xtables-config: priority has to be per-chain to support
The NAT table needs a different priority for each of its chains, so move the priority from the table declaration to each chain declaration. Update the example configuration file accordingly.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/etc/xtables.conf b/etc/xtables.conf
index 00b5df4..6d26ffe 100644
--- a/etc/xtables.conf
+++ b/etc/xtables.conf
@@ -1,24 +1,31 @@
-table raw prio -300 {
- chain PREROUTING hook NF_INET_PRE_ROUTING
- chain OUTPUT hook NF_INET_LOCAL_OUT
+table raw {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
}
-table mangle prio -150 {
- chain PREROUTING hook NF_INET_PRE_ROUTING
- chain INPUT hook NF_INET_LOCAL_IN
- chain FORWARD hook NF_INET_FORWARD
- chain OUTPUT hook NF_INET_LOCAL_OUT
- chain POSTROUTING hook NF_INET_POST_ROUTING
+table mangle {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+ chain INPUT hook NF_INET_LOCAL_IN prio -150
+ chain FORWARD hook NF_INET_FORWARD prio -150
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
}
-table filter prio 0 {
- chain INPUT hook NF_INET_LOCAL_IN
- chain FORWARD hook NF_INET_FORWARD
- chain OUTPUT hook NF_INET_LOCAL_OUT
+table filter {
+ chain INPUT hook NF_INET_LOCAL_IN prio 0
+ chain FORWARD hook NF_INET_FORWARD prio 0
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
}
-table security prio 150 {
- chain INPUT hook NF_INET_LOCAL_IN
- chain FORWARD hook NF_INET_FORWARD
- chain OUTPUT hook NF_INET_LOCAL_OUT
+table nat {
+ chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+ chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+ chain INPUT hook NF_INET_LOCAL_IN prio -100
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 100
+}
+
+table security {
+ chain INPUT hook NF_INET_LOCAL_IN prio 150
+ chain FORWARD hook NF_INET_FORWARD prio 150
+ chain OUTPUT hook NF_INET_LOCAL_OUT prio 150
}
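Review bot: The nat INPUT and OUTPUT priorities on the lines `chain INPUT hook NF_INET_LOCAL_IN prio -100` and `chain OUTPUT hook NF_INET_LOCAL_OUT prio 100` look swapped relative to the kernel's iptable_nat, where LOCAL_IN is the SNAT hook at NF_IP_PRI_NAT_SRC (100) and LOCAL_OUT is the DNAT hook at NF_IP_PRI_NAT_DST (-100); the PREROUTING/POSTROUTING pair just above does follow that convention. If the intent is to mirror iptables semantics, these should read `chain INPUT hook NF_INET_LOCAL_IN prio 100` and `chain OUTPUT hook NF_INET_LOCAL_OUT prio -100`. The ordering matters because with OUTPUT at 100 the filter OUTPUT chain (prio 0) would see locally generated packets before DNAT rewrites the destination, so filter rules written against post-DNAT addresses would not match. Please confirm against iptable_nat's hook table before merging.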
diff --git a/iptables/xtables-config-parser.y b/iptables/xtables-config-parser.y
index fe5bcbf..ad5d624 100644
--- a/iptables/xtables-config-parser.y
+++ b/iptables/xtables-config-parser.y
@@ -105,12 +105,10 @@
line : table
;
-table : T_TABLE T_STRING T_PRIO T_INTEGER '{' chains '}'
+table : T_TABLE T_STRING '{' chains '}'
{
/* added in reverse order to pop it in order */
- void *data = stack_push(T_PRIO, sizeof(int32_t));
- stack_put_i32(data, $4);
- data = stack_push(T_TABLE, strlen($2));
+ void *data = stack_push(T_TABLE, strlen($2));
stack_put_str(data, $2);
}
;
@@ -119,10 +117,12 @@
| chains chain
;
-chain : T_CHAIN T_STRING T_HOOK T_STRING
+chain : T_CHAIN T_STRING T_HOOK T_STRING T_PRIO T_INTEGER
{
/* added in reverse order to pop it in order */
- void *data = stack_push(T_HOOK, strlen($4));
+ void *data = stack_push(T_PRIO, sizeof(int32_t));
+ stack_put_i32(data, $6);
+ data = stack_push(T_HOOK, strlen($4));
stack_put_str(data, $4);
data = stack_push(T_CHAIN, strlen($2));
stack_put_str(data, $2);
@@ -194,13 +194,13 @@
}
nft_chain_attr_set(chain, NFT_CHAIN_ATTR_TABLE,
(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME));
+ nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio);
nft_chain_attr_set(chain, NFT_CHAIN_ATTR_NAME, e->data);
nft_chain_list_add(chain, chain_list);
break;
case T_HOOK:
nft_chain_attr_set_u32(chain, NFT_CHAIN_ATTR_HOOKNUM,
hooknametonum(e->data));
- nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio);
break;
default:
printf("unknown token type %d\n", e->token);
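Review bot: `nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio)` is now applied in the T_CHAIN case, but the chain rule pushes T_PRIO, then T_HOOK, then T_CHAIN, so if stack_pop() returns the most recently pushed entry (as the "added in reverse order to pop it in order" comments suggest) this chain's own T_PRIO entry is popped after its T_CHAIN entry and `prio` here still holds the value from the previously popped chain, or the initial value for the first one popped; the T_PRIO case and stack_pop() sit outside this hunk, so please verify. If T_PRIO only stores into `prio`, the fix is to set the attribute there instead, `case T_PRIO: prio = ...; nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio); break;`, and drop the call from T_CHAIN, mirroring how T_HOOK already applies its value to the chain created by the preceding T_CHAIN. That ordering is safe because the new grammar requires every chain to carry a prio, so `chain` is always the one just allocated. The enclosing parse loop starts and ends outside the hunk.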
diff --git a/iptables/xtables-config.c b/iptables/xtables-config.c
index 16918bf..fce03a1 100644
--- a/iptables/xtables-config.c
+++ b/iptables/xtables-config.c
@@ -39,7 +39,9 @@
struct nft_table *table;
struct nft_chain *chain;
const char *filename = NULL;
- struct nft_handle h;
+ struct nft_handle h = {
+ .family = AF_INET,
+ };
if (argc > 2) {
fprintf(stderr, "Usage: %s [<config_file>]\n", argv[0]);
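Review bot: `.family = AF_INET` hard-codes the address family, so presumably every table and chain read from the configuration file is created in the ip family only, and the example xtables.conf has no family keyword, so there is no way to express ip6 or inet here. Consider taking the family from a command-line option or a per-table keyword in the config, or at least document the limitation next to the initializer: `/* TODO: family is fixed to AF_INET; ip6 tables cannot be configured yet */`. The designated initializer does zero the rest of `h`, which is an improvement over the previously uninitialized struct. main() continues outside the hunk.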