iptables-translate: print nft command for each expand rules via dns names

We have to print nft at the very beginning for each rule that rules from
the expansion, otherwise the output is not correct:

 # iptables-translate -I INPUT -s yahoo.com
 nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
 insert rule ip filter INPUT ip saddr 98.138.253.109 counter
 insert rule ip filter INPUT ip saddr 98.139.183.24 counter

After this patch:

 # iptables-translate -I INPUT -s yahoo.com
 nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
 nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
 nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter

Reported-by: Alexander Alemayhu <alexander@alemayhu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 2 insertions, 0 deletions

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 76ca666b..d9885f20 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -195,6 +195,8 @@ static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p,
 			}
 			break;
 		}
+		if (!cs->restore)
+			printf("nft ");
 	}
 
 	return ret;