util/linuxfw: insert rather than append nftables DNAT rule (tailscale#11303)

irbekrm · web-flow · commit 097c5ed92764 · 2024-02-29T16:53:43.000Z
Ensure that the latest DNATNonTailscaleTraffic rule gets inserted on top of any pre-existing rules. Updates tailscale#11281 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
diff --git a/util/linuxfw/nftables_runner.go b/util/linuxfw/nftables_runner.go
@@ -173,7 +173,7 @@ func (n *nftablesRunner) DNATNonTailscaleTraffic(tunname string, dst netip.Addr)
 			},
 		},
 	}
-	n.conn.AddRule(dnatRule)
+	n.conn.InsertRule(dnatRule)
 	return n.conn.Flush()
 }
 

Original file line number	Diff line number	Diff line change
`@@ -173,7 +173,7 @@ func (n *nftablesRunner) DNATNonTailscaleTraffic(tunname string, dst netip.Addr)`
`173`	`173`	`},`
`174`	`174`	`},`
`175`	`175`	`}`
`176`		`- n.conn.AddRule(dnatRule)`
	`176`	`+ n.conn.InsertRule(dnatRule)`
`177`	`177`	`return n.conn.Flush()`
`178`	`178`	`}`
`179`	`179`