This series contains an improved approach to fixing the rule ordering issue
when using rule insert (-I) commands in iptables-nft-restore input. This much
less intrusive implementation leverages the pending support for
NFTA_RULE_POSITION_ID to link new rules to other new ones in the same batch.

A requirement for this to work is that all new rules are added to cache
immediately, which in turn requires that newly added builtin chains are put
in cache as well. This is achieved by patch 1.

Patch 2 fixes the position of replaced rules in cache. It is possible to
combine rule replace (-R) commands with rule insert (-I) ones in the same
dump file, so the replaced ones need to be put in correct position in case a
later rule should be inserted before them.

Patch 3 finally adds the relevant code to reference a new rule from another
new one.

Phil Sutter (3):
  nft: Add new builtin chains to cache immediately
  xtables: Fix position of replaced rules in cache
  xtables: Fix for inserting rule at wrong position

 iptables/nft.c                                |  84 ++++++-------
 iptables/nft.h                                |   3 +-
 .../ipt-restore/0003-restore-ordering_0       | 117 ++++++++++++++++++
 .../testcases/iptables/0005-rule-replace_0    |  38 ++++++
 iptables/xtables-arp.c                        |   2 +-
 iptables/xtables-eb.c                         |   2 +-
 iptables/xtables.c                            |   4 +-
 7 files changed, 202 insertions(+), 48 deletions(-)
 create mode 100755 iptables/tests/shell/testcases/ipt-restore/0003-restore-ordering_0
 create mode 100755 iptables/tests/shell/testcases/iptables/0005-rule-replace_0

-- 
2.20.1
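The ordering problem the series addresses is easiest to reason about with a reference model of what a restore file is supposed to produce. The following Python script is an added example, not part of the patch series or the iptables project: it reads a restore-format dump, applies the -A, -I and -R commands in file order using the documented 1-based rule numbering, and prints the resulting chain in iptables-save form. The dump text is constructed for this example and mixes a replace with inserts, the case patch 2 is about; comparing the script's output against real `iptables-save` output after `iptables-nft-restore` on a test box is a simple regression check for the bug class described above. Chain policy, counters and the -D/-F commands are deliberately out of scope.

```python
"""Reference model of rule ordering produced by an iptables-restore dump.

Added example (not iptables project code).  Models only -A, -I and -R so
the expected order of a chain can be compared with `iptables-save` output.
"""
import shlex
from collections import OrderedDict

# Constructed sample dump: two appends, an insert, a replace, then an insert
# that must land before the replaced rule.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-I INPUT 2 -p tcp --dport 443 -j ACCEPT
-R INPUT 1 -p tcp --dport 2222 -j ACCEPT
-I INPUT 2 -s 10.0.0.0/8 -j DROP
COMMIT
"""


def expected_order(dump_text):
    """Return {chain: [rule spec, ...]} in the order iptables-restore should
    produce.  Rule numbers are 1-based, as on the iptables command line."""
    chains = OrderedDict()
    for raw in dump_text.splitlines():
        line = raw.strip()
        # Table headers, comments, blank lines and COMMIT carry no rules.
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            chains.setdefault(line[1:].split()[0], [])
            continue
        argv = shlex.split(line)
        cmd, chain, rest = argv[0], argv[1], argv[2:]
        rules = chains.setdefault(chain, [])
        if cmd == "-A":
            rules.append(" ".join(rest))
        elif cmd == "-I":
            pos = 1                          # -I without a number means position 1
            if rest and rest[0].isdigit():
                pos, rest = int(rest[0]), rest[1:]
            if not 1 <= pos <= len(rules) + 1:
                raise ValueError(f"-I {chain} {pos}: index out of range")
            rules.insert(pos - 1, " ".join(rest))
        elif cmd == "-R":
            if not rest or not rest[0].isdigit():
                raise ValueError(f"-R {chain}: rule number required")
            pos, rest = int(rest[0]), rest[1:]
            if not 1 <= pos <= len(rules):
                raise ValueError(f"-R {chain} {pos}: no such rule")
            rules[pos - 1] = " ".join(rest)  # replace keeps the slot, so later -I indices stay valid
        else:
            raise ValueError(f"unsupported command {cmd!r}")
    return dict(chains)


def to_save_format(chains):
    """Render the model as the '-A CHAIN ...' lines iptables-save prints."""
    return [f"-A {chain} {rule}" for chain, rules in chains.items() for rule in rules]


if __name__ == "__main__":
    for line in to_save_format(expected_order(SAMPLE_DUMP)):
        print(line)
```

Running the script prints the four INPUT rules with the 2222 rule first and the 10.0.0.0/8 DROP second; if a restore implementation instead places the DROP after the 443 rule, the insert was resolved against a stale cache position, which is exactly the symptom patches 2 and 3 remove.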