From d64ef34a99610a6fb54d43660ac31555da858231 Mon Sep 17 00:00:00 2001
From: "Pablo M. Bermudo Garay"
Date: Wed, 22 Jun 2016 19:07:01 +0200
Subject: iptables-compat: use nft built-in comments support

After this patch, iptables-compat uses nft built-in comments support instead of comment match. This change simplifies the treatment of comments in nft after load a rule set through iptables-compat-restore.

Signed-off-by: Pablo M. Bermudo Garay
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft-ipv6.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
(limited to 'iptables/nft-ipv6.c')
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 11501189..bfbf8dff 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -30,6 +30,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
 struct iptables_command_state *cs = data;
 struct xtables_rule_match *matchp;
 uint32_t op;
+ int ret;
 
 if (cs->fw6.ipv6.iniface[0] != '\0') {
 op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_IN);
@@ -62,8 +63,16 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
 add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
 
 for (matchp = cs->matches; matchp; matchp = matchp->next) {
- if (add_match(r, matchp->match->m) < 0)
- break;
+ /* Use nft built-in comments support instead of comment match */
+ if (strcmp(matchp->match->name, "comment") == 0) {
+ ret = add_comment(r, (char *)matchp->match->m->data);
+ if (ret < 0)
+ return ret;
+ } else {
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
+ }
 }
 
 /* Counters need to me added before the target, otherwise they are
-- 
cgit v1.2.3
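Review bot: The new comment branch passes `(char *)matchp->match->m->data` to add_comment with no length, so add_comment (defined outside this hunk) has to trust that the comment payload is NUL-terminated; the payload is a fixed-size comment buffer filled from the `--comment` option, and if the extension parser can fill it completely, any strlen/strcpy-style handling inside add_comment would read past the match data. If add_comment does not already bound its copy at the comment buffer size (XT_MAX_COMMENT_LEN in the xt_comment header), it should, or this call site should pass the bound explicitly. On style, the two branches repeat the same `if (ret < 0) return ret;` tail; the loop body reads more cleanly as `ret = strcmp(matchp->match->name, "comment") == 0 ? add_comment(r, (char *)matchp->match->m->data) : add_match(r, matchp->match->m);` followed by a single `if (ret < 0) return ret;`. Whether `<string.h>` is already included for strcmp cannot be seen from this hunk; nft_ipv6_add begins and ends outside it.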