@@ -1563,7 +1563,10 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
return -EEXIST;
if (nlh->nlmsg_flags & NLM_F_REPLACE)
old_rule = rule;
- else
+ else if (nlh->nlmsg_flags & NLM_F_CREATE) {
+ old_rule = rule;
+ handle = nf_tables_alloc_handle(table);
+ } else
return -EOPNOTSUPP;
} else {
if (!create || nlh->nlmsg_flags & NLM_F_REPLACE)
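Review bot: The new `else if (nlh->nlmsg_flags & NLM_F_CREATE)` branch assigns `old_rule = rule` with a different meaning from the `NLM_F_REPLACE` branch just above it — "anchor to insert after" rather than "rule being replaced" — so any code between the two hunks that tests `old_rule` for replace semantics (an error path that destroys it, for instance) would now act on a rule the caller only named as a position; that part of nf_tables_newrule is outside this view and should be checked. Marking the overload at the assignment, e.g. `old_rule = rule; /* NLM_F_CREATE + handle: insert after this rule */`, keeps the next reader from reading it as a replace. In the second hunk the `NLM_F_APPEND` test still comes before the new `if (old_rule)` insert, so `NLM_F_CREATE|NLM_F_APPEND` with a handle silently appends to the chain tail and drops the requested position; either reject that combination here alongside the existing `return -EOPNOTSUPP;` or test `old_rule` ahead of `NLM_F_APPEND` there. The commit message should also say that `NLM_F_CREATE` with an existing handle now has a positional meaning, since the `return -EEXIST;` at the top of this hunk (its condition is outside the hunk) still applies to that handle.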
@@ -1626,8 +1629,12 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
}
} else if (nlh->nlmsg_flags & NLM_F_APPEND)
list_add_tail_rcu(&rule->list, &chain->rules);
- else
- list_add_rcu(&rule->list, &chain->rules);
+ else {
+ if (old_rule)
+ list_add_rcu(&rule->list, &old_rule->list);
+ else
+ list_add_rcu(&rule->list, &chain->rules);
+ }
if (flags & NFT_RULE_F_COMMIT)
list_add(&rule->dirty_list, &chain->dirty_rules);
By providing a create command and specifying a handle, the rule is inserted after the rule with the provided handle. Signed-off-by: Eric Leblond <eric@regit.org> --- net/netfilter/nf_tables_api.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)