nft: fix built-in chain ordering of the nat table
Should be:
% iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
instead of:
% xtables -L -n -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
diff --git a/etc/xtables.conf b/etc/xtables.conf
index 1995b69..6aee8aa 100644
--- a/etc/xtables.conf
+++ b/etc/xtables.conf
@@ -20,9 +20,9 @@
table nat {
chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
- chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
chain INPUT hook NF_INET_LOCAL_IN prio -100
chain OUTPUT hook NF_INET_LOCAL_OUT prio 100
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
}
table security {
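Review bot: The context line `chain OUTPUT hook NF_INET_LOCAL_OUT prio 100` still disagrees with the nft.c definition in this same commit, which registers OUTPUT at `.prio = -100, /* NF_IP_PRI_NAT_DST */`, and the neighbouring `chain INPUT hook NF_INET_LOCAL_IN prio -100` carries the opposite sign to what a source-NAT hook on LOCAL_IN would normally use, so the two priorities look swapped. Since this commit is about making the built-in nat table consistent between the two definitions, those lines should be corrected too: `chain INPUT hook NF_INET_LOCAL_IN prio 100` and `chain OUTPUT hook NF_INET_LOCAL_OUT prio -100`. Reordering the chain lines only changes what `-L` prints; hook and prio decide when a chain runs, and a DNAT chain on LOCAL_OUT registered after the filter hooks (prio 0) would rewrite the destination after filter rules have already matched on the original one, which is not the iptables semantics administrators write rules against. Worth confirming the INPUT sign against the nft.c entry, whose prio line sits outside the hunks shown here.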
diff --git a/iptables/nft.c b/iptables/nft.c
index daa5478..b9820f1 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -200,10 +200,10 @@
.name = "nat",
.chains = {
{
- .name = "OUTPUT",
+ .name = "PREROUTING",
.type = "nat",
.prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_LOCAL_OUT,
+ .hook = NF_INET_PRE_ROUTING,
},
{
.name = "INPUT",
@@ -212,17 +212,17 @@
.hook = NF_INET_LOCAL_IN,
},
{
- .name = "PREROUTING",
- .type = "nat",
- .prio = -100, /* NF_IP_PRI_NAT_DST */
- .hook = NF_INET_PRE_ROUTING,
- },
- {
.name = "POSTROUTING",
.type = "nat",
.prio = 100, /* NF_IP_PRI_NAT_SRC */
.hook = NF_INET_POST_ROUTING,
},
+ {
+ .name = "OUTPUT",
+ .type = "nat",
+ .prio = -100, /* NF_IP_PRI_NAT_DST */
+ .hook = NF_INET_LOCAL_OUT,
+ },
},
},
};
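Review bot: Nothing in the `.chains` initializer records that entry order is significant, so the next edit that groups entries by hook or sorts them alphabetically will silently reintroduce the listing bug this commit fixes; add a comment above the first entry such as `/* Order matters: chains are created and listed in this order to match iptables -L output (PREROUTING, INPUT, OUTPUT, POSTROUTING). */`. The priorities on the visible entries are consistent with their own comments (NAT_DST on PRE_ROUTING and LOCAL_OUT, NAT_SRC on POST_ROUTING); the INPUT entry's `.prio` line lies outside these hunks and is worth checking against the accompanying xtables.conf, which declares INPUT at -100 and OUTPUT at 100, the reverse of what this file uses for OUTPUT. The enclosing array definition starts before the first hunk.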