On Mon, Jan 28, 2019 at 11:29:09AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Jan 15, 2019 at 11:23:05PM +0100, Phil Sutter wrote:
> > iptables-restore allows to insert rules at a certain position which is
> > problematic for iptables-nft to realize since rule position is not
> > determined by number but handle of previous or following rule and in
> > case the rules surrounding the new one are new as well, they don't have
> > a handle to refer to yet.
> >
> > Fix this by making use of NFTNL_RULE_POSITION_ID attribute: When
> > inserting before a rule which does not have a handle, refer to it using
> > its NFTNL_RULE_ID value. If the latter doesn't exist either, assign a
> > new one to it.
> >
> > The last used rule ID value is tracked in a new field of struct
> > nft_handle which is incremented before each use.
>
> Much nicer, thanks a lot for reworking this, Phil.

Yes, your RULE_POSITION suggestion was priceless, thanks a lot!

> Can you see any more problems with rule insertions at positions via
> iptables-restore?

I can't think of any, but that doesn't necessarily mean there are none. :)

> I guess we'll need a patch for nft too, will you give it a shot?

I guess it is possible to create the same problems with 'nft -f' and
separate 'add rule' calls containing an 'index' reference. Though according
to nft.8, 'index' has to be that of an existing rule. So in that sense
it's rather a missing feature and I would prefer to treat it as such.

Cheers, Phil