nft: fix built-in chain ordering of the nat table

Should be:

% iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

instead of:

% xtables -L -n -t nat
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>

diff --git a/etc/xtables.conf b/etc/xtables.conf
index 1995b69fcd2e65d4a57d133b5183fa372dba55c9..6aee8aa804f68b1ba31c94968138afb9cfdedc6a 100644 (file)
--- a/etc/xtables.conf
+++ b/etc/xtables.conf
@@ -20,9 +20,9 @@ family ipv4 {
 
        table nat {
                chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
-               chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
                chain INPUT hook NF_INET_LOCAL_IN prio -100
                chain OUTPUT hook NF_INET_LOCAL_OUT prio 100
+               chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
        }
 
        table security {

diff --git a/iptables/nft.c b/iptables/nft.c
index daa5478afaa8fcb266acf5efa8e8e044eed67d4a..b9820f12c3c79fd280faaa22f8135554fc798f0f 100644 (file)
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -200,10 +200,10 @@ static struct builtin_table {
                .name   = "nat",
                .chains = {
                        {
-                               .name   = "OUTPUT",
+                               .name   = "PREROUTING",
                                .type   = "nat",
                                .prio   = -100, /* NF_IP_PRI_NAT_DST */
-                               .hook   = NF_INET_LOCAL_OUT,
+                               .hook   = NF_INET_PRE_ROUTING,
                        },
                        {
                                .name   = "INPUT",
@@ -211,18 +211,18 @@ static struct builtin_table {
                                .prio   = 100, /* NF_IP_PRI_NAT_SRC */
                                .hook   = NF_INET_LOCAL_IN,
                        },
-                       {
-                               .name   = "PREROUTING",
-                               .type   = "nat",
-                               .prio   = -100, /* NF_IP_PRI_NAT_DST */
-                               .hook   = NF_INET_PRE_ROUTING,
-                       },
                        {
                                .name   = "POSTROUTING",
                                .type   = "nat",
                                .prio   = 100, /* NF_IP_PRI_NAT_SRC */
                                .hook   = NF_INET_POST_ROUTING,
                        },
+                       {
+                               .name   = "OUTPUT",
+                               .type   = "nat",
+                               .prio   = -100, /* NF_IP_PRI_NAT_DST */
+                               .hook   = NF_INET_LOCAL_OUT,
+                       },
                },
        },
 };