authorPablo M. Bermudo Garay <pablombg@gmail.com>2016-06-22 19:07:01 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2016-06-22 20:00:38 +0200
commitd64ef34a99610a6fb54d43660ac31555da858231 (patch)
treee0199830bc3ac69aa9266bd1c7a40669be0b2401 /iptables/nft.c
parent6223ead0d06b7c7630adfd8c384bd2f3ae1c65c7 (diff)
iptables-compat: use nft built-in comments support
After this patch, iptables-compat uses nft built-in comments support instead of the comment match. This change simplifies the treatment of comments in nft after loading a rule set through iptables-compat-restore. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 68b4da38..c81bb0e6 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -43,6 +43,7 @@
#include <libnftnl/rule.h>
#include <libnftnl/expr.h>
#include <libnftnl/set.h>
+#include <libnftnl/udata.h>
#include <netinet/in.h> /* inet_ntoa */
#include <arpa/inet.h>
@@ -1007,6 +1008,31 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes)
return 0;
}
+enum udata_type {
+ UDATA_TYPE_COMMENT,
+ __UDATA_TYPE_MAX,
+};
+#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
+
+int add_comment(struct nftnl_rule *r, const char *comment)
+{
+ struct nftnl_udata_buf *udata;
+
+ udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
+ if (!udata)
+ return -ENOMEM;
+
+ if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
+ return -ENOMEM;
+ nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
+ nftnl_udata_buf_data(udata),
+ nftnl_udata_buf_len(udata));
+
+ nftnl_udata_buf_free(udata);
+
+ return 0;
+}
+
void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv)
{
nftnl_rule_set_u32(r, NFTNL_RULE_COMPAT_PROTO, proto);