@@ -8918,6 +8918,10 @@ static int nft_expr_track(struct nft_expr_track_ctx *ctx,
ret = expr->ops->track(ctx, &expr_track->expr[num_exprs], expr);
if (ret > 0)
return 1;
+ else if (ret < 0) {
+ expr_track->num_exprs--;
+ return 0;
+ }
switch (num_exprs) {
case 0:
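Review bot: The new `ret < 0` branch rewinds `expr_track->num_exprs`, but the matching increment is not in the hunk, so the rewind is only correct if the code above (nft_expr_track's body starts before this hunk) reserved the slot at `expr_track->expr[num_exprs]` by bumping `num_exprs` before calling `expr->ops->track()`; that pairing deserves a one-line comment at the decrement, e.g. `/* .track asked to drop this expression: release the slot reserved for it */`. The commit message describes the contract as ".track returns -1" while the code accepts any negative value; whatever comment sits on the ops callback declaration (not visible here) should say `< 0` so future callbacks do not rely on the literal. If a callback writes into its slot before returning negative, that stale entry is reused by the next expression; whether the next callback rewrites every field is not visible here and is worth confirming. nft_expr_track continues outside the hunk.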
@@ -734,6 +734,18 @@ static const struct nfnetlink_subsystem nfnl_compat_subsys = {
static struct nft_expr_type nft_match_type;
+static int nft_match_track(struct nft_expr_track_ctx *ctx,
+ struct nft_expr_track *track,
+ const struct nft_expr *expr)
+{
+ const struct xt_match *match = expr->ops->data;
+
+ if (!strcmp(match->name, "comment"))
+ return -1;
+
+ return 1;
+}
+
static const struct nft_expr_ops *
nft_match_select_ops(const struct nft_ctx *ctx,
const struct nlattr * const tb[])
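Review bot: nft_match_track returns 1 for every xt match except `comment`, which per the first hunk makes nft_expr_track return 1, but neither the function nor its call site records why `comment` alone is safe to drop from the blob; a short header comment would keep the intent from being lost, along the lines of `/* Drop the comment match from the ruleset blob (presumably because it never affects classification -- confirm against xt_comment); every other xt match is opaque to register tracking, so report 1 to invalidate it. */`. The string comparison looks safe because `match->name` is read from the `struct xt_match` that nft_match_select_ops resolved, not straight from the netlink attributes, so userspace cannot smuggle a differently behaving match under that name; that reasoning is inferred from the select_ops context below rather than shown in this hunk. `ctx` and `track` are unused here, which is fine for the callback signature but could be noted in the same comment if the file does so elsewhere.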
@@ -776,6 +788,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
ops->dump = nft_match_dump;
ops->validate = nft_match_validate;
ops->data = match;
+ ops->track = nft_match_track;
matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
if (matchsize > NFT_MATCH_LARGE_THRESH) {
Use the tracking infrastructure to skip the comment match when building the ruleset blob; this restores the comment match suppression done in c828414ac935 ("netfilter: nft_compat: suppress comment match"). If .track returns -1, the expression is skipped. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- v2: no changes net/netfilter/nf_tables_api.c | 4 ++++ net/netfilter/nft_compat.c | 13 +++++++++++++ 2 files changed, 17 insertions(+)