From c8b015fe875f6cf6d6d1e09dd326af84d36dd3b7 Mon Sep 17 00:00:00 2001
From: aapostoliuk
Date: Fri, 10 Feb 2023 15:38:05 +0200
Subject: conntrack: T4993: Fix comment for correct delete ignore rules

For correct deleting rules iptables "comment" should be in the end of the line
Incorrect:
-D VYATTA_CT_IGNORE -t raw -m comment --comment "ignore-10" -p udp
Correct:
-D VYATTA_CT_IGNORE -t raw -p udp -m comment --comment "ignore-10"
---
 lib/Vyatta/Conntrack/RuleIgnore.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/Vyatta/Conntrack/RuleIgnore.pm b/lib/Vyatta/Conntrack/RuleIgnore.pm
index 55a2315..0bef8c2 100644
--- a/lib/Vyatta/Conntrack/RuleIgnore.pm
+++ b/lib/Vyatta/Conntrack/RuleIgnore.pm
@@ -26,8 +26,7 @@ sub rule {
     my $tcp_and_udp = 0;
     # set CLI rule num as comment
     my @level_nodes = split (' ', $self->{_comment});
-    $rule .= " -m comment --comment \"$level_nodes[2]-$level_nodes[4]\" ";
-
+
     if (defined($self->{_interface})) {
         $rule .= " -i $self->{_interface} ";
     }
@@ -58,6 +57,7 @@ sub rule {
     } else {
         $rule .= " $srcrule $dstrule ";
     }
+    $rule .= " -m comment --comment \"$level_nodes[2]-$level_nodes[4]\" ";
     return $rule;
 }
-- 
cgit v1.2.3
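Review bot: The `-m comment` match is appended as the last fragment in the second hunk so the string `rule()` builds matches the argument order iptables expects on `-D`, but nothing in the code records that the position is load-bearing; a one-line comment on the new `$rule .=` line, such as `# keep last: iptables -D matches the rule text in this exact order (T4993)`, would stop a later refactor from moving it back up next to the `split`. The two array elements interpolated into the comment, `$level_nodes[2]` and `$level_nodes[4]`, come from splitting `$self->{_comment}` on whitespace and are not checked for definedness, so a shorter comment path would produce a truncated label and an uninitialized-value warning; the shape of `_comment` is not visible here, so this may be guaranteed by the caller. The first hunk's added line appears to be whitespace-only, replacing the removed empty line with one carrying trailing spaces, which is noise the diff does not need. `rule()` begins before the first hunk, so the initial contents of `$rule` are not visible in this patch.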