From 0da888807aa82a6ab327bc252f447df1ded81ddc Mon Sep 17 00:00:00 2001
From: Jeremy Sowden
Date: Thu, 5 Aug 2021 21:15:58 +0100
Subject: [PATCH v4 09/10] extensions: libxt_NFLOG: add a comment to the code explaining that we ignore `--nflog-range`.

Signed-off-by: Jeremy Sowden
---
iptables/nft.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index 5778496e9ef2..3a3e70d5824f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1369,6 +1369,21 @@ int add_log(struct nftnl_rule *r, struct iptables_command_state *cs)
 }
 nftnl_expr_set_u16(expr, NFTNL_EXPR_LOG_GROUP, info->group);
+ /*
+ * In iptables-legacy, `--nflog-range` sets the length, and `--nflog-size`
+ * set the length _and_ the `XT_NFLOG_COPY_LEN` flag. For iptables-nft, we
+ * cannot set a flag: setting the length always implies (the equivalent
+ * of) `--nflog-size` (`snaplen` in nft parlance). This means we cannot
+ * emulate `--nflog-range`. However, `--nflog-range` is broken and doesn't
+ * do anything. If given `--nflog-range`, we have two choices: we can send
+ * the given length anyway, effectively converting it to `--nflog-size`, or
+ * we can ignore it. `--nflog-size` was added explicitly to avoid changing
+ * the broken behaviour of `--nflog-range`:
+ *
+ * https://lore.kernel.org/netfilter-devel/20160624204231.GA3062@akamai.com/
+ *
+ * so we ignore it.
+ */
 if (info->flags & XT_NFLOG_F_COPY_LEN)
 nftnl_expr_set_u32(expr, NFTNL_EXPR_LOG_SNAPLEN, info->len);
--
2.30.2
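Review bot: The new comment names the legacy flag `XT_NFLOG_COPY_LEN`, but the check directly below it tests `XT_NFLOG_F_COPY_LEN`, so the comment should use the identifier the code actually uses (and "`--nflog-size` set the length" should read "sets"); suggested opening: `In iptables-legacy, --nflog-range sets the length, and --nflog-size sets the length _and_ the XT_NFLOG_F_COPY_LEN flag.` It would also help someone auditing what ends up in the log group to spell out that the ignore is silent: as far as this hunk shows, a rule given `--nflog-range N` is accepted without warning and no NFTNL_EXPR_LOG_SNAPLEN is emitted, so presumably the whole packet is copied rather than N bytes, and a user who wants to bound the logged bytes must use `--nflog-size`; a closing sentence such as `Users who want to limit the copied length must use --nflog-size.` would make that explicit. add_log() begins before this hunk, and the hunk's trailing context lines appear to have been lost in rendering, so the rest of the function is outside what is shown here.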