From c6df55d6ebbe6102ac5136ae38813bea42d8c782 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 8 Mar 2017 14:16:09 +0100
Subject: iptables-translate: print nft command for each expand rules via dns names

We have to print nft at the very beginning for each rule that rules from the expansion, otherwise the output is not correct:

# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
insert rule ip filter INPUT ip saddr 98.138.253.109 counter
insert rule ip filter INPUT ip saddr 98.139.183.24 counter

After this patch:

# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter

Reported-by: Alexander Alemayhu
Signed-off-by: Pablo Neira Ayuso
---
 iptables/xtables-translate.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'iptables/xtables-translate.c')

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 76ca666b..d9885f20 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -195,6 +195,8 @@ static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p,
 }
 break;
 }
+if (!cs->restore)
+printf("nft ");
 }
 return ret;
-- 
cgit v1.2.3
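Review bot: The added `printf("nft ");` runs after every iteration of the enclosing loop, including the last one, so a trailing `nft ` with no newline is left on stdout once the final expanded rule has been printed; the pre-patch output in the description shows the first `nft ` comes from the caller, so this prefix is only needed between rules. Printing it at the top of the loop body for every iteration after the first, e.g. `if (!cs->restore && i > 0) printf("nft ");` (assuming the loop index is `i`), gives the intended output without the dangling token. If the destination-address expansion is a nested loop inside the switch cases, rules expanded from a multi-address destination would still come out unprefixed; worth checking since the hunk only covers the outer loop. The body of xlate starts before this hunk and only the tail is visible here.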