From 097c5ed9276454936cfd219845a9b608744794da Mon Sep 17 00:00:00 2001
From: Irbe Krumina
Date: Thu, 29 Feb 2024 16:53:43 +0000
Subject: [PATCH] util/linuxfw: insert rather than append nftables DNAT rule (#11303)

Ensure that the latest DNATNonTailscaleTraffic rule gets inserted on top of any pre-existing rules.

Updates tailscale/tailscale#11281

Signed-off-by: Irbe Krumina
---
 util/linuxfw/nftables_runner.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/linuxfw/nftables_runner.go b/util/linuxfw/nftables_runner.go
index c40508f15..bca882fce 100644
--- a/util/linuxfw/nftables_runner.go
+++ b/util/linuxfw/nftables_runner.go
@@ -173,7 +173,7 @@ func (n *nftablesRunner) DNATNonTailscaleTraffic(tunname string, dst netip.Addr)
 },
 },
 }
- n.conn.AddRule(dnatRule)
+ n.conn.InsertRule(dnatRule)
 return n.conn.Flush()
 }
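Review bot: The `n.conn.InsertRule(dnatRule)` call at the end of DNATNonTailscaleTraffic has no comment saying that rule order is the whole point, so a later cleanup could switch it back to `AddRule` without anyone noticing. I would add above the call: `// Insert at the head of the chain so the newest DNAT target takes precedence over rules left by earlier calls.` The visible lines do not remove the rule from a previous call, so unless that happens in the part of the function outside this hunk, each call leaves a shadowed DNAT rule behind that would start matching again if the top rule were ever deleted; that is worth confirming. A test that asserts the new rule's position in the chain after two successive calls would pin the intended behaviour.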