[IPTABLES,1/2] iptables-compat: Allow to insert into rule_count+1 position

Message ID 1437486342-6917-2-git-send-email-twoerner@redhat.com
State Accepted
Delegated to: Pablo Neira

Commit Message

Thomas Woerner July 21, 2015, 1:45 p.m. UTC
iptables allows inserting a rule at the next non-existing rule number, but
iptables-compat does not allow this.

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
---
:100644 100644 7cd56ef... 323f124... M	iptables/nft.c
 iptables/nft.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
Patch

diff --git a/iptables/nft.c b/iptables/nft.c
index 7cd56ef..323f124 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1854,6 +1854,16 @@  int nft_rule_insert(struct nft_handle *h, const char *chain,
 
 		r = nft_rule_find(h, list, chain, table, data, rulenum);
 		if (r == NULL) {
+			/* special case: iptables allows to insert into
+			   rule_count+1 position */
+			r = nft_rule_find(h, list, chain, table, data,
+					  rulenum-1);
+			if (r != NULL) {
+				nft_rule_list_destroy(list);
+				return nft_rule_append(h, chain, table, data,
+						       0, verbose);
+			}
+
 			errno = ENOENT;
 			goto err;
 		}
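Review bot: the fallback added in this hunk subtracts 1 from rulenum with no guard for rulenum == 0; the hunk relies on nft_rule_find() missing at rulenum and hitting at rulenum-1 to conclude that the requested position is exactly one past the last rule, but if nft_rule_find() gives a negative rulenum a different meaning (its contract is not visible here), an insert at position 0 whose position lookup failed would be turned into an append instead of the ENOENT error that follows. Suggest wrapping the special case in `if (rulenum > 0)` (or relying on such a check at the top of the function, if one already exists) and extending the comment so it says why a hit at rulenum-1 after a miss at rulenum identifies the rule_count+1 case. The literal `0` passed to nft_rule_append() also deserves a word in the comment saying what it selects, since a reader of `return nft_rule_append(h, chain, table, data, 0, verbose);` cannot tell whether it is a position or a sentinel. Finally, the two-line comment does not follow the `/*` newline ` * ...` newline ` */` layout used for block comments elsewhere in iptables.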