path: root/iptables/nft.h
diff options
authorPhil Sutter <>2019-01-15 23:23:05 +0100
committerPablo Neira Ayuso <>2019-01-28 11:26:59 +0100
commit7ea0b7d809229973d950ed99845bdd0b2eb4cbb7 (patch)
tree27407b3768fbfd8724aec85306ea83f485a2556f /iptables/nft.h
parent032dc4a18ab86173847b6016baf0819ccd7641c5 (diff)
xtables: Fix for inserting rule at wrong position
iptables-restore allows to insert rules at a certain position which is problematic for iptables-nft to realize since rule position is not determined by number but handle of previous or following rule and in case the rules surrounding the new one are new as well, they don't have a handle to refer to yet. Fix this by making use of NFTNL_RULE_POSITION_ID attribute: When inserting before a rule which does not have a handle, refer to it using its NFTNL_RULE_ID value. If the latter doesn't exist either, assign a new one to it. The last used rule ID value is tracked in a new field of struct nft_handle which is incremented before each use. Signed-off-by: Phil Sutter <> Signed-off-by: Pablo Neira Ayuso <>
Diffstat (limited to 'iptables/nft.h')
1 files changed, 1 insertions, 0 deletions
diff --git a/iptables/nft.h b/iptables/nft.h
index 97d73c8b..0726923a 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -32,6 +32,7 @@ struct nft_handle {
struct mnl_socket *nl;
uint32_t portid;
uint32_t seq;
+ uint32_t rule_id;
struct list_head obj_list;
int obj_list_num;
struct nftnl_batch *batch;