Message ID | 20161128121416.27659-1-phil@nwl.cc
---|---
State | Accepted
Delegated to: | Pablo Neira
On Mon, Nov 28, 2016 at 01:14:16PM +0100, Phil Sutter wrote:
> This makes the type of translated chains in the nat table to be of type
> 'nat' instead of 'filter', which is incorrect.
>
> Verified like so:
>
> | $ iptables-restore-translate -f /dev/stdin <<EOF
> | *nat
> | :POSTROUTING ACCEPT [0:0]
> | [0:0] -A POSTROUTING -j MASQUERADE
> | COMMIT
> | EOF
> | # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
> | add table ip nat
> | add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
> | add rule ip nat POSTROUTING counter masquerade
>
> Ditto for ip6tables-restore-translate.

Also applied, thanks.
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c index 0c706dcc2b9db..153bd6503c59b 100644 --- a/iptables/xtables-translate.c +++ b/iptables/xtables-translate.c @@ -352,17 +352,23 @@ static int xlate_chain_set(struct nft_handle *h, const char *table, const char *chain, const char *policy, const struct xt_counters *counters) { - printf("add chain %s %s %s ", family2str[h->family], table, chain); + const char *type = "filter"; + + if (strcmp(table, "nat") == 0) + type = "nat"; + + printf("add chain %s %s %s { type %s ", + family2str[h->family], table, chain, type); if (strcmp(chain, "PREROUTING") == 0) - printf("{ type filter hook prerouting priority 0; "); + printf("hook prerouting priority 0; "); else if (strcmp(chain, "INPUT") == 0) - printf("{ type filter hook input priority 0; "); + printf("hook input priority 0; "); else if (strcmp(chain, "FORWARD") == 0) - printf("{ type filter hook forward priority 0; "); + printf("hook forward priority 0; "); else if (strcmp(chain, "OUTPUT") == 0) - printf("{ type filter hook output priority 0; "); + printf("hook output priority 0; "); else if (strcmp(chain, "POSTROUTING") == 0) - printf("{ type filter hook postrouting priority 0; "); + printf("hook postrouting priority 0; "); if (strcmp(policy, "ACCEPT") == 0) printf("policy accept; ");
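Review bot: The unconditional `printf("add chain %s %s %s { type %s ", ...)` changes what happens for a chain name that matches none of the five `strcmp(chain, ...)` branches. Before the patch such a chain was emitted as `add chain <family> <table> <chain> ` with no `{` at all; after it, `{ type filter ` is printed before the name is checked, so an unmatched name now gets a type but no `hook ... priority ...` clause. If xlate_chain_set() is only ever reached for the builtin chains, a one-line comment above the new `type` variable stating that invariant would make the change obviously safe; otherwise an early return for unknown names before the `printf` is needed. Separately, `const char *type = "filter";` with the single `strcmp(table, "nat")` check means every table other than nat (mangle, raw, security) keeps type filter, which the commit message does not mention; it would help to state that this is intentional.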
This makes the type of translated chains in the nat table to be of type
'nat' instead of 'filter', which is incorrect.

Verified like so:

| $ iptables-restore-translate -f /dev/stdin <<EOF
| *nat
| :POSTROUTING ACCEPT [0:0]
| [0:0] -A POSTROUTING -j MASQUERADE
| COMMIT
| EOF
| # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
| add table ip nat
| add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
| add rule ip nat POSTROUTING counter masquerade

Ditto for ip6tables-restore-translate.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
This patch depends upon my previously submitted patch
"xtables-translate: Support setting standard chain policy".
---
 iptables/xtables-translate.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)