xtables-compat: fall back to comment match in case name is too long
authorFlorian Westphal <fw@strlen.de>
Thu, 3 May 2018 19:45:59 +0000 (21:45 +0200)
committerFlorian Westphal <fw@strlen.de>
Fri, 4 May 2018 21:24:50 +0000 (23:24 +0200)
... or when using multiple --comment lines.
This is more of a 'cosmetic' fix to handle the test suite case.

Signed-off-by: Florian Westphal <fw@strlen.de>
iptables/nft-ipv4.c
iptables/nft-ipv6.c
iptables/nft.c

index 26d0d36c4749259687ee2c633d0a3d0180d567ce..e383cc9f5aa04e5e9e77af83d88015eabd1a293e 100644 (file)
@@ -79,8 +79,9 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
                if (strcmp(matchp->match->name, "comment") == 0) {
                        ret = add_comment(r, (char *)matchp->match->m->data);
                        if (ret < 0)
-                               return ret;
+                               goto try_match;
                } else {
+try_match:
                        ret = add_match(r, matchp->match->m);
                        if (ret < 0)
                                return ret;
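Review bot: The new `goto try_match` under `if (ret < 0)` falls back to add_match() on every add_comment() failure, so a -ENOMEM from the userdata allocation is handled like the expected -EALREADY and -ENOSPC cases and the allocation error is hidden. Restrict the fallback to the two codes that mean "keep it as a match instead", e.g. `if (ret == -EALREADY || ret == -ENOSPC) goto try_match;` followed by `if (ret < 0) return ret;`. The label sits inside the else block, so the jump enters a sibling branch; a comment such as `/* userdata already set or comment too long: keep it as an xt comment match */` at the label would make the intent clear. The nft_ipv6_add hunk has the same pattern, and both function bodies start and end outside the hunks.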
index af5254226264665d0a4a800aff227a1b2db25bcd..33f77ebf563728b56965071b0acb33b92dedb235 100644 (file)
@@ -67,8 +67,9 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
                if (strcmp(matchp->match->name, "comment") == 0) {
                        ret = add_comment(r, (char *)matchp->match->m->data);
                        if (ret < 0)
-                               return ret;
+                               goto try_match;
                } else {
+try_match:
                        ret = add_match(r, matchp->match->m);
                        if (ret < 0)
                                return ret;
index e7cb827bb132778eacc0e8000616de583bca1d2e..7675925129b3ca10d1e77db56c2070a8ff6c458f 100644 (file)
@@ -1041,15 +1041,21 @@ enum udata_type {
 int add_comment(struct nftnl_rule *r, const char *comment)
 {
        struct nftnl_udata_buf *udata;
-       char comm[254];
+       uint32_t len;
+
+       if (nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len))
+               return -EALREADY;
 
        udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
        if (!udata)
                return -ENOMEM;
 
-       snprintf(comm, sizeof(comm), "%s", comment);
-       if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comm))
+       if (strnlen(comment, 255) == 255)
+               return -ENOSPC;
+
+       if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
                return -ENOMEM;
+
        nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
                            nftnl_udata_buf_data(udata),
                            nftnl_udata_buf_len(udata));
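Review bot: The `return -ENOSPC` after `strnlen(comment, 255) == 255` runs once `nftnl_udata_buf_alloc()` has already succeeded, so udata is leaked each time an over-long comment takes the new fallback path. Move the two-line length check above the allocation, next to the -EALREADY test, so no early return happens while the buffer is live. The `return -ENOMEM` after nftnl_udata_put_strz() has the same shape and would need `nftnl_udata_buf_free(udata);` before it. Whether the success path releases the buffer is not visible here, because add_comment continues past the end of the hunk.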