git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Tue, 27 Nov 2018 19:07:11 +0000 (20:07 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 27 Nov 2018 19:46:26 +0000 (20:46 +0100)
commit	ccf154d7420c07b6e6febc1c3b8b31d2bd1adbe6
tree	f197af81ce1b071b2a34e8f563a02aec3f6daa00	tree
parent	2ed6c85f8743a83d2b302bf6bd8d16b5efa3bb14	commit \| diff

xtables: Don't use native nftables comments

The problem with converting libxt_comment into nftables comment is that
rules change when parsing from kernel due to comment match being moved
to the end of the match list. And since match ordering matters, the rule
may not be found anymore when checking or deleting. Apart from that,
iptables-nft didn't support multiple comments per rule anymore. This is
a compatibility issue without technical reason.

Leave conversion from nftables comment to libxt_comment in place so we
don't break running systems during an update.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

extensions/libxt_comment.t		diff \| blob \| blame \| history
iptables/nft-ipv4.c		diff \| blob \| blame \| history
iptables/nft-ipv6.c		diff \| blob \| blame \| history
iptables/nft.c		diff \| blob \| blame \| history
iptables/nft.h		diff \| blob \| blame \| history