Re: [iptables PATCH 2/2] nft: Fix -Z for rules with NFTA_RULE_COMPAT

Phil Sutter <phil@xxxxxx> wrote:
> The special nested attribute NFTA_RULE_COMPAT holds information about
> any present l4proto match (given via '-p' parameter) in input. The match
> is contained as meta expression as well, but some xtables extensions
> explicitly check its value (see e.g. xt_TPROXY).
> 
> This nested attribute is input only, the information is lost after
> parsing (and initialization of compat extensions). So in order to feed a
> rule back to kernel with zeroed counters, the attribute has to be
> reconstructed based on the rule's expressions.
> 
> Other code paths are not affected since rule_to_cs() callback will
> populate respective fields in struct iptables_command_state and 'add'
> callback (which is the inverse to rule_to_cs()) calls add_compat() in
> any case.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
