From: Pablo Neira Ayuso Date: Tue, 16 Jul 2013 20:18:47 +0000 (+0200) Subject: nft: fix built-in chain ordering of the nat table X-Git-Tag: v1.6.0~111^2~79 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86eed10c9f2c42e0f50eb4e527a48ee9e63146f4;p=thirdparty%2Fiptables.git nft: fix built-in chain ordering of the nat table Should be: % iptables -L -n -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination instead of: % xtables -L -n -t nat Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination Reported-by: Tomasz Bursztyka Signed-off-by: Pablo Neira Ayuso
---
diff --git a/etc/xtables.conf b/etc/xtables.conf
index 1995b69f..6aee8aa8 100644
--- a/etc/xtables.conf
+++ b/etc/xtables.conf
@@ -20,9 +20,9 @@ family ipv4 {
 table nat {
 chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
 chain INPUT hook NF_INET_LOCAL_IN prio -100
 chain OUTPUT hook NF_INET_LOCAL_OUT prio 100
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
 }
 table security {
diff --git a/iptables/nft.c b/iptables/nft.c
index daa5478a..b9820f12 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -200,10 +200,10 @@ static struct builtin_table {
 .name = "nat",
 .chains = {
 {
- .name = "OUTPUT",
+ .name = "PREROUTING",
 .type = "nat",
 .prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_LOCAL_OUT,
+ .hook = NF_INET_PRE_ROUTING,
 },
 {
 .name = "INPUT",
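Review bot: In the etc/xtables.conf hunk the nat table keeps INPUT at `prio -100` and OUTPUT at `prio 100`, the opposite of the built-in table in iptables/nft.c in this same commit, where INPUT carries `.prio = 100` (NF_IP_PRI_NAT_SRC) and OUTPUT `.prio = -100` (NF_IP_PRI_NAT_DST). Hook priority decides where NAT runs relative to the other chains registered on the same hook, so the two definitions should agree. If nft.c is the reference, the lines would read `chain INPUT hook NF_INET_LOCAL_IN prio 100` and `chain OUTPUT hook NF_INET_LOCAL_OUT prio -100`. Both are context lines the commit does not touch, so this may belong in a follow-up.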
@@ -211,18 +211,18 @@ static struct builtin_table {
 .prio = 100, /* NF_IP_PRI_NAT_SRC */
 .hook = NF_INET_LOCAL_IN,
 },
- {
- .name = "PREROUTING",
- .type = "nat",
- .prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_PRE_ROUTING,
- },
 {
 .name = "POSTROUTING",
 .type = "nat",
 .prio = 100, /* NF_IP_PRI_NAT_SRC */
 .hook = NF_INET_POST_ROUTING,
 },
+ {
+ .name = "OUTPUT",
+ .type = "nat",
+ .prio = -100, /* NF_IP_PRI_NAT_DST */
+ .hook = NF_INET_LOCAL_OUT,
+ },
 },
 },
 };
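Review bot: The new array order in iptables/nft.c ends up PREROUTING, INPUT, POSTROUTING, OUTPUT, because this hunk appends the OUTPUT entry after POSTROUTING. The commit message and the etc/xtables.conf change in the same commit both give PREROUTING, INPUT, OUTPUT, POSTROUTING. The "instead of" listing in the message matches the old array order, so the listing presumably follows this array and would still show POSTROUTING ahead of OUTPUT. Moving the added `.name = "OUTPUT"` entry above the `.name = "POSTROUTING"` entry would make all three agree. The builtin_table initializer starts outside this hunk.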