iptables-compat: Allow to insert into rule_count+1 position
authorThomas Woerner <twoerner@redhat.com>
Tue, 21 Jul 2015 13:45:41 +0000 (15:45 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 23 Jul 2015 14:55:04 +0000 (16:55 +0200)
iptables allows inserting a rule at the next non-existent rule number, but
iptables-compat does not allow this

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/nft.c

index 7cd56efa4f87bacd0d6a61f85a40b4207cbdf3e4..fb6ef9198872bc2bbf9c16e79858ab78d107ecf9 100644 (file)
@@ -1854,6 +1854,17 @@ int nft_rule_insert(struct nft_handle *h, const char *chain,
 
                r = nft_rule_find(h, list, chain, table, data, rulenum);
                if (r == NULL) {
+                       /* special case: iptables allows to insert into
+                        * rule_count + 1 position.
+                        */
+                       r = nft_rule_find(h, list, chain, table, data,
+                                         rulenum - 1);
+                       if (r != NULL) {
+                               nft_rule_list_destroy(list);
+                               return nft_rule_append(h, chain, table, data,
+                                                      0, verbose);
+                       }
+
                        errno = ENOENT;
                        goto err;
                }
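Review bot: The fallback lookup at `rulenum - 1` has no visible guarantee that rulenum is at least 1; if this branch can be entered with rulenum == 0, nft_rule_find is handed a negative position, and nothing in the hunk says what it does with one (presumably not the "position before the requested one" the comment describes). The opening of nft_rule_insert, where such a guard would live, is above the hunk, so either the precondition should be stated in the new comment or the lookup made conditional, e.g. `if (rulenum > 0) r = nft_rule_find(h, list, chain, table, data, rulenum - 1);`, which keeps r NULL and falls through to the existing ENOENT path otherwise. The comment itself would also read better as `/* special case: iptables allows inserting at position rule_count + 1, i.e. directly after the last rule, which is an append. */`, since "allows to insert into" is awkward and the append behaviour is the point of the branch.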