diff options
| author | Phil Sutter <phil@nwl.cc> | 2016-11-28 13:14:16 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-11-29 23:03:51 +0100 |
| commit | 92a3d0898d6a046cfc8c90757bdc08094413c79e (patch) | |
| tree | fc85b92091825bb7d46231e102382d1caf7e3b0d | |
| parent | f1cd86ddcf1726b91aedb9ef916b380edc8c2b61 (diff) | |
xtables-translate: Fix chain type when translating nat table
This makes the type of translated chains in nat table to be of type
'nat' instead of 'filter' which is incorrect.
Verified like so:
| $ iptables-restore-translate -f /dev/stdin <<EOF
| *nat
| :POSTROUTING ACCEPT [0:0]
| [0:0] -A POSTROUTING -j MASQUERADE
| COMMIT
| EOF
| # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
| add table ip nat
| add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
| add rule ip nat POSTROUTING counter masquerade
Ditto for ip6tables-restore-translate.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | iptables/xtables-translate.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c index 0c706dcc..153bd650 100644 --- a/iptables/xtables-translate.c +++ b/iptables/xtables-translate.c @@ -352,17 +352,23 @@ static int xlate_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters) { - printf("add chain %s %s %s ", family2str[h->family], table, chain); + const char *type = "filter"; + + if (strcmp(table, "nat") == 0) + type = "nat"; + + printf("add chain %s %s %s { type %s ", + family2str[h->family], table, chain, type); if (strcmp(chain, "PREROUTING") == 0) - printf("{ type filter hook prerouting priority 0; "); + printf("hook prerouting priority 0; "); else if (strcmp(chain, "INPUT") == 0) - printf("{ type filter hook input priority 0; "); + printf("hook input priority 0; "); else if (strcmp(chain, "FORWARD") == 0) - printf("{ type filter hook forward priority 0; "); + printf("hook forward priority 0; "); else if (strcmp(chain, "OUTPUT") == 0) - printf("{ type filter hook output priority 0; "); + printf("hook output priority 0; "); else if (strcmp(chain, "POSTROUTING") == 0) - printf("{ type filter hook postrouting priority 0; "); + printf("hook postrouting priority 0; "); if (strcmp(policy, "ACCEPT") == 0) printf("policy accept; "); |