From c924c0cd07440aa9ce7465e2ba68fb266f07d7c3 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sun, 10 Mar 2013 11:43:32 +0100
Subject: xtables-config: priority has to be per-chain to support

To support NAT table chain configuration appropriately. Modify example configuration file as well.

Signed-off-by: Pablo Neira Ayuso
---
 etc/xtables.conf | 41 ++++++++++++++++++++++++-----------------
 1 file changed, 24 insertions(+), 17 deletions(-)
(limited to 'etc')

diff --git a/etc/xtables.conf b/etc/xtables.conf
index 00b5df4f..6d26ffe4 100644
--- a/etc/xtables.conf
+++ b/etc/xtables.conf
@@ -1,24 +1,31 @@
-table raw prio -300 {
- chain PREROUTING hook NF_INET_PRE_ROUTING
- chain OUTPUT hook NF_INET_LOCAL_OUT
+table raw {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
 }
-table mangle prio -150 {
- chain PREROUTING hook NF_INET_PRE_ROUTING
- chain INPUT hook NF_INET_LOCAL_IN
- chain FORWARD hook NF_INET_FORWARD
- chain OUTPUT hook NF_INET_LOCAL_OUT
- chain POSTROUTING hook NF_INET_POST_ROUTING
+table mangle {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+ chain INPUT hook NF_INET_LOCAL_IN prio -150
+ chain FORWARD hook NF_INET_FORWARD prio -150
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
 }
-table filter prio 0 {
- chain INPUT hook NF_INET_LOCAL_IN
- chain FORWARD hook NF_INET_FORWARD
- chain OUTPUT hook NF_INET_LOCAL_OUT
+table filter {
+ chain INPUT hook NF_INET_LOCAL_IN prio 0
+ chain FORWARD hook NF_INET_FORWARD prio 0
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
 }
-table security prio 150 {
- chain INPUT hook NF_INET_LOCAL_IN
- chain FORWARD hook NF_INET_FORWARD
- chain OUTPUT hook NF_INET_LOCAL_OUT
+table nat {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+ chain INPUT hook NF_INET_LOCAL_IN prio -100
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 100
+}
+
+table security {
+ chain INPUT hook NF_INET_LOCAL_IN prio 150
+ chain FORWARD hook NF_INET_FORWARD prio 150
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 150
 }
-- 
cgit v1.2.3
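Review bot: The nat INPUT and OUTPUT priorities in the newly added `table nat` block appear swapped relative to what the kernel's iptables nat table registers: LOCAL_OUT is hooked at NF_IP_PRI_NAT_DST (-100, before filter OUTPUT so DNAT is visible to filtering) and LOCAL_IN at NF_IP_PRI_NAT_SRC (100, after filter INPUT so source translation of locally delivered packets happens after the filter decision). As written, with `INPUT ... prio -100` and `OUTPUT ... prio 100`, filter OUTPUT rules would match the pre-DNAT destination and filter INPUT rules the post-SNAT source, so a policy written against the usual address view could be bypassed. I would change the two lines to `chain INPUT hook NF_INET_LOCAL_IN prio 100` and `chain OUTPUT hook NF_INET_LOCAL_OUT prio -100`, which also mirrors the PREROUTING (-100) / POSTROUTING (100) pair in the same block. If the parser accepts comments (its comment syntax is not visible here), a one-line note such as `# nat: DNAT chains (PREROUTING/OUTPUT) at -100 run before filter, SNAT chains (INPUT/POSTROUTING) at 100 after it` would help keep this ordering from regressing.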