From d64ef34a99610a6fb54d43660ac31555da858231 Mon Sep 17 00:00:00 2001 From: "Pablo M. Bermudo Garay" Date: Wed, 22 Jun 2016 19:07:01 +0200 Subject: iptables-compat: use nft built-in comments support After this patch, iptables-compat uses nft built-in comments support instead of comment match. This change simplifies the treatment of comments in nft after load a rule set through iptables-compat-restore. Signed-off-by: Pablo M. Bermudo Garay Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'iptables/nft.c')
diff --git a/iptables/nft.c b/iptables/nft.c
index 68b4da38..c81bb0e6 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -43,6 +43,7 @@
 #include
 #include
 #include
+#include
 #include /* inet_ntoa */
 #include
@@ -1007,6 +1008,31 @@ int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes)
 return 0;
 }
+enum udata_type {
+ UDATA_TYPE_COMMENT,
+ __UDATA_TYPE_MAX,
+};
+#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
+
+int add_comment(struct nftnl_rule *r, const char *comment)
+{
+ struct nftnl_udata_buf *udata;
+
+ udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
+ if (!udata)
+ return -ENOMEM;
+
+ if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
+ return -ENOMEM;
+ nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
+ nftnl_udata_buf_data(udata),
+ nftnl_udata_buf_len(udata));
+
+ nftnl_udata_buf_free(udata);
+
+ return 0;
+}
+
 void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv)
 {
 nftnl_rule_set_u32(r, NFTNL_RULE_COMPAT_PROTO, proto);
-- cgit v1.2.3
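Review bot: `add_comment` leaks `udata` when `nftnl_udata_put_strz` fails: the early `return -ENOMEM` skips the `nftnl_udata_buf_free(udata)` further down, so that branch should release the buffer first, `if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment)) { nftnl_udata_buf_free(udata); return -ENOMEM; }`. That call presumably also reports failure when the string does not fit in the `NFT_USERDATA_MAXLEN` buffer, in which case `-ENOMEM` misdescribes an over-long comment to the caller; a one-line comment above the check noting that both conditions land on this path would make the returned code easier to interpret. Minor style point: `__UDATA_TYPE_MAX` is a reserved double-underscore identifier, so unless the project deliberately follows that naming pattern a single-underscore or `UDATA_TYPE_NUM` style name would avoid the conflict with the implementation namespace.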