author | Pablo M. Bermudo Garay <pablombg@gmail.com> | 2016-06-22 19:07:01 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-06-22 20:00:38 +0200 |
commit | d64ef34a99610a6fb54d43660ac31555da858231 (patch) | |
tree | e0199830bc3ac69aa9266bd1c7a40669be0b2401 /iptables/nft-ipv4.c | |
parent | 6223ead0d06b7c7630adfd8c384bd2f3ae1c65c7 (diff) |
iptables-compat: use nft built-in comments support
After this patch, iptables-compat uses nft built-in comments support
instead of comment match.
This change simplifies the treatment of comments in nft after loading a
rule set through iptables-compat-restore.
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-ipv4.c')
-rw-r--r-- | iptables/nft-ipv4.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index cf985b73..814ca14d 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -31,6 +31,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
 struct iptables_command_state *cs = data;
 struct xtables_rule_match *matchp;
 uint32_t op;
+ int ret;
 if (cs->fw.ip.iniface[0] != '\0') {
 op = nft_invflags2cmp(cs->fw.ip.invflags, IPT_INV_VIA_IN);
@@ -74,8 +75,16 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
 add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags);
 for (matchp = cs->matches; matchp; matchp = matchp->next) {
- if (add_match(r, matchp->match->m) < 0)
- break;
+ /* Use nft built-in comments support instead of comment match */
+ if (strcmp(matchp->match->name, "comment") == 0) {
+ ret = add_comment(r, (char *)matchp->match->m->data);
+ if (ret < 0)
+ return ret;
+ } else {
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
+ }
 }
 /* Counters need to me added before the target, otherwise they are |
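Review bot: The `(char *)matchp->match->m->data` cast in the new comment branch relies on the comment text being the first member of the match's private data, which holds for `struct xt_comment_info` today but is an unstated layout assumption; naming the struct and passing its member, `add_comment(r, ((struct xt_comment_info *)matchp->match->m->data)->comment)`, makes the dependency explicit (adding the header include if it is not already present). It is also worth confirming that add_comment bounds the string it receives: xt_comment accepts comments up to XT_MAX_COMMENT_LEN bytes, and I cannot tell from this hunk whether a maximal-length comment fits within nft's userdata limit or is rejected with an error rather than silently truncated. Replacing the old `break` with `return ret` changes behaviour from quietly skipping a failed match to propagating the error, which looks intended but should be checked against what callers of nft_ipv4_add expect. The body of nft_ipv4_add starts and ends outside this hunk.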