xtables-config: priority has to be per-chain to support

Move the priority from the table to each chain so that NAT table chains can be
configured appropriately. Modify the example configuration file as well.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/etc/xtables.conf b/etc/xtables.conf
index 00b5df4..6d26ffe 100644
--- a/etc/xtables.conf
+++ b/etc/xtables.conf
@@ -1,24 +1,31 @@
-table raw prio -300 {
-	chain PREROUTING hook NF_INET_PRE_ROUTING
-	chain OUTPUT hook NF_INET_LOCAL_OUT
+table raw {
+	chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
 }
 
-table mangle prio -150 {
-	chain PREROUTING hook NF_INET_PRE_ROUTING
-	chain INPUT hook NF_INET_LOCAL_IN
-	chain FORWARD hook NF_INET_FORWARD
-	chain OUTPUT hook NF_INET_LOCAL_OUT
-	chain POSTROUTING hook NF_INET_POST_ROUTING
+table mangle {
+	chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+	chain INPUT hook NF_INET_LOCAL_IN prio -150
+	chain FORWARD hook NF_INET_FORWARD prio -150
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+	chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
 }
 
-table filter prio 0 {
-	chain INPUT hook NF_INET_LOCAL_IN
-	chain FORWARD hook NF_INET_FORWARD
-	chain OUTPUT hook NF_INET_LOCAL_OUT
+table filter {
+	chain INPUT hook NF_INET_LOCAL_IN prio 0
+	chain FORWARD hook NF_INET_FORWARD prio 0
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
 }
 
-table security prio 150 {
-	chain INPUT hook NF_INET_LOCAL_IN
-	chain FORWARD hook NF_INET_FORWARD
-	chain OUTPUT hook NF_INET_LOCAL_OUT
+table nat {
+	chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+	chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+	chain INPUT hook NF_INET_LOCAL_IN prio -100
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio 100
+}
+
+table security {
+	chain INPUT hook NF_INET_LOCAL_IN prio 150
+	chain FORWARD hook NF_INET_FORWARD prio 150
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio 150
 }
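Review bot: In the new `table nat` block the INPUT and OUTPUT priorities look swapped. The kernel's iptables NAT registers LOCAL_OUT at the destination-NAT priority (-100) and LOCAL_IN at the source-NAT priority (100), while this file has `INPUT ... prio -100` and `OUTPUT ... prio 100`. With OUTPUT at 100 the nat OUTPUT chain would run after filter OUTPUT (prio 0), so filter rules for locally generated traffic would match the pre-DNAT destination, unlike legacy iptables. I would use `chain INPUT hook NF_INET_LOCAL_IN prio 100` and `chain OUTPUT hook NF_INET_LOCAL_OUT prio -100`.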
diff --git a/iptables/xtables-config-parser.y b/iptables/xtables-config-parser.y
index fe5bcbf..ad5d624 100644
--- a/iptables/xtables-config-parser.y
+++ b/iptables/xtables-config-parser.y
@@ -105,12 +105,10 @@
 line		: table
 		;
 
-table		: T_TABLE T_STRING T_PRIO T_INTEGER '{' chains '}'
+table		: T_TABLE T_STRING '{' chains '}'
 		{
 			/* added in reverse order to pop it in order */
-			void *data = stack_push(T_PRIO, sizeof(int32_t));
-			stack_put_i32(data, $4);
-			data = stack_push(T_TABLE, strlen($2));
+			void *data = stack_push(T_TABLE, strlen($2));
 			stack_put_str(data, $2);
 		}
 		;
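Review bot: `stack_push(T_TABLE, strlen($2))` sizes the element with no room for a terminating NUL, and the chain rule in the next hunk does the same for T_HOOK and T_CHAIN. stack_push() and stack_put_str() are outside this diff, so this is only a defect if neither of them adds the terminator. The consumer in the @@ -194 hunk passes `e->data` to `nft_chain_attr_set()` and `hooknametonum()` as a C string, which would then read past the allocation. If the helpers copy exactly `strlen()` bytes, `stack_push(T_TABLE, strlen($2) + 1)` and the equivalent for the other two calls would close it.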
@@ -119,10 +117,12 @@
 		| chains chain
 		;
 
-chain		: T_CHAIN T_STRING T_HOOK T_STRING
+chain		: T_CHAIN T_STRING T_HOOK T_STRING T_PRIO T_INTEGER
 		{
 			/* added in reverse order to pop it in order */
-			void *data = stack_push(T_HOOK, strlen($4));
+			void *data = stack_push(T_PRIO, sizeof(int32_t));
+			stack_put_i32(data, $6);
+			data = stack_push(T_HOOK, strlen($4));
 			stack_put_str(data, $4);
 			data = stack_push(T_CHAIN, strlen($2));
 			stack_put_str(data, $2);
@@ -194,13 +194,13 @@
 			}
 			nft_chain_attr_set(chain, NFT_CHAIN_ATTR_TABLE,
 				(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME));
+			nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio);
 			nft_chain_attr_set(chain, NFT_CHAIN_ATTR_NAME, e->data);
 			nft_chain_list_add(chain, chain_list);
 			break;
 		case T_HOOK:
 			nft_chain_attr_set_u32(chain, NFT_CHAIN_ATTR_HOOKNUM,
 						hooknametonum(e->data));
-			nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio);
 			break;
 		default:
 			printf("unknown token type %d\n", e->token);
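Review bot: `prio` is now consumed in the T_CHAIN case, but the chain rule pushes T_PRIO first, then T_HOOK, then T_CHAIN. If the stack is LIFO, as the "added in reverse order to pop it in order" comment implies, a chain's T_PRIO element is popped after its own T_CHAIN and T_HOOK, so the value applied here would belong to a previously processed chain, or be the initial value of `prio` for the first one. The T_PRIO case and the stack helpers are outside the hunk, so this needs confirming. If it holds, moving `nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio);` into the T_PRIO case, right after the value is read, keeps each priority with its own chain. A wrong priority changes the order in which the nat, filter and security chains see a packet without any error being reported.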
diff --git a/iptables/xtables-config.c b/iptables/xtables-config.c
index 16918bf..fce03a1 100644
--- a/iptables/xtables-config.c
+++ b/iptables/xtables-config.c
@@ -39,7 +39,9 @@
 	struct nft_table *table;
 	struct nft_chain *chain;
 	const char *filename = NULL;
-	struct nft_handle h;
+	struct nft_handle h = {
+		.family = AF_INET,
+	};
 
 	if (argc > 2) {
 		fprintf(stderr, "Usage: %s [<config_file>]\n", argv[0]);
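Review bot: The handle's family is hard-coded with `.family = AF_INET`, so as far as this hunk shows only IPv4 tables and chains are set up from the configuration file. If that is intended for now, a comment such as `/* only IPv4 base chains are configured; IPv6 is not handled yet */` above the initializer would keep a reader from assuming IPv6 base chains are created as well. The enclosing function starts and ends outside the hunk.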