iptables: nft: Add support for -R option

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>

diff --git a/iptables/nft.c b/iptables/nft.c
index ab9e4e402b4965a63d2c0b681996c29260444f41..3b5a5c1e2636b2df983fd7435e16cf250c38a1c2 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -639,7 +639,8 @@ static void add_counters(struct nft_rule *r, uint64_t packets, uint64_t bytes)
 
 int
 nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
-            struct iptables_command_state *cs, bool append, bool verbose)
+            struct iptables_command_state *cs,
+            bool append, uint16_t handle, bool verbose)
 {
        char buf[MNL_SOCKET_BUFFER_SIZE];
        struct nlmsghdr *nlh;
@@ -764,8 +765,16 @@ nft_rule_add(struct nft_handle *h, const char *chain, const char *table,
        }
 
        /* NLM_F_CREATE autoloads the built-in table if it does not exists */
-       nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE, AF_INET,
-                                       NLM_F_ACK|NLM_F_CREATE|flags, h->seq);
+       flags |= NLM_F_ACK|NLM_F_CREATE;
+
+       if (handle > 0) {
+               nft_rule_attr_set(r, NFT_RULE_ATTR_HANDLE, &handle);
+               flags |= NLM_F_REPLACE;
+       }
+
+       nlh = nft_rule_nlmsg_build_hdr(buf, NFT_MSG_NEWRULE,
+                                      AF_INET, flags, h->seq);
+
        nft_rule_nlmsg_build_payload(nlh, r);
 
        nft_rule_print_debug(r, nlh);
@@ -2327,17 +2336,16 @@ int nft_rule_replace(struct nft_handle *h, const char *chain,
                     const char *table, struct iptables_command_state *cs,
                     int rulenum, bool verbose)
 {
-       int ret;
+       int handle;
 
        nft_fn = nft_rule_replace;
 
-       ret = __nft_rule_check(h, chain, table,
-                              NULL, false, true, rulenum, verbose);
-       if (ret < 0)
-               return ret;
+       handle = __nft_rule_check(h, chain, table,
+                                 NULL, false, true, rulenum, verbose);
+       if (handle < 0)
+               return handle;
 
-       /* XXX needs to be inserted in position, this is appending */
-       return nft_rule_add(h, chain, table, cs, true, verbose);
+       return nft_rule_add(h, chain, table, cs, true, handle, verbose);
 }
 
 /*

diff --git a/iptables/nft.h b/iptables/nft.h
index f5a9efb834b3f1cecbae338c6ec084a14bbac1e8..474e652e7fb18679af8f97d5a83bccc34947600e 100644 (file)
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -39,7 +39,7 @@ int nft_chain_user_rename(struct nft_handle *h, const char *chain, const char *t
  */
 struct nft_rule;
 
-int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, bool verbose);
+int nft_rule_add(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool append, uint16_t handle, bool verbose);
 int nft_rule_check(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
 int nft_rule_delete(struct nft_handle *h, const char *chain, const char *table, struct iptables_command_state *cmd, bool verbose);
 int nft_rule_delete_num(struct nft_handle *h, const char *chain, const char *table, int rulenum, bool verbose);

diff --git a/iptables/xtables.c b/iptables/xtables.c
index a68757578f4cc755437e3ca5101c5aba0847698f..d1a917232a33c1ebabe77cee58ccd577351cc08c 100644 (file)
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -448,7 +448,8 @@ add_entry(const char *chain,
                        cs->fw.ip.dst.s_addr = daddrs[j].s_addr;
                        cs->fw.ip.dmsk.s_addr = dmasks[j].s_addr;
 
-                       ret = nft_rule_add(h, chain, table, cs, append, verbose);
+                       ret = nft_rule_add(h, chain, table,
+                                          cs, append, 0, verbose);
                }
        }