authorPablo Neira Ayuso <pablo@soleta.eu>2013-07-16 22:18:47 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2013-12-30 23:50:38 +0100
commit86eed10c9f2c42e0f50eb4e527a48ee9e63146f4 (patch)
treee88999d765d469495ff906e19ef8b41ad916098e /iptables/nft.c
parent15539a1f5689beb00a84df87d698ee8f06824bb9 (diff)
nft: fix built-in chain ordering of the nat table
Should be: % iptables -L -n -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination instead of: % xtables -L -n -t nat Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
Diffstat (limited to 'iptables/nft.c')
-rw-r--r--iptables/nft.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/iptables/nft.c b/iptables/nft.c
index daa5478a..b9820f12 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -200,10 +200,10 @@ static struct builtin_table {
.name = "nat",
.chains = {
{
- .name = "OUTPUT",
+ .name = "PREROUTING",
.type = "nat",
.prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_LOCAL_OUT,
+ .hook = NF_INET_PRE_ROUTING,
},
{
.name = "INPUT",
@@ -212,17 +212,17 @@ static struct builtin_table {
.hook = NF_INET_LOCAL_IN,
},
{
- .name = "PREROUTING",
- .type = "nat",
- .prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_PRE_ROUTING,
- },
- {
.name = "POSTROUTING",
.type = "nat",
.prio = 100, /* NF_IP_PRI_NAT_SRC */
.hook = NF_INET_POST_ROUTING,
},
+ {
+ .name = "OUTPUT",
+ .type = "nat",
+ .prio = -100, /* NF_IP_PRI_NAT_DST */
+ .hook = NF_INET_LOCAL_OUT,
+ },
},
},
};
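Review bot: The resulting entry order for the nat table is PREROUTING, INPUT, POSTROUTING, OUTPUT, which differs from the order the commit description gives as correct (PREROUTING, INPUT, OUTPUT, POSTROUTING): the re-added `.name = "OUTPUT"` entry lands after the POSTROUTING entry at the end of `.chains`. Assuming listing order follows array order, as the commit implies (the code that walks `.chains` is outside this diff), OUTPUT and POSTROUTING would still be listed in swapped positions, and tooling that compares rule listings across the two front ends during firewall review would keep seeing a difference. Placing the OUTPUT entry (`.hook = NF_INET_LOCAL_OUT,`) between the INPUT and POSTROUTING entries would match the description. A one-line comment above `.chains`, such as `/* order here is assumed to set the listing order; keep PREROUTING, INPUT, OUTPUT, POSTROUTING */`, would record the constraint; the `builtin_table` initializer starts outside the hunk.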