Comment match allocation in command_match() and
nft_rule_to_iptables_command_state() were misaligned in that the latter
set match_size to just what is required instead of what the match needs
at maximum like the further. This led to failure when comparing them
later and therefore a rule with a comment could not be deleted.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
Changes since v1:
- Use /bin/bash in testcase.
---
iptables/nft-shared.c | 3 ++-
.../shell/testcases/nft-only/0003delete-with-comment_0 | 10 ++++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
create mode 100755 iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 4557f17d43630..c55c415f75e4c 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -664,7 +664,8 @@ void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
}
memcpy(&m->data, get_comment(data, len), len);
- m->u.match_size = len + XT_ALIGN(sizeof(struct xt_entry_match));
+ m->u.match_size = match->size +
+ XT_ALIGN(sizeof(struct xt_entry_match));
m->u.user.revision = 0;
strcpy(m->u.user.name, match->name);
diff --git a/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0 b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
new file mode 100755
index 0000000000000..8851f80e69f86
--- /dev/null
+++ b/iptables/tests/shell/testcases/nft-only/0003delete-with-comment_0
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+[[ $XT_MULTI == */xtables-nft-multi ]] || { echo "skip $XT_MULTI"; exit 0; }
+
+for ipt in iptables ip6tables; do
+ $XT_MULTI $ipt -A INPUT -m comment --comment "foo bar" -j ACCEPT
+ $XT_MULTI $ipt -D INPUT -m comment --comment "foo bar" -j ACCEPT
+done
--
2.18.0
