author | Pablo M. Bermudo Garay <pablombg@gmail.com> | 2016-06-22 19:07:01 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-06-22 20:00:38 +0200 |
commit | d64ef34a99610a6fb54d43660ac31555da858231 (patch) | |
tree | e0199830bc3ac69aa9266bd1c7a40669be0b2401 /iptables/nft.c | |
parent | 6223ead0d06b7c7630adfd8c384bd2f3ae1c65c7 (diff) |
iptables-compat: use nft built-in comments support
After this patch, iptables-compat uses nft built-in comments support
instead of comment match.
This change simplifies the treatment of comments in nft after loading a
rule set through iptables-compat-restore.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r-- | iptables/nft.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 68b4da38..c81bb0e6 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -43,6 +43,7 @@
 #include <libnftnl/rule.h>
 #include <libnftnl/expr.h>
 #include <libnftnl/set.h>
+#include <libnftnl/udata.h>
 #include <netinet/in.h> /* inet_ntoa */
 #include <arpa/inet.h>
@@ -1007,6 +1008,31 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes)
 	return 0;
 }
+enum udata_type {
+	UDATA_TYPE_COMMENT,
+	__UDATA_TYPE_MAX,
+};
+#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
+
+int add_comment(struct nftnl_rule *r, const char *comment)
+{
+	struct nftnl_udata_buf *udata;
+
+	udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
+	if (!udata)
+		return -ENOMEM;
+
+	if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
+		return -ENOMEM;
+	nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
+			    nftnl_udata_buf_data(udata),
+			    nftnl_udata_buf_len(udata));
+
+	nftnl_udata_buf_free(udata);
+
+	return 0;
+}
+
 void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv)
 {
 	nftnl_rule_set_u32(r, NFTNL_RULE_COMPAT_PROTO, proto);
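Review bot: In the new add_comment(), the early return after a failed nftnl_udata_put_strz() leaks the buffer obtained from nftnl_udata_buf_alloc(), because nftnl_udata_buf_free() is only reached on the success path; the check should read `if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment)) {` / `nftnl_udata_buf_free(udata);` / `return -ENOMEM;` followed by a closing brace. Since the buffer is sized to NFT_USERDATA_MAXLEN, a comment that does not fit is presumably also reported by put_strz returning false, so -ENOMEM is likely not the only condition behind that return value; a short comment such as `/* also fails when the comment exceeds NFT_USERDATA_MAXLEN */` or a more specific error code would help callers distinguish the two. As a point of style, `__UDATA_TYPE_MAX` is a reserved identifier in C (double leading underscore); the terminator-enumerator idiom is common in netfilter code, but `UDATA_TYPE_MAX` could be defined directly as the last valid enumerator without it.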