xtables-compat: fix comments listing
authorPablo M. Bermudo Garay <pablombg@gmail.com>
Tue, 2 Aug 2016 14:29:47 +0000 (16:29 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 9 Aug 2016 08:41:14 +0000 (10:41 +0200)
ip[6]tables-compat -L was not printing the comments since commit
d64ef34a9961 ("iptables-compat: use nft built-in comments support").

This patch solves the issue.

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft-shared.c
iptables/nft.c
iptables/nft.h

index 4007cbccf850713d6a52e5f5a3c1b97e695329d1..68e5c55d2c61e4c7815334cdc4d8522ccbabe5fd 100644 (file)
@@ -525,6 +525,32 @@ void nft_rule_to_iptables_command_state(struct nftnl_rule *r,
 
        nftnl_expr_iter_destroy(iter);
 
+       if (nftnl_rule_is_set(r, NFTNL_RULE_USERDATA)) {
+               const void *data;
+               uint32_t len;
+               struct xtables_match *match;
+               struct xt_entry_match *m;
+
+               data = nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len);
+               match = xtables_find_match("comment", XTF_TRY_LOAD,
+                                          &cs->matches);
+               if (match == NULL)
+                       return;
+
+               m = calloc(1, sizeof(struct xt_entry_match) + len);
+               if (m == NULL) {
+                       fprintf(stderr, "OOM");
+                       exit(EXIT_FAILURE);
+               }
+
+               memcpy(&m->data, get_comment(data, len), len);
+               m->u.match_size = len + XT_ALIGN(sizeof(struct xt_entry_match));
+               m->u.user.revision = 0;
+               strcpy(m->u.user.name, match->name);
+
+               match->m = m;
+       }
+
        if (cs->target != NULL)
                cs->jumpto = cs->target->name;
        else if (cs->jumpto != NULL)
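Review bot: `memcpy(&m->data, get_comment(data, len), len)` passes a NULL source whenever get_comment() fails (userdata with no comment attribute, or a parse error), and it copies `len` bytes, the size of the whole userdata blob, from a pointer that already sits past the attribute header inside that blob, so the read runs beyond the buffer. The `return` taken when xtables_find_match() fails also skips the cs->jumpto assignment that follows the block. Rule userdata is presumably writable by other netlink clients, so the listing path should tolerate blobs this tool did not create. I would fetch the comment first, skip the block when it is NULL or the match is unavailable, and size the copy from the comment's own NUL-terminated length, which parse_udata_cb() already guarantees lies inside the attribute. The enclosing function starts before the hunk and continues after it.

```c
		const char *comment;

		data = nftnl_rule_get_data(r, NFTNL_RULE_USERDATA, &len);
		comment = get_comment(data, len);
		match = comment ? xtables_find_match("comment", XTF_TRY_LOAD,
						     &cs->matches) : NULL;
		if (match != NULL) {
			size_t clen = strlen(comment) + 1;

			m = calloc(1, XT_ALIGN(sizeof(*m)) + clen);
			/* … unchanged: OOM check … */
			memcpy(m->data, comment, clen);
			m->u.match_size = clen + XT_ALIGN(sizeof(*m));
			/* … unchanged: revision, name, match->m = m … */
		}
```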
index c81bb0e60c01a4ccf70636bb0dfd3abe30ed18fd..05ba57a3a867036bbd1159152ae6209b60dc1bc3 100644 (file)
@@ -1033,6 +1033,38 @@ int add_comment(struct nftnl_rule *r, const char *comment)
        return 0;
 }
 
+static int parse_udata_cb(const struct nftnl_udata *attr, void *data)
+{
+       unsigned char *value = nftnl_udata_get(attr);
+       uint8_t type = nftnl_udata_type(attr);
+       uint8_t len = nftnl_udata_len(attr);
+       const struct nftnl_udata **tb = data;
+
+       switch (type) {
+       case UDATA_TYPE_COMMENT:
+               if (value[len - 1] != '\0')
+                       return -1;
+               break;
+       default:
+               return 0;
+       }
+       tb[type] = attr;
+       return 0;
+}
+
+char *get_comment(const void *data, uint32_t data_len)
+{
+       const struct nftnl_udata *tb[UDATA_TYPE_MAX + 1] = {};
+
+       if (nftnl_udata_parse(data, data_len, parse_udata_cb, tb) < 0)
+               return NULL;
+
+       if (!tb[UDATA_TYPE_COMMENT])
+               return NULL;
+
+       return nftnl_udata_get(tb[UDATA_TYPE_COMMENT]);
+}
+
 void add_compat(struct nftnl_rule *r, uint32_t proto, bool inv)
 {
        nftnl_rule_set_u32(r, NFTNL_RULE_COMPAT_PROTO, proto);
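Review bot: In parse_udata_cb() the check `value[len - 1] != '\0'` reads `value[-1]` when a comment attribute arrives with a zero-length payload, because `len` is promoted to int before the subtraction. Guarding the length first closes that out-of-bounds read: `if (len == 0 || value[len - 1] != '\0')`. Since get_comment() hands the result straight to callers as a C string, this callback is the only place the termination guarantee is enforced, so a one-line comment saying so (`/* reject comments that are empty or not NUL-terminated */`) would help the next reader.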
index 8867434030442b47cff821479c2b3610f55bf0bf..52f213637a2d6b051e46d120ff067f3b0703ea88 100644 (file)
@@ -105,6 +105,7 @@ int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
 int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
 int add_comment(struct nftnl_rule *r, const char *comment);
+char *get_comment(const void *data, uint32_t data_len);
 
 enum nft_rule_print {
        NFT_RULE_APPEND,
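Review bot: The new get_comment() prototype is exported without stating its contract, and the caller added in nft-shared.c uses the result unchecked. A short comment above the declaration would make the failure mode visible, for example `/* Returns the NUL-terminated comment found in rule userdata, or NULL if none is present or parsing fails. */`. The returned pointer appears to refer into the caller's `data` buffer rather than a fresh allocation, which is worth stating as well; returning `const char *` would express that callers must not modify or free it.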