author | Thomas Woerner <twoerner@redhat.com> | 2015-07-21 15:45:41 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-07-23 16:55:04 +0200 |
commit | 8e1522698a7495002e5154f5643abb68e9c3a89a (patch) | |
tree | b1e1e33e1e2d28db6bb3019be6ea6a2e668ded7d | |
parent | c1ea18e0a4eda0dc0372fe87e246f0a5a8e50210 (diff) |
iptables-compat: Allow to insert into rule_count+1 position
iptables allows inserting a rule at the next non-existing rule number, but
iptables-compat does not allow this.
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | iptables/nft.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 7cd56efa..fb6ef919 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1854,6 +1854,17 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
 	r = nft_rule_find(h, list, chain, table, data, rulenum);
 	if (r == NULL) {
+		/* special case: iptables allows to insert into
+		 * rule_count + 1 position.
+		 */
+		r = nft_rule_find(h, list, chain, table, data,
+				  rulenum - 1);
+		if (r != NULL) {
+			nft_rule_list_destroy(list);
+			return nft_rule_append(h, chain, table, data,
+					       0, verbose);
+		}
+
 		errno = ENOENT;
 		goto err;
 	} |
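Review bot: The fallback probe `nft_rule_find(..., rulenum - 1)` is only meaningful while `rulenum` is at least 1, and the comment above it does not say so; if this block can be reached with `rulenum == 0`, the probe passes -1, which nft_rule_find presumably interprets as a different lookup mode (by rule content rather than by index), turning a "rule number too large" error into an unrelated match. The hunk does not show the enclosing guard, so the dependency should at least be stated: `/* iptables accepts rulenum == rule_count (one past the last rule); if index rulenum - 1 exists this is an append. Relies on the enclosing rulenum > 0 check. */`. It would also help to note in that comment that `rulenum` here is the 0-based index the caller derived from the user-facing number, which is why "rule_count + 1" maps to `rulenum - 1`. nft_rule_insert begins before and ends after this hunk.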