.outiface, cs->fw6.ipv6.outiface_mask,
+	save_rule_details(cs->fw6.ipv6.iniface, cs->fw6.ipv6.outiface,
 			  cs->fw6.ipv6.proto, 0, cs->fw6.ipv6.invflags);
 
 	save_matches_and_target(cs, cs->fw6.ipv6.flags & IP6T_F_GOTO,
diff --git a/iptables/xshared.c b/iptables/xshared.c
index ca17479811df3..839a5bb68776c 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -757,29 +757,12 @@ void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 	printf(FMT("%-6s ", "out %s "), iface);
 }
 
-/* This assumes that mask is contiguous, and byte-bounded. */
-void save_iface(char letter, const char *iface,
-		const unsigned char *mask, int invert)
+void save_iface(char letter, const char *iface, int invert)
 {
-	unsigned int i;
-
-	if (mask[0] == 0)
+	if (!strlen(iface) || !strcmp(iface, "+"))
 		return;
 
-	printf("%s -%c ", invert ? " !" : "", letter);
-
-	for (i = 0; i < IFNAMSIZ; i++) {
-		if (mask[i] != 0) {
-			if (iface[i] != '\0')
-				printf("%c", iface[i]);
-		} else {
-			/* we can access iface[i-1] here, because
-			 * a few lines above we make sure that mask[0] != 0 */
-			if (iface[i-1] != '\0')
-				printf("+");
-			break;
-		}
-	}
+	printf("%s -%c %s", invert ? " !" : "", letter, iface);
 }
 
 static void command_match(struct iptables_command_state *cs, bool invert)
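Review bot: The rewritten save_iface now depends on iface being NUL-terminated within IFNAMSIZ, whereas the removed loop was bounded by IFNAMSIZ regardless of a terminator; strlen(), strcmp() and the `%s` conversion on the new printf line all read until a NUL. The legacy callers pass the raw `iniface[IFNAMSIZ]` array of an entry fetched from the kernel, and I am not certain every producer of such entries guarantees a terminator for a full-length name. A bounded form keeps the old guarantee at no cost: `size_t len = strnlen(iface, IFNAMSIZ);` / `if (!len || (len == 1 && iface[0] == '+')) return;` / `printf("%s -%c %.*s", invert ? " !" : "", letter, (int)len, iface);`. A one-line comment above the function stating that a trailing '+' in the name is now the only wildcard indicator would also help, since the old "mask is contiguous" comment was dropped without a replacement.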
@@ -1066,17 +1049,14 @@ void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
 		printf(FMT("%-4s ", "%s "), pname);
 }
 
-void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
-		       const char *outiface, unsigned const char *outiface_mask,
+void save_rule_details(const char *iniface, const char *outiface,
 		       uint16_t proto, int frag, uint8_t invflags)
 {
 	if (iniface != NULL) {
-		save_iface('i', iniface, iniface_mask,
-			    invflags & IPT_INV_VIA_IN);
+		save_iface('i', iniface, invflags & IPT_INV_VIA_IN);
 	}
 	if (outiface != NULL) {
-		save_iface('o', outiface, outiface_mask,
-			    invflags & IPT_INV_VIA_OUT);
+		save_iface('o', outiface, invflags & IPT_INV_VIA_OUT);
 	}
 
 	if (proto > 0) {
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 28efd73cf470a..952fa8ab95fec 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -212,8 +212,7 @@ void save_ipv6_addr(char letter, const struct in6_addr *addr,
 
 void print_ifaces(const char *iniface, const char *outiface, uint8_t invflags,
 		  unsigned int format);
-void save_iface(char letter, const char *iface,
-		const unsigned char *mask, int invert);
+void save_iface(char letter, const char *iface, int invert);
 
 void print_fragment(unsigned int flags, unsigned int invflags,
 		    unsigned int format, bool fake);
@@ -225,8 +224,7 @@ void assert_valid_chain_name(const char *chainname);
 void print_rule_details(unsigned int linenum, const struct xt_counters *ctrs,
 			const char *targname, uint8_t proto, uint8_t flags,
 			uint8_t invflags, unsigned int format);
-void save_rule_details(const char *iniface, unsigned const char *iniface_mask,
-		       const char *outiface, unsigned const char *outiface_mask,
+void save_rule_details(const char *iniface, const char *outiface,
 		       uint16_t proto, int frag, uint8_t invflags);
 
 int print_match_save(const struct xt_entry_match *e, const void *ip);
-- 
2.41.0



* [iptables PATCH 2/3] xshared: Do not populate interface masks per default
@ 2023-11-24 11:28 ` Phil Sutter
From: Phil Sutter @ 2023-11-24 11:28 UTC (permalink / raw)
  To: netfilter-devel

These are needed by legacy variants only, so introduce a simplified
xtables_parse_interface() replacement which does not deal with them, plus
a small function which sets the mask based on a given interface name for
use by legacy tools.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/ip6tables.c |  3 +++
 iptables/iptables.c  |  3 +++
 iptables/xshared.c   | 51 ++++++++++++++++++++++++++++++++++----------
 iptables/xshared.h   |  2 ++
 4 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 21cd801892641..53eeb6e90bbb7 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -713,6 +713,9 @@ int do_command6(int argc, char *argv[], char **table,
 	smasks		= args.s.mask.v6;
 	dmasks		= args.d.mask.v6;
 
+	iface_to_mask(cs.fw6.ipv6.iniface, cs.fw6.ipv6.iniface_mask);
+	iface_to_mask(cs.fw6.ipv6.outiface, cs.fw6.ipv6.outiface_mask);
+
 	/* Attempt to acquire the xtables lock */
 	if (!restore)
 		xtables_lock_or_exit(wait);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index ce65c30ad0b15..69dd289060528 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -706,6 +706,9 @@ int do_command4(int argc, char *argv[], char **table,
 	smasks		= args.s.mask.v4;
 	dmasks		= args.d.mask.v4;
 
+	iface_to_mask(cs.fw.ip.iniface, cs.fw.ip.iniface_mask);
+	iface_to_mask(cs.fw.ip.outiface, cs.fw.ip.outiface_mask);
+
 	/* Attempt to acquire the xtables lock */
 	if (!restore)
 		xtables_lock_or_exit(wait);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 839a5bb68776c..dca744773d773 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -1322,6 +1322,44 @@ void xtables_clear_iptables_command_state(struct iptables_command_state *cs)
 	}
 }
 
+void iface_to_mask(const char *iface, unsigned char *mask)
+{
+	unsigned int len = strlen(iface);
+
+	memset(mask, 0, IFNAMSIZ);
+
+	if (!len) {
+		return;
+	} else if (iface[len - 1] == '+') {
+		memset(mask, 0xff, len - 1);
+		/* Don't remove `+' here! -HW */
+	} else {
+		/* Include nul-terminator in match */
+		memset(mask, 0xff, len + 1);
+	}
+}
+
+static void parse_interface(const char *arg, char *iface)
+{
+	unsigned int len = strlen(arg);
+
+	memset(iface, 0, IFNAMSIZ);
+
+	if (!len)
+		return;
+	if (len >= IFNAMSIZ)
+		xtables_error(PARAMETER_PROBLEM,
+			      "interface name `%s' must be shorter than %d characters",
+			      arg, IFNAMSIZ);
+
+	if (strchr(arg, '/') || strchr(arg, ' '))
+		fprintf(stderr,
+			"Warning: weird character in interface `%s' ('/' and ' ' are not allowed by the kernel).\n",
+			arg);
+
+	strcpy(iface, arg);
+}
+
 void do_parse(int argc, char *argv[],
 	      struct xt_cmd_parse *p, struct iptables_command_state *cs,
 	      struct xtables_args *args)
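Review bot: iface_to_mask is exported through xshared.h but measures iface with an unbounded strlen() and then writes `len + 1` mask bytes in the exact-name branch, so a caller passing a 16-character or unterminated name would write past the IFNAMSIZ-byte mask; the two callers added in this patch go through parse_interface, which rejects such names, but the function itself does not enforce or document that precondition. `unsigned int len = strnlen(iface, IFNAMSIZ - 1);` keeps every memset within the mask for any input. The prototype added to xshared.h names the first parameter `ifname` while the definition here calls it `iface`; the two should agree. A short header comment on iface_to_mask saying that the mask is contiguous, covers the name without a trailing '+', and includes the terminating NUL for exact names would spare the next reader deriving that from the three branches. Both new functions also narrow the size_t from strlen() into an unsigned int `len`; harmless here, but size_t is the conventional type.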
@@ -1600,9 +1638,7 @@ void do_parse(int argc, char *argv[],
 			check_inverse(args, optarg, &invert, argc, argv);
 			set_option(p->ops, &cs->options, OPT_VIANAMEIN,
 				   &args->invflags, invert);
-			xtables_parse_interface(optarg,
-						args->iniface,
-						args->iniface_mask);
+			parse_interface(optarg, args->iniface);
 			break;
 
 		case 'o':
@@ -1610,9 +1646,7 @@ void do_parse(int argc, char *argv[],
 			check_inverse(args, optarg, &invert, argc, argv);
 			set_option(p->ops, &cs->options, OPT_VIANAMEOUT,
 				   &args->invflags, invert);
-			xtables_parse_interface(optarg,
-						args->outiface,
-						args->outiface_mask);
+			parse_interface(optarg, args->outiface);
 			break;
 
 		case 'f':
@@ -1873,12 +1907,7 @@ void ipv4_post_parse(int command, struct iptables_command_state *cs,
 	cs->fw.ip.invflags = args->invflags;
 
 	memcpy(cs->fw.ip.iniface, args->iniface, IFNAMSIZ);
-	memcpy(cs->fw.ip.iniface_mask,
-	       args->iniface_mask, IFNAMSIZ*sizeof(unsigned char));
-
 	memcpy(cs->fw.ip.outiface, args->outiface, IFNAMSIZ);
-	memcpy(cs->fw.ip.outiface_mask,
-	       args->outiface_mask, IFNAMSIZ*sizeof(unsigned char));
 
 	if (args->goto_set)
 		cs->fw.ip.flags |= IPT_F_GOTO;
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 952fa8ab95fec..d2ce72e90824a 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -311,4 +311,6 @@ unsigned char *make_delete_mask(const struct xtables_rule_match *matches,
 				const struct xtables_target *target,
 				size_t entry_size);
 
+void iface_to_mask(const char *ifname, unsigned char *mask);
+
 #endif /* IPTABLES_XSHARED_H */
-- 
2.41.0



* [iptables PATCH 3/3] nft: Leave interface masks alone when parsing from kernel
@ 2023-11-24 11:28 ` Phil Sutter
From: Phil Sutter @ 2023-11-24 11:28 UTC (permalink / raw)
  To: netfilter-devel

The mask is entirely unused by nft variants in general and by legacy ones
when printing. It is relevant only when inserting a legacy rule into the
kernel, as the kernel does not detect the '+' suffix by itself.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-ruleparse-arp.c    |  5 ++---
 iptables/nft-ruleparse-bridge.c |  3 ++-
 iptables/nft-ruleparse-ipv4.c   |  5 ++---
 iptables/nft-ruleparse-ipv6.c   |  3 +--
 iptables/nft-ruleparse.c        | 33 ++++++++-------------------------
 iptables/nft-ruleparse.h        |  3 +--
 6 files changed, 16 insertions(+), 36 deletions(-)

diff --git a/iptables/nft-ruleparse-arp.c b/iptables/nft-ruleparse-arp.c
index cd74747e91895..b0671cb0dfe8f 100644
--- a/iptables/nft-ruleparse-arp.c
+++ b/iptables/nft-ruleparse-arp.c
@@ -34,9 +34,8 @@ static void nft_arp_parse_meta(struct nft_xt_ctx *ctx,
 	struct arpt_entry *fw = &cs->arp;
 	uint8_t flags = 0;
 
-	if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface, fw->arp.iniface_mask,
-		   fw->arp.outiface, fw->arp.outiface_mask,
-		   &flags) == 0) {
+	if (parse_meta(ctx, e, reg->meta_dreg.key, fw->arp.iniface,
+		       fw->arp.outiface, &flags) == 0) {
 		fw->arp.invflags |= flags;
 		return;
 	}
diff --git a/iptables/nft-ruleparse-bridge.c b/iptables/nft-ruleparse-bridge.c
index c6cc9af5ea198..aee08b1396c1a 100644
--- a/iptables/nft-ruleparse-bridge.c
+++ b/iptables/nft-ruleparse-bridge.c
@@ -43,7 +43,8 @@ static void nft_bridge_parse_meta(struct nft_xt_ctx *ctx,
 		return;
 	}
 
-	if (parse_meta(ctx, e, reg->meta_dreg.key, iifname, NULL, oifname, NULL, &invflags) < 0) {
+	if (parse_meta(ctx, e, reg->meta_dreg.key,
+		       iifname, oifname, &invflags) < 0) {
 		ctx->errmsg = "unknown meta key";
 		return;
 	}
diff --git a/iptables/nft-ruleparse-ipv4.c b/iptables/nft-ruleparse-ipv4.c
index 491cbf42c7754..fe65b33cf847b 100644
--- a/iptables/nft-ruleparse-ipv4.c
+++ b/iptables/nft-ruleparse-ipv4.c
@@ -41,9 +41,8 @@ static void nft_ipv4_parse_meta(struct nft_xt_ctx *ctx,
 		break;
 	}
 
-	if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw.ip.iniface, cs->fw.ip.iniface_mask,
-		   cs->fw.ip.outiface, cs->fw.ip.outiface_mask,
-		   &cs->fw.ip.invflags) == 0)
+	if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw.ip.iniface,
+		       cs->fw.ip.outiface, &cs->fw.ip.invflags) == 0)
 		return;
 
 	ctx->errmsg = "unknown ipv4 meta key";
diff --git a/iptables/nft-ruleparse-ipv6.c b/iptables/nft-ruleparse-ipv6.c
index 7581b8636e601..29b085802f76c 100644
--- a/iptables/nft-ruleparse-ipv6.c
+++ b/iptables/nft-ruleparse-ipv6.c
@@ -42,8 +42,7 @@ static void nft_ipv6_parse_meta(struct nft_xt_ctx *ctx,
 	}
 
 	if (parse_meta(ctx, e, reg->meta_dreg.key, cs->fw6.ipv6.iniface,
-		   cs->fw6.ipv6.iniface_mask, cs->fw6.ipv6.outiface,
-		   cs->fw6.ipv6.outiface_mask, &cs->fw6.ipv6.invflags) == 0)
+		       cs->fw6.ipv6.outiface, &cs->fw6.ipv6.invflags) == 0)
 		return;
 
 	ctx->errmsg = "unknown ipv6 meta key";
diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
index c8322f936acd9..0bbdf44fafe03 100644
--- a/iptables/nft-ruleparse.c
+++ b/iptables/nft-ruleparse.c
@@ -983,18 +983,14 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h,
 	return ret;
 }
 
-static void parse_ifname(const char *name, unsigned int len,
-			 char *dst, unsigned char *mask)
+static void parse_ifname(const char *name, unsigned int len, char *dst)
 {
 	if (len == 0)
 		return;
 
 	memcpy(dst, name, len);
-	if (name[len - 1] == '\0') {
-		if (mask)
-			memset(mask, 0xff, strlen(name) + 1);
+	if (name[len - 1] == '\0')
 		return;
-	}
 
 	if (len >= IFNAMSIZ)
 		return;
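Review bot: The `memcpy(dst, name, len);` at the top of the hunk still runs before the `len >= IFNAMSIZ` check at its end, so a len larger than IFNAMSIZ would overrun dst before being rejected. The only length this function sees is what the kernel stored in the cmp expression, which I believe is capped at the register size, but nothing in the function says so and the mask removal makes this the function's sole remaining guard. Hoisting the bound makes it self-evident: `if (len == 0 || len > IFNAMSIZ) return;` in place of the `len == 0` test, after which the later `len >= IFNAMSIZ` check only has to cover the unterminated full-length case. parse_ifname continues past the hunk.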
@@ -1004,12 +1000,9 @@ static void parse_ifname(const char *name, unsigned int len,
 	if (len >= IFNAMSIZ)
 		return;
 	dst[len++] = 0;
-	if (mask)
-		memset(mask, 0xff, len - 2);
 }
 
-static void parse_invalid_iface(char *iface, unsigned char *mask,
-				uint8_t *invflags, uint8_t invbit)
+static void parse_invalid_iface(char *iface, uint8_t *invflags, uint8_t invbit)
 {
 	if (*invflags & invbit || strcmp(iface, "INVAL/D"))
 		return;
@@ -1018,9 +1011,6 @@ static void parse_invalid_iface(char *iface, unsigned char *mask,
 	*invflags |= invbit;
 	iface[0] = '+';
 	iface[1] = '\0';
-	mask[0] = 0xff;
-	mask[1] = 0xff;
-	memset(mask + 2, 0, IFNAMSIZ - 2);
 }
 
 static uint32_t get_meta_mask(struct nft_xt_ctx *ctx, enum nft_registers sreg)
@@ -1071,8 +1061,7 @@ static int parse_meta_pkttype(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
 }
 
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
-	       char *iniface, unsigned char *iniface_mask,
-	       char *outiface, unsigned char *outiface_mask, uint8_t *invflags)
+	       char *iniface, char *outiface, uint8_t *invflags)
 {
 	uint32_t value;
 	const void *ifname;
@@ -1085,8 +1074,6 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 			*invflags |= IPT_INV_VIA_IN;
 
 		if_indextoname(value, iniface);
-
-		memset(iniface_mask, 0xff, strlen(iniface)+1);
 		break;
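Review bot: With the memset gone, `if_indextoname(value, iniface)` is now the only statement that fills iniface in this case and its return value is still unchecked; it returns NULL when the index no longer maps to an interface, leaving the buffer with whatever it held before, which the save path changed earlier in this series then prints via strlen() and `%s`. The NFT_META_OIF case in the next hunk has the same shape. Since parse_meta already signals failure with a negative return and the callers set ctx->errmsg on that, `if (!if_indextoname(value, iniface)) return -1;` would stop a stale index from being rendered as an empty or garbage interface, though the callers' generic "unknown meta key" message would then be misleading and may deserve a more specific one. Whether the command state is zeroed before this point is not visible here, so the garbage case is inferred.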
 	case NFT_META_OIF:
 		value = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_DATA);
@@ -1094,8 +1081,6 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 			*invflags |= IPT_INV_VIA_OUT;
 
 		if_indextoname(value, outiface);
-
-		memset(outiface_mask, 0xff, strlen(outiface)+1);
 		break;
 	case NFT_META_BRI_IIFNAME:
 	case NFT_META_IIFNAME:
@@ -1103,9 +1088,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 		if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
 			*invflags |= IPT_INV_VIA_IN;
 
-		parse_ifname(ifname, len, iniface, iniface_mask);
-		parse_invalid_iface(iniface, iniface_mask,
-				    invflags, IPT_INV_VIA_IN);
+		parse_ifname(ifname, len, iniface);
+		parse_invalid_iface(iniface, invflags, IPT_INV_VIA_IN);
 		break;
 	case NFT_META_BRI_OIFNAME:
 	case NFT_META_OIFNAME:
@@ -1113,9 +1097,8 @@ int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
 		if (nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP) == NFT_CMP_NEQ)
 			*invflags |= IPT_INV_VIA_OUT;
 
-		parse_ifname(ifname, len, outiface, outiface_mask);
-		parse_invalid_iface(outiface, outiface_mask,
-				    invflags, IPT_INV_VIA_OUT);
+		parse_ifname(ifname, len, outiface);
+		parse_invalid_iface(outiface, invflags, IPT_INV_VIA_OUT);
 		break;
 	case NFT_META_MARK:
 		parse_meta_mark(ctx, e);
diff --git a/iptables/nft-ruleparse.h b/iptables/nft-ruleparse.h
index 25ce05d2e8644..62c9160d77711 100644
--- a/iptables/nft-ruleparse.h
+++ b/iptables/nft-ruleparse.h
@@ -128,8 +128,7 @@ bool nft_rule_to_iptables_command_state(struct nft_handle *h,
 #define max(x, y) ((x) > (y) ? (x) : (y))
 
 int parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e, uint8_t key,
-	       char *iniface, unsigned char *iniface_mask, char *outiface,
-	       unsigned char *outiface_mask, uint8_t *invflags);
+	       char *iniface, char *outiface, uint8_t *invflags);
 
 int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
 		 struct iptables_command_state *cs);
-- 
2.41.0



* Re: [iptables PATCH 0/3] Review interface parsing and printing
@ 2023-11-29  1:21 ` Phil Sutter
From: Phil Sutter @ 2023-11-29  1:21 UTC (permalink / raw)
  To: netfilter-devel

On Fri, Nov 24, 2023 at 12:28:31PM +0100, Phil Sutter wrote:
> Take advantage of the fact that interface name masks are needed only
> when submitting a legacy rule to the kernel. Drop all the code dealing
> with them and instead introduce a function to call from legacy variants
> if needed.
> 
> Phil Sutter (3):
>   xshared: Entirely ignore interface masks when saving rules
>   xshared: Do not populate interface masks per default
>   nft: Leave interface masks alone when parsing from kernel

Series applied.

