[IPTABLES 1/2] iptables-compat: Allow to insert into rule_count+1 position

iptables allows inserting a rule at the next non-existing rule number, but
iptables-compat does not allow this.

Signed-off-by: Thomas Woerner <twoerner@xxxxxxxxxx>
---
:100644 100644 7cd56ef... 323f124... M	iptables/nft.c
 iptables/nft.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/iptables/nft.c b/iptables/nft.c
index 7cd56ef..323f124 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1854,6 +1854,16 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
 
 		r = nft_rule_find(h, list, chain, table, data, rulenum);
 		if (r == NULL) {
+			/* special case: iptables allows to insert into
+			   rule_count+1 position */
+			r = nft_rule_find(h, list, chain, table, data,
+					  rulenum-1);
+			if (r != NULL) {
+				nft_rule_list_destroy(list);
+				return nft_rule_append(h, chain, table, data,
+						       0, verbose);
+			}
+
 			errno = ENOENT;
 			goto err;
 		}
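Review bot: the fallback lookup at `rulenum-1` relies on the enclosing branch guaranteeing `rulenum >= 1`; if this `r == NULL` path can be reached with `rulenum == 0`, the second `nft_rule_find(h, list, chain, table, data, rulenum-1)` is called with -1, and nothing in the hunk shows how `nft_rule_find` treats a negative index, so either guard the bound here or state in the comment that the caller already enforces it. The logic is otherwise sound: inside the `r == NULL` branch, a hit at `rulenum-1` means that rule is the last one in the chain, so `nft_rule_append(h, chain, table, data, 0, verbose)` lands the new rule at exactly the requested position. Two smaller points: the comment would read better in block form with `/*` and `*/` on their own lines, and the second lookup walks the whole rule list again, which could be avoided by having the first `nft_rule_find` call report how many rules it counted before giving up.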
-- 
2.4.3
