authorPablo M. Bermudo Garay <pablombg@gmail.com>2016-06-22 19:07:01 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2016-06-22 20:00:38 +0200
commitd64ef34a99610a6fb54d43660ac31555da858231 (patch)
treee0199830bc3ac69aa9266bd1c7a40669be0b2401 /iptables/nft-ipv6.c
parent6223ead0d06b7c7630adfd8c384bd2f3ae1c65c7 (diff)
iptables-compat: use nft built-in comments support
After this patch, iptables-compat uses nft built-in comments support instead of comment match. This change simplifies the treatment of comments in nft after loading a rule set through iptables-compat-restore. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft-ipv6.c')
-rw-r--r--iptables/nft-ipv6.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 11501189..bfbf8dff 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -30,6 +30,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
struct iptables_command_state *cs = data;
struct xtables_rule_match *matchp;
uint32_t op;
+ int ret;
if (cs->fw6.ipv6.iniface[0] != '\0') {
op = nft_invflags2cmp(cs->fw6.ipv6.invflags, IPT_INV_VIA_IN);
@@ -62,8 +63,16 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- if (add_match(r, matchp->match->m) < 0)
- break;
+ /* Use nft built-in comments support instead of comment match */
+ if (strcmp(matchp->match->name, "comment") == 0) {
+ ret = add_comment(r, (char *)matchp->match->m->data);
+ if (ret < 0)
+ return ret;
+ } else {
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
+ }
}
/* Counters need to me added before the target, otherwise they are
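Review bot: The new comment branch hands the match payload to `add_comment()` through a bare `(char *)` cast, so nothing in this hunk shows that the string is NUL-terminated or bounded by the size of the comment match's data area. If `add_comment()` measures it with an unbounded `strlen`, a payload that fills the whole buffer would be read past its end; its definition is outside this hunk, so that should be confirmed there. Going through the typed struct makes the fixed-size bound visible at the call site, e.g. `ret = add_comment(r, ((struct xt_comment_info *)matchp->match->m->data)->comment);`, with a length check against `XT_MAX_COMMENT_LEN` inside `add_comment()`. The duplicated `if (ret < 0) return ret;` could also be hoisted to a single check after the `if`/`else`. The body of `nft_ipv6_add` starts and ends outside the hunk.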