xtables-translate: Support insert with index

Translation is pretty simple due to nft's 'insert rule ... index'
support. Testing the translation is sadly not: index 1 vanishes (as it
should), higher indexes are rejected in replay mode since no rules
previously exist.

Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate
index 28996832225cb9bd3b945ac2fa030d2de5f3e793..44ce927614b57a91fb2c731880b795604c4bb0f8 100644 (file)
--- a/extensions/libebt_ip.txlate
+++ b/extensions/libebt_ip.txlate
@@ -4,7 +4,7 @@ nft 'add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept'
 ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1
 nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter'
 
-ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff
+ebtables-translate -I OUTPUT -p ip -o eth0 --ip-tos 0xff
 nft 'insert rule bridge filter OUTPUT oifname "eth0" ether type ip @nh,8,8 0xff counter'
 
 ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 22b2fbc869eedabfe434529c3a7a46302e1fe524..88e0a6b6394948da0fb9175b48405b4ff69630ab 100644 (file)
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -173,6 +173,8 @@ static int nft_rule_xlate_add(struct nft_handle *h,
               tick,
               append ? "add" : "insert",
               family2str[h->family], p->table, p->chain);
+       if (!append && p->rulenum > 1)
+               printf("index %d ", p->rulenum);
 
        printf("%s%s\n", xt_xlate_rule_get(xl), tick);