diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-07-19 18:42:30 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:39 +0100 |
| commit | cf95f347e52ca8badc6a7149045d9c09f4fa666d (patch) | |
| tree | 490999882d38e63641f251da48da718d267fc3df /iptables/xtables.c | |
| parent | 8dd2627afc462a2591c2f621743cae1a6b98d771 (diff) | |
xtables: add -I chain rulenum
This patch adds the nft_rule_insert function, which allows
us to insert rules at a given position.
The function nft_rule_add has been renamed to nft_rule_append.
This is possible thanks to Eric Leblond's (netfilter: nf_tables:
add insert operation) kernel patch.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/xtables.c')
| -rw-r--r-- | iptables/xtables.c | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/iptables/xtables.c b/iptables/xtables.c index a5a83c24..41a7f716 100644 --- a/iptables/xtables.c +++ b/iptables/xtables.c @@ -404,7 +404,7 @@ static int add_entry(const char *chain, const char *table, struct iptables_command_state *cs, - int family, + int rulenum, int family, const struct addr_mask s, const struct addr_mask d, bool verbose, struct nft_handle *h, bool append) @@ -420,8 +420,15 @@ add_entry(const char *chain, cs->fw.ip.dst.s_addr = d.addr.v4[j].s_addr; cs->fw.ip.dmsk.s_addr = d.mask.v4[j].s_addr; - ret = nft_rule_add(h, chain, table, - cs, append, 0, verbose); + if (append) { + ret = nft_rule_append(h, chain, table, + cs, 0, + verbose); + } else { + ret = nft_rule_insert(h, chain, table, + cs, rulenum, + verbose); + } } } else if (family == AF_INET6) { memcpy(&cs->fw6.ipv6.src, @@ -433,8 +440,15 @@ add_entry(const char *chain, &d.addr.v6[j], sizeof(struct in6_addr)); memcpy(&cs->fw6.ipv6.dmsk, &d.mask.v6[j], sizeof(struct in6_addr)); - ret = nft_rule_add(h, chain, table, - cs, append, 0, verbose); + if (append) { + ret = nft_rule_append(h, chain, table, + cs, append, + verbose); + } else { + ret = nft_rule_insert(h, chain, table, + cs, rulenum, + verbose); + } } } } @@ -1148,7 +1162,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table) switch (command) { case CMD_APPEND: - ret = add_entry(chain, *table, &cs, h->family, + ret = add_entry(chain, *table, &cs, 0, h->family, args.s, args.d, cs.options&OPT_VERBOSE, h, true); break; @@ -1170,8 +1184,7 @@ int do_commandx(struct nft_handle *h, int argc, char *argv[], char **table) cs.options&OPT_VERBOSE, h); break; case CMD_INSERT: - /* FIXME insert at rulenum */ - ret = add_entry(chain, *table, &cs, h->family, + ret = add_entry(chain, *table, &cs, rulenum - 1, h->family, args.s, args.d, cs.options&OPT_VERBOSE, h, false); break; |