Re: [iptables PATCH 2/2] nft: Fix -Z for rules with NFTA_RULE_COMPAT

On Fri, Nov 15, 2019 at 11:29:22AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > The special nested attribute NFTA_RULE_COMPAT holds information about
> > any present l4proto match (given via '-p' parameter) in input. The match
> > is contained as meta expression as well, but some xtables extensions
> > explicitly check its value (see e.g. xt_TPROXY).
> > 
> > This nested attribute is input only, the information is lost after
> > parsing (and initialization of compat extensions). So in order to feed a
> > rule back to kernel with zeroed counters, the attribute has to be
> > reconstructed based on the rule's expressions.
> > 
> > Other code paths are not affected since rule_to_cs() callback will
> > populate respective fields in struct iptables_command_state and 'add'
> > callback (which is the inverse to rule_to_cs()) calls add_compat() in
> > any case.
> 
> Reviewed-by: Florian Westphal <fw@xxxxxxxxx>

Acked-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>