From ccf154d7420c07b6e6febc1c3b8b31d2bd1adbe6 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 27 Nov 2018 20:07:11 +0100
Subject: xtables: Don't use native nftables comments
The problem with converting libxt_comment into nftables comment is that rules change when parsing from kernel due to comment match being moved to the end of the match list. And since match ordering matters, the rule may not be found anymore when checking or deleting. Apart from that, iptables-nft didn't support multiple comments per rule anymore. This is a compatibility issue without technical reason. Leave conversion from nftables comment to libxt_comment in place so we don't break running systems during an update.
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
iptables/nft-ipv4.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
(limited to 'iptables/nft-ipv4.c')
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index ffb439b4..4497eb9b 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -77,17 +77,9 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
 add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
 for (matchp = cs->matches; matchp; matchp = matchp->next) {
- /* Use nft built-in comments support instead of comment match */
- if (strcmp(matchp->match->name, "comment") == 0) {
- ret = add_comment(r, (char *)matchp->match->m->data);
- if (ret < 0)
- goto try_match;
- } else {
-try_match:
- ret = add_match(r, matchp->match->m);
- if (ret < 0)
- return ret;
- }
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
 }
 /* Counters need to me added before the target, otherwise they are -- cgit v1.2.3
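Review bot: The loop in nft_ipv4_add now routes every match, including libxt_comment, through the plain `add_match()` call, but nothing in the code records why the comment special case was dropped, so a later contributor could reintroduce the native-comment conversion that this commit removes for rule-ordering reasons. A short why-comment above the new `ret = add_match(r, matchp->match->m);` line would keep the rationale from the commit message next to the code: `/* Keep xt comment as an ordinary match: nft native comments are re-sorted to the end on parse, so -C/-D would no longer find the rule. */`. With this caller gone, add_comment() may be left without users in this translation unit if it had no other callers; worth checking so it does not linger as dead code. Because parsing still converts a native nft comment into a libxt_comment placed at the end of the match list, rules created by the pre-patch binary whose comment was not the last match may presumably still fail to match on -C/-D after upgrade, which the message could call out. nft_ipv4_add begins and ends outside this hunk.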