authorThomas Woerner <twoerner@redhat.com>2015-07-21 15:45:41 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2015-07-23 16:55:04 +0200
commit8e1522698a7495002e5154f5643abb68e9c3a89a (patch)
treeb1e1e33e1e2d28db6bb3019be6ea6a2e668ded7d /iptables
parentc1ea18e0a4eda0dc0372fe87e246f0a5a8e50210 (diff)
iptables-compat: Allow to insert into rule_count+1 position
iptables allows inserting a rule at the next non-existent rule number, but iptables-compat does not allow this.

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables')
-rw-r--r--iptables/nft.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index 7cd56efa..fb6ef919 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1854,6 +1854,17 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
r = nft_rule_find(h, list, chain, table, data, rulenum);
if (r == NULL) {
+ /* special case: iptables allows to insert into
+ * rule_count + 1 position.
+ */
+ r = nft_rule_find(h, list, chain, table, data,
+ rulenum - 1);
+ if (r != NULL) {
+ nft_rule_list_destroy(list);
+ return nft_rule_append(h, chain, table, data,
+ 0, verbose);
+ }
+
errno = ENOENT;
goto err;
}