authorFlorian Westphal <fw@strlen.de>2018-02-17 11:46:54 +0100
committerFlorian Westphal <fw@strlen.de>2018-02-17 11:46:54 +0100
commit577b7e20c2af1e6ea2bbe72e0c01802334fa4069 (patch)
treecd8c4e9ecc1e0f455e68d48f122dbfaa3371f776
parentc16bdec15137b241586310d0e61bc88cc3726004 (diff)
xtables-compat-restore: use correct hook priorities
Currently the hook priority defaults to 0; it should reflect the one from xtables to get the right ordering.

Signed-off-by: Florian Westphal <fw@strlen.de>
-rw-r--r--iptables/xtables-translate.c36
1 files changed, 31 insertions, 5 deletions
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 4f6a9caf..74efcb6c 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -349,11 +349,36 @@ static void xlate_table_new(struct nft_handle *h, const char *table)
printf("add table %s %s\n", family2str[h->family], table);
}
+static int get_hook_prio(const char *table, const char *chain)
+{
+ int prio = 0;
+
+ if (strcmp("nat", table) == 0) {
+ if (strcmp(chain, "PREROUTING") == 0)
+ prio = NF_IP_PRI_NAT_DST;
+ if (strcmp(chain, "INPUT") == 0)
+ prio = NF_IP_PRI_NAT_SRC;
+ if (strcmp(chain, "OUTPUT") == 0)
+ prio = NF_IP_PRI_NAT_DST;
+ if (strcmp(chain, "POSTROUTING") == 0)
+ prio = NF_IP_PRI_NAT_SRC;
+ } else if (strcmp("mangle", table) == 0) {
+ prio = NF_IP_PRI_MANGLE;
+ } else if (strcmp("raw", table) == 0) {
+ prio = NF_IP_PRI_RAW;
+ } else if (strcmp(chain, "security") == 0) {
+ prio = NF_IP_PRI_SECURITY;
+ }
+
+ return prio;
+}
+
static int xlate_chain_set(struct nft_handle *h, const char *table,
const char *chain, const char *policy,
const struct xt_counters *counters)
{
const char *type = "filter";
+ int prio;
if (strcmp(table, "nat") == 0)
type = "nat";
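Review bot: The last branch of get_hook_prio() compares the wrong variable: `strcmp(chain, "security") == 0` tests the chain name, while every other branch tests `table`, so it can never match a built-in chain such as INPUT or OUTPUT. As written, chains of the security table keep the default `prio = 0`, the same value the filter table falls back to, and the translated ruleset no longer puts the security hooks after the filter hooks, which is the ordering NF_IP_PRI_SECURITY is there to give. The line should read `} else if (strcmp(table, "security") == 0) {`. A short comment on `int prio = 0;` saying that 0 is the intended filter-table priority would also make the fall-through deliberate rather than implicit. xlate_chain_set() continues past the end of this hunk.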
@@ -362,16 +387,17 @@ static int xlate_chain_set(struct nft_handle *h, const char *table,
printf("add chain %s %s %s { type %s ",
family2str[h->family], table, chain, type);
+ prio = get_hook_prio(table, chain);
if (strcmp(chain, "PREROUTING") == 0)
- printf("hook prerouting priority 0; ");
+ printf("hook prerouting priority %d; ", prio);
else if (strcmp(chain, "INPUT") == 0)
- printf("hook input priority 0; ");
+ printf("hook input priority %d; ", prio);
else if (strcmp(chain, "FORWARD") == 0)
- printf("hook forward priority 0; ");
+ printf("hook forward priority %d; ", prio);
else if (strcmp(chain, "OUTPUT") == 0)
- printf("hook output priority 0; ");
+ printf("hook output priority %d; ", prio);
else if (strcmp(chain, "POSTROUTING") == 0)
- printf("hook postrouting priority 0; ");
+ printf("hook postrouting priority %d; ", prio);
if (strcmp(policy, "ACCEPT") == 0)
printf("policy accept; ");
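Review bot: The five printf() branches now differ only in the hook keyword, so the priority format string is repeated five times and a later change to it has to be made in each copy. Selecting the keyword into a local first and printing once, `printf("hook %s priority %d; ", hook, prio);`, would keep the emitted priority in one place. When `chain` matches none of the five names, no hook clause is printed at all and `prio` goes unused; that looks intentional for non-base chains, but it is worth a one-line comment. The function body starts before and continues after this hunk.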