:INPUT,FORWARD,OUTPUT
-m comment;;FAIL
-m comment --comment;;FAIL
+-p tcp -m tcp --dport 22 -m comment --comment foo;=;OK
+-p tcp -m comment --comment foo -m tcp --dport 22;=;OK
#
# it fails with 256 characters
#
add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- /* Use nft built-in comments support instead of comment match */
- if (strcmp(matchp->match->name, "comment") == 0) {
- ret = add_comment(r, (char *)matchp->match->m->data);
- if (ret < 0)
- goto try_match;
- } else {
-try_match:
- ret = add_match(r, matchp->match->m);
- if (ret < 0)
- return ret;
- }
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
}
/* Counters need to me added before the target, otherwise they are
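Review bot: The IPv4 loop here and the IPv6 loop in the next hunk (the `+` lines `ret = add_match(r, matchp->match->m); if (ret < 0) return ret;`) are now byte-identical, and with the comment special case gone there is no longer a reason to keep two copies; a small static helper that walks `cs->matches` and calls add_match would let both builders share it. The removed comment was the only place that explained why xt_comment is handled the way it is, so a replacement why-comment above the loop would help the next reader, e.g. `/* Comments stay as xt_comment matches: the nft userdata path could not carry the full comment length (see the 256-character test case). */`, hedged on the test-file note at the top of this diff rather than anything visible in this hunk. It also looks like get_comment() and parse_udata_cb() are kept, so rules whose comment was written as nft userdata by earlier versions should presumably still be read back, which is worth confirming and stating in the commit message. The enclosing function starts and ends outside the hunk.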
add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- /* Use nft built-in comments support instead of comment match */
- if (strcmp(matchp->match->name, "comment") == 0) {
- ret = add_comment(r, (char *)matchp->match->m->data);
- if (ret < 0)
- goto try_match;
- } else {
-try_match:
- ret = add_match(r, matchp->match->m);
- if (ret < 0)
- return ret;
- }
+ ret = add_match(r, matchp->match->m);
+ if (ret < 0)
+ return ret;
}
/* Counters need to me added before the target, otherwise they are
};
#define UDATA_TYPE_MAX (__UDATA_TYPE_MAX - 1)
-int add_comment(struct nftnl_rule *r, const char *comment)
-{
- struct nftnl_udata_buf *udata;
- uint32_t len;
-
- if (nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len))
- return -EALREADY;
-
- udata = nftnl_udata_buf_alloc(NFT_USERDATA_MAXLEN);
- if (!udata)
- return -ENOMEM;
-
- if (strnlen(comment, 255) == 255)
- return -ENOSPC;
-
- if (!nftnl_udata_put_strz(udata, UDATA_TYPE_COMMENT, comment))
- return -ENOMEM;
-
- nftnl_rule_set_data(r, NFTNL_RULE_USERDATA,
- nftnl_udata_buf_data(udata),
- nftnl_udata_buf_len(udata));
-
- nftnl_udata_buf_free(udata);
-
- return 0;
-}
-
static int parse_udata_cb(const struct nftnl_udata *attr, void *data)
{
unsigned char *value = nftnl_udata_get(attr);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
-int add_comment(struct nftnl_rule *r, const char *comment);
char *get_comment(const void *data, uint32_t data_len);
enum nft_rule_print {