summaryrefslogtreecommitdiffstats
path: root/utils
diff options
context:
space:
mode:
authorPhil Sutter <phil@nwl.cc>2019-11-15 10:47:25 +0100
committerPhil Sutter <phil@nwl.cc>2019-11-15 15:45:18 +0100
commit7a373f6683afb799c8387bdec1da6a07e9e55b33 (patch)
tree9ed419fb1b03a4014a9e80402b22399232801f31 /utils
parent7084d0b6c95b11f03b3ae979fe30b6918cb26542 (diff)
nft: Fix -Z for rules with NFTA_RULE_COMPAT
The special nested attribute NFTA_RULE_COMPAT holds information about any present l4proto match (given via '-p' parameter) in input. The match is contained as meta expression as well, but some xtables extensions explicitly check it's value (see e.g. xt_TPROXY). This nested attribute is input only, the information is lost after parsing (and initialization of compat extensions). So in order to feed a rule back to kernel with zeroed counters, the attribute has to be reconstructed based on the rule's expressions. Other code paths are not affected since rule_to_cs() callback will populate respective fields in struct iptables_command_state and 'add' callback (which is the inverse to rule_to_cs()) calls add_compat() in any case. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'utils')
0 files changed, 0 insertions, 0 deletions