-rw-r--r-- | extensions/libxt_comment.t | 2 | ||||
-rw-r--r-- | iptables/nft-ipv4.c | 14 | ||||
-rw-r--r-- | iptables/nft-ipv6.c | 14 | ||||
-rw-r--r-- | iptables/nft.c | 27 | ||||
-rw-r--r-- | iptables/nft.h | 1 |
5 files changed, 8 insertions, 50 deletions
diff --git a/extensions/libxt_comment.t b/extensions/libxt_comment.t
index f12cd668..f0c8fb99 100644
--- a/extensions/libxt_comment.t
+++ b/extensions/libxt_comment.t
@@ -1,6 +1,8 @@
 :INPUT,FORWARD,OUTPUT
 -m comment;;FAIL
 -m comment --comment;;FAIL
+-p tcp -m tcp --dport 22 -m comment --comment foo;=;OK
+-p tcp -m comment --comment foo -m tcp --dport 22;=;OK
 #
 # it fails with 256 characters
 #
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ffb439b4..4497eb9b 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -77,17 +77,9 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
 	add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
-		/* Use nft built-in comments support instead of comment match */
-		if (strcmp(matchp->match->name, "comment") == 0) {
-			ret = add_comment(r, (char *)matchp->match->m->data);
-			if (ret < 0)
-				goto try_match;
-		} else {
-try_match:
-			ret = add_match(r, matchp->match->m);
-			if (ret < 0)
-				return ret;
-		}
+		ret = add_match(r, matchp->match->m);
+		if (ret < 0)
+			return ret;
 	}
 
 	/* Counters need to me added before the target, otherwise they are
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 7bacee4a..cacb1c9e 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -66,17 +66,9 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
 	add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
 
 	for (matchp = cs->matches; matchp; matchp = matchp->next) {
-		/* Use nft built-in comments support instead of comment match */
-		if (strcmp(matchp->match->name, "comment") == 0) {
-			ret = add_comment(r, (char *)matchp->match->m->data);
-			if (ret < 0)
-				goto try_match;
-		} else {
-try_match:
-			ret = add_match(r, matchp->match->m);
-			if (ret < 0)
-				return ret;
-		}
+		ret = add_match(r, matchp->match->m);
+		if (ret < 0)
+			return ret;
 	}
 
 	/* Counters need to me added before the target, otherwise they are
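Review bot: The new loop body in nft_ipv4_add gives no hint that the `comment` match was previously diverted into nft userdata, so a later reader may reintroduce that special case; a one-line comment at the loop would prevent that, e.g. `/* every match, including "comment", is emitted as an xt match; nft userdata comments are only read back via get_comment() */`. The same applies to the identical hunk in iptables/nft-ipv6.c. The nft.h hunk keeps the get_comment declaration while dropping add_comment, so read-side compatibility with rules that already carry userdata comments is presumably intentional and the comment should say so. nft_ipv4_add starts and ends outside the hunk.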
diff --git a/iptables/nft.c b/iptables/nft.c
index 0223c0ed..7b6fb2b1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1129,33 +1129,6 @@ enum udata_type {
 };
 #define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
 
-int add_comment(struct nftnl_rule *r, const char *comment)
-{
-	struct nftnl_udata_buf *udata;
-	uint32_t len;
-
-	if (nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len))
-		return -EALREADY;
-
-	udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
-	if (!udata)
-		return -ENOMEM;
-
-	if (strnlen(comment, 255) == 255)
-		return -ENOSPC;
-
-	if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
-		return -ENOMEM;
-
-	nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
-			    nftnl_udata_buf_data(udata),
-			    nftnl_udata_buf_len(udata));
-
-	nftnl_udata_buf_free(udata);
-
-	return 0;
-}
-
 static int parse_udata_cb(const struct nftnl_udata *attr, void *data)
 {
 	unsigned char *value = nftnl_udata_get(attr);
diff --git a/iptables/nft.h b/iptables/nft.h
index 71119994..bf60ab39 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -121,7 +121,6 @@ int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
 int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
 int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
-int add_comment(struct nftnl_rule *r, const char *comment);
 char *get_comment(const void *data, uint32_t data_len);
 
 enum nft_rule_print {