From 0dee14880b7b149aa4fdc5045b005b9c6d7c6321 Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko
Date: Fri, 4 Feb 2022 10:57:34 +0000
Subject: conntrack: T4165: Fix comment for correct delete custom rules

For correct deleting rules iptables "comment" should be in the end of the line
Incorrect sequence:
-D VYATTA_CT_TIMEOUT -t raw -m comment --comment "timeout-10" -p tcp
Correct:
-D VYATTA_CT_TIMEOUT -t raw -p tcp -m comment --comment "timeout-10"
---
 lib/Vyatta/Conntrack/RuleCT.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib')

diff --git a/lib/Vyatta/Conntrack/RuleCT.pm b/lib/Vyatta/Conntrack/RuleCT.pm
index e8d9626..965c9b7 100644
--- a/lib/Vyatta/Conntrack/RuleCT.pm
+++ b/lib/Vyatta/Conntrack/RuleCT.pm
@@ -63,7 +63,6 @@ sub rule {
 my $tcp_and_udp = 0;
 # set CLI rule num as comment
 my @level_nodes = split (' ', $self->{_comment});
- $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" ";
 ($srcrule, $err_str) = $src->rule();
 if (defined($err_str)) {
 Vyatta::Config::outputError(["Conntrack"], "Conntrack config error: $err_str");
@@ -93,6 +92,8 @@ sub rule {
 $rule .= " $srcrule $dstrule ";
 }
 
+ $rule .= "-m comment --comment \"$level_nodes[2]-$level_nodes[5]\" ";
+
 return $rule;
 }
 
-- 
cgit v1.2.3
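Review bot: The relocated append in the second hunk interpolates `$level_nodes[2]` and `$level_nodes[5]` straight into a double-quoted `--comment` argument, with no check that `split` produced six fields or that the fields hold only expected characters. If `$self->{_comment}` is shorter than assumed the tag degrades to a partial value such as `-`, so the `-D` match this commit is fixing would compare against the wrong text, and an embedded `"` would end the argument early if the rule string is later handed to a shell (the caller is not visible here). Consider building the tag once, `my $tag = join '-', map { $_ // '' } @level_nodes[2,5];`, and rejecting it unless `$tag =~ /\A[\w-]+\z/` (character set assumed from the `timeout-10` example), reporting through the same `Vyatta::Config::outputError` path used for `$err_str` in the first hunk. The `# set CLI rule num as comment` remark now sits far from the append; a comment at the new location such as `# comment match must stay last so -D reproduces the stored rule` would keep the ordering requirement in the code rather than only in the commit message. The body of `rule` starts before the first hunk and continues between the two, so any earlier return path is outside this view.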