From 86eed10c9f2c42e0f50eb4e527a48ee9e63146f4 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 16 Jul 2013 22:18:47 +0200
Subject: nft: fix built-in chain ordering of the nat table
Should be:
% iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
instead of:
% xtables -L -n -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Reported-by: Tomasz Bursztyka
Signed-off-by: Pablo Neira Ayuso
---
 iptables/nft.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'iptables')
diff --git a/iptables/nft.c b/iptables/nft.c
index daa5478a..b9820f12 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -200,10 +200,10 @@ static struct builtin_table {
 .name = "nat",
 .chains = {
 {
- .name = "OUTPUT",
+ .name = "PREROUTING",
 .type = "nat",
 .prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_LOCAL_OUT,
+ .hook = NF_INET_PRE_ROUTING,
 },
 {
 .name = "INPUT",
@@ -211,18 +211,18 @@ static struct builtin_table {
 .prio = 100, /* NF_IP_PRI_NAT_SRC */
 .hook = NF_INET_LOCAL_IN,
 },
- {
- .name = "PREROUTING",
- .type = "nat",
- .prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_PRE_ROUTING,
- },
 {
 .name = "POSTROUTING",
 .type = "nat",
 .prio = 100, /* NF_IP_PRI_NAT_SRC */
 .hook = NF_INET_POST_ROUTING,
 },
+ {
+ .name = "OUTPUT",
+ .type = "nat",
+ .prio = -100, /* NF_IP_PRI_NAT_DST */
+ .hook = NF_INET_LOCAL_OUT,
+ },
 },
 },
 };
-- cgit v1.2.3
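Review bot: The second hunk adds the `.name = "OUTPUT",` entry after the `.name = "POSTROUTING",` entry, so the nat array now reads PREROUTING, INPUT, POSTROUTING, OUTPUT, while the commit message gives the expected listing as PREROUTING, INPUT, OUTPUT, POSTROUTING. If the listing follows the order of this initializer, as the commit message implies but the hunks do not show, OUTPUT and POSTROUTING would still print swapped relative to iptables. Moving the added OUTPUT block ahead of the POSTROUTING block would match the stated order. A short comment above `.chains = {`, for example `/* keep in iptables -L listing order */`, would also tell later editors that the order matters to tools and audits that compare rule listings. The `builtin_table` initializer starts before the first hunk, so the code that walks the array is not visible here.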