Re: [nft PATCH 2/3] src: add xt compat support

From: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Netfilter Development Mailing list
	<netfilter-devel@vger.kernel.org>,
	Patrick McHardy <kaber@trash.net>
Subject: Re: [nft PATCH 2/3] src: add xt compat support
Date: Fri, 27 Mar 2015 13:00:37 +0100	[thread overview]
Message-ID: <CAOkSjBivwzs8X+y1PRqG8-hg4b-0QQ_NXfJ38YoT9V05vt7Bag@mail.gmail.com> (raw)
In-Reply-To: <20150325194441.GA26737@salvia>

On 25 March 2015 at 20:44, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 25, 2015 at 08:16:02PM +0100, Arturo Borrero Gonzalez wrote:
>> diff --git a/include/xt.h b/include/xt.h
>> new file mode 100644
>> index 0000000..414f3d1
>> --- /dev/null
>> +++ b/include/xt.h
>> @@ -0,0 +1,100 @@
>> +#ifndef _NFT_XT_H_
>> +#define _NFT_XT_H_
>> +
>> +#include <arpa/inet.h>
>> +#include <netinet/in.h>
>> +#include <limits.h>
>> +#include <net/if.h>
>> +#include <net/ethernet.h>
>> +
>> +struct netlink_linearize_ctx;
>> +struct netlink_parse_ctx;
>> +struct nft_rule_expr;
>> +struct rule_pp_ctx;
>> +struct rule;
>> +
>> +#ifdef HAVE_LIBXTABLES
>> +
>> +#include <linux/netfilter_ipv4/ip_tables.h>
>> +#include <linux/netfilter_ipv6/ip6_tables.h>
>> +#include <linux/netfilter_arp/arp_tables.h>
>> +
>> +/* Fake ebt_entry */
>> +struct ebt_entry {
>
> I think you can avoid this if you:
>
> #include <linux/netfilter_bridge/ebtables.h>
>

Can't include <linux/netfilter_bridge/ebtables.h> because it includes
<linux/if.h> and clash with <net/if.h>

I will put a comment in the code.

>
>> +                                    struct stmt *stmt, struct rule *rule) {}
>> +
>> +#endif /* HAVE_LIBXTABLES */
>> +
>> +#endif /* _NFT_XT_H_ */
>> +xt_opts                      :       /* empty */     { $$ = NULL; }
>> +                     |       XTOPTS          { $$ = $1; }
>> +                     ;
>> +
>> +xt_name                      :       STRING          { $$ = $1; }
>> +                     |       STATE           { $$ = xstrdup("state"); }
>> +                     |       COMMENT         { $$ = xstrdup("comment"); }
>> +                     |       AH              { $$ = xstrdup("ah"); }
>> +                     |       ESP             { $$ = xstrdup("esp"); }
>> +                     |       TCP             { $$ = xstrdup("tcp"); }
>> +                     |       UDP             { $$ = xstrdup("udp"); }
>> +                     |       UDPLITE         { $$ = xstrdup("udplite"); }
>> +                     |       SCTP            { $$ = xstrdup("sctp"); }
>> +                     |       ICMP            { $$ = xstrdup("icmp"); }
>> +                     |       IP              { $$ = xstrdup("ip"); }
>> +                     |       VLAN            { $$ = xstrdup("vlan"); }
>> +                     |       LOG             { $$ = xstrdup("log"); }
>> +                     |       _802_3          { $$ = xstrdup("802_3"); }
>
> This _802_3 should not be clashing with anything else, the problem is
> somewhere else.
>

% sudo nft add rule bridge filter FORWARD xt match 802_3 [--802_3-sap 0x01  ]
<cmdline>:1:41-43: Error: syntax error, unexpected number
add rule bridge filter FORWARD xt match 802_3 [--802_3-sap 0x01 ]
                                        ^^^

I have to admit I don't know where to look. Do you have any hint?
-- 
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html