]> git.ipfire.org Git - thirdparty/iptables.git/commitdiff
projects / thirdparty / iptables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f1cd86d)
xtables-translate: Fix chain type when translating nat table
authorPhil Sutter <phil@nwl.cc>
Mon, 28 Nov 2016 12:14:16 +0000 (13:14 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 29 Nov 2016 22:03:51 +0000 (23:03 +0100)
This makes the type of translated chains in nat table to be of type
'nat' instead of 'filter' which is incorrect.

Verified like so:

| $ iptables-restore-translate -f /dev/stdin <<EOF
| *nat
| :POSTROUTING ACCEPT [0:0]
| [0:0] -A POSTROUTING -j MASQUERADE
| COMMIT
| EOF
| # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
| add table ip nat
| add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
| add rule ip nat POSTROUTING counter masquerade

Ditto for ip6tables-restore-translate.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
iptables/xtables-translate.c patch | blob | blame | history

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 0c706dcc2b9dbb4c8a4a13a68428f2be014041cc..153bd6503c59be5efb5ec59f40ef4df32f1f1294 100644 (file)
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -352,17 +352,23 @@ static int xlate_chain_set(struct nft_handle *h, const char *table,
                           const char *chain, const char *policy,
                           const struct xt_counters *counters)
 {
-       printf("add chain %s %s %s ", family2str[h->family], table, chain);
+       const char *type = "filter";
+
+       if (strcmp(table, "nat") == 0)
+               type = "nat";
+
+       printf("add chain %s %s %s { type %s ",
+              family2str[h->family], table, chain, type);
        if (strcmp(chain, "PREROUTING") == 0)
-               printf("{ type filter hook prerouting priority 0; ");
+               printf("hook prerouting priority 0; ");
        else if (strcmp(chain, "INPUT") == 0)
-               printf("{ type filter hook input priority 0; ");
+               printf("hook input priority 0; ");
        else if (strcmp(chain, "FORWARD") == 0)
-               printf("{ type filter hook forward priority 0; ");
+               printf("hook forward priority 0; ");
        else if (strcmp(chain, "OUTPUT") == 0)
-               printf("{ type filter hook output priority 0; ");
+               printf("hook output priority 0; ");
        else if (strcmp(chain, "POSTROUTING") == 0)
-               printf("{ type filter hook postrouting priority 0; ");
+               printf("hook postrouting priority 0; ");
 
        if (strcmp(policy, "ACCEPT") == 0)
                printf("policy accept; ");
Mirror of git://git.netfilter.org/iptables