On Tue, Mar 07, 2017 at 05:17:29PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Mar 07, 2017 at 04:35:07PM +0100, Phil Sutter wrote:
> > While translating a conntrack state match in old syntax, matches are
> > looked up by name, only. This returned the revision 0 entry since
> > matches are registered in reverse order of appearance in the array
> > passed to xtables_register_matches(). The problem is that revision 0
> > doesn't define an xlate callback.
> >
> > Fix this by reordering the matches in conntrack_mt_reg so that the
> > highest revision one is found first.
>
> Applied, thanks Phil.

Wait. Do you mean this case?

# iptables-translate -I INPUT -m state --state NEW
nft insert rule ip filter INPUT ct state new counter

Hm, this works here.