From 7f2f23a8df3a1ef6b14173c874cf68b1d285c911 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thibaut=20VAR=C3=88NE?=
Date: Sun, 13 Nov 2022 11:29:48 +0100
Subject: [PATCH] Insert tallow rule in first position

The purpose of tallow is to ban specific hosts. This ban should be enacted as early as possible in the firwall, which is not achieved by using "iptables -A", which *appends* at the end of the chain. This patch ensures that the tallow rule is *inserted* at the top of the INPUT chain, also matching the behavior implemented for firewall-cmd.

Fixes: #22 ("iptables rules order")
---
 src/tallow.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tallow.c b/src/tallow.c
index 58e0fb4..7e0de35 100644
--- a/src/tallow.c
+++ b/src/tallow.c
@@ -146,7 +146,7 @@ static void setup(void)
 fprintf(stderr, "Unable to create ipv4 ipset.\n");
 exit(EXIT_FAILURE);
 }
- if (ext("%s/iptables -t filter -A INPUT -m set --match-set tallow src -j DROP", ipt_path)) {
+ if (ext("%s/iptables -t filter -I INPUT 1 -m set --match-set tallow src -j DROP", ipt_path)) {
 fprintf(stderr, "Unable to create iptables rule.\n");
 exit(EXIT_FAILURE);
 }
@@ -157,7 +157,7 @@ static void setup(void)
 fprintf(stderr, "Unable to create ipv6 ipset.\n");
 exit(EXIT_FAILURE);
 }
- if (ext("%s/ip6tables -t filter -A INPUT -m set --match-set tallow6 src -j DROP", ipt_path)) {
+ if (ext("%s/ip6tables -t filter -I INPUT 1 -m set --match-set tallow6 src -j DROP", ipt_path)) {
 fprintf(stderr, "Unable to create ipt6ables rule.\n");
 exit(EXIT_FAILURE);
 }
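Review bot: The new `-I INPUT 1` line in the ipv4 hunk, and its ip6tables twin, still never check whether the DROP rule is already present, so if setup() runs again (a daemon restart without a matching teardown, which I cannot see from here) each run stacks another identical rule at the top of INPUT rather than reusing the existing one. An idempotent form probes with `-C` and only inserts on a miss, which also re-asserts position 1 after a reload: `if (ext("%s/iptables -t filter -C INPUT -m set --match-set tallow src -j DROP", ipt_path) && ext("%s/iptables -t filter -I INPUT 1 -m set --match-set tallow src -j DROP", ipt_path)) {` with the same shape for ip6tables/tallow6. This relies on ext() returning non-zero for a non-zero exit status, which is how the surrounding error branches already read it. The reason for position 1 is worth a comment above each call so nobody reverts it to `-A` later, e.g. `/* Insert at position 1 so the ban is evaluated before any accept rule (e.g. a conntrack ESTABLISHED accept) further down INPUT. */`. setup() starts and ends outside both hunks.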