On Tue, Jan 15, 2019 at 11:23:05PM +0100, Phil Sutter wrote:
> iptables-restore allows inserting rules at a certain position, which is
> problematic for iptables-nft to realize since rule position is not
> determined by number but by the handle of the previous or following rule, and in
> case the rules surrounding the new one are new as well, they don't have
> a handle to refer to yet.
>
> Fix this by making use of the NFTNL_RULE_POSITION_ID attribute: when
> inserting before a rule which does not have a handle, refer to it using
> its NFTNL_RULE_ID value. If the latter doesn't exist either, assign a
> new one to it.
>
> The last used rule ID value is tracked in a new field of struct
> nft_handle, which is incremented before each use.

Much nicer, thanks a lot for reworking this, Phil.

Can you see any more problems with rule insertions at positions via
iptables-restore?

I guess we'll need a patch for nft too, will you give it a shot?

Thanks.
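The reference-selection logic the commit message describes, as an added stand-alone model rather than iptables or libnftnl code: a chain is an in-memory array, a committed rule carries a kernel handle, an uncommitted one is referred to through a batch-local rule ID allocated from a counter in a hypothetical struct nft_handle. Field names, the REF_* kinds and the sample chain are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model (not iptables code) of the commit message's logic: a
 * committed rule has a kernel handle, a queued one is referred to by rule ID. */
#define MAX_RULES 16
struct rule { uint64_t handle; uint32_t id; };   /* 0 means "not assigned" */
struct chain { struct rule rules[MAX_RULES]; int n; };
struct nft_handle { uint32_t rule_id; };          /* last used rule ID */
enum ref_kind { REF_NONE, REF_HANDLE, REF_ID };
struct position_ref { enum ref_kind kind; uint64_t value; };
/* Queue a new rule before index pos and return how it refers to its
 * successor: by handle (NFTNL_RULE_POSITION) or by rule ID
 * (NFTNL_RULE_POSITION_ID), allocating an ID for the successor if needed. */
struct position_ref insert_before(struct nft_handle *h, struct chain *c, int pos)
{
    struct position_ref ref = { REF_NONE, 0 };
    if (pos < 0 || pos > c->n || c->n >= MAX_RULES)
        return ref;                              /* invalid position: no-op */
    if (pos < c->n) {
        struct rule *next = &c->rules[pos];
        if (next->handle) {
            ref.kind = REF_HANDLE; ref.value = next->handle;
        } else {
            if (!next->id) next->id = ++h->rule_id;   /* increment before use */
            ref.kind = REF_ID; ref.value = next->id;
        }
    }
    memmove(&c->rules[pos + 1], &c->rules[pos], (c->n - pos) * sizeof(struct rule));
    c->rules[pos] = (struct rule){ 0, 0 };       /* new rule: no handle, no ID */
    c->n++;
    return ref;
}
/* Replay the situation from the commit message; each bit is one check. */
int scenario_checks(void)
{
    struct nft_handle h = { 0 };
    struct chain c = { .n = 1 };
    struct position_ref r; int ok = 0;
    c.rules[0].handle = 7;                       /* constructed: one committed rule */
    r = insert_before(&h, &c, 0);                /* successor committed: use handle */
    if (r.kind == REF_HANDLE && r.value == 7) ok |= 1;
    r = insert_before(&h, &c, 0);                /* successor uncommitted: new ID */
    if (r.kind == REF_ID && r.value == 1 && c.rules[1].id == 1) ok |= 2;
    r = insert_before(&h, &c, 1);                /* same successor: ID reused */
    if (r.kind == REF_ID && r.value == 1 && h.rule_id == 1) ok |= 4;
    r = insert_before(&h, &c, c.n);              /* append: no position needed */
    if (r.kind == REF_NONE && c.n == 5) ok |= 8;
    return ok;
}
```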