iptables-compat: Increase rule number only for the selected table and chain

This patch fixes the rule number handling in nft_rule_find and __nft_rule_list.
The rule number is only valid in the selected table and chain and therefore may
not be increased for other tables or chains.

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/nft.c b/iptables/nft.c
index fb6ef9198872bc2bbf9c16e79858ab78d107ecf9..183f17cad95e1ad8aee242d4cf54486bdae586b3 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1746,17 +1746,17 @@ nft_rule_find(struct nft_handle *h, struct nft_rule_list *list,
 
                if (rulenum >= 0) {
                        /* Delete by rule number case */
-                       if (rule_ctr != rulenum)
-                               goto next;
-                       found = true;
-                       break;
+                       if (rule_ctr == rulenum) {
+                           found = true;
+                           break;
+                       }
                } else {
                        found = h->ops->rule_find(h->ops, r, data);
                        if (found)
                                break;
                }
-next:
                rule_ctr++;
+next:
                r = nft_rule_list_iter_next(iter);
        }
 
@@ -1966,12 +1966,12 @@ __nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
                const char *rule_chain =
                        nft_rule_attr_get_str(r, NFT_RULE_ATTR_CHAIN);
 
-               rule_ctr++;
-
                if (strcmp(table, rule_table) != 0 ||
                    strcmp(chain, rule_chain) != 0)
                        goto next;
 
+               rule_ctr++;
+
                if (rulenum > 0 && rule_ctr != rulenum) {
                        /* List by rule number case */
                        goto next;