nft-compat: fix IP6T_F_GOTO flag handling

IPT_F_GOTO and IP6T_F_GOTO don't overlap, so this need special handling
to avoid misinterpretations.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 02645a2..d05e80e 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -76,7 +76,7 @@
 	if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
 		return -1;
 
-	return add_action(r, cs, cs->fw.ip.flags);
+	return add_action(r, cs, !!(cs->fw.ip.flags & IPT_F_GOTO));
 }
 
 static bool nft_ipv4_is_same(const void *data_a,
@@ -331,6 +331,12 @@
 
 	save_matches_and_target(cs->matches, cs->target,
 				cs->jumpto, cs->fw.ip.flags, &cs->fw);
+
+	if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+		printf("-%c %s", cs->fw.ip.flags & IPT_F_GOTO ? 'g' : 'j',
+		       cs->jumpto);
+	}
+	printf("\n");
 }
 
 static void nft_ipv4_proto_parse(struct iptables_command_state *cs,
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 7c8b43f..f08598a 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -59,7 +59,7 @@
 	if (add_counters(r, cs->counters.pcnt, cs->counters.bcnt) < 0)
 		return -1;
 
-	return add_action(r, cs, cs->fw6.ipv6.flags);
+	return add_action(r, cs, !!(cs->fw6.ipv6.flags & IP6T_F_GOTO));
 }
 
 static bool nft_ipv6_is_same(const void *data_a,
@@ -138,7 +138,7 @@
 	cs->jumpto = jumpto;
 
 	if (nft_goto)
-		cs->fw6.ipv6.flags |= IPT_F_GOTO;
+		cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 
 static void print_ipv6_addr(const struct iptables_command_state *cs,
@@ -195,10 +195,8 @@
 	if (format & FMT_NOTABLE)
 		fputs("  ", stdout);
 
-#ifdef IPT_F_GOTO
-	if (cs.fw6.ipv6.flags & IPT_F_GOTO)
+	if (cs.fw6.ipv6.flags & IP6T_F_GOTO)
 		printf("[goto] ");
-#endif
 
 	print_matches_and_target(&cs, format);
 
@@ -234,6 +232,12 @@
 
 	save_matches_and_target(cs->matches, cs->target,
 				cs->jumpto, cs->fw6.ipv6.flags, &cs->fw6);
+
+	if (cs->target == NULL && strlen(cs->jumpto) > 0) {
+		printf("-%c %s", cs->fw6.ipv6.flags & IP6T_F_GOTO ? 'g' : 'j',
+		       cs->jumpto);
+	}
+	printf("\n");
 }
 
 /* These are invalid numbers as upper layer protocol */
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index dce8a34..ada71e6 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -648,10 +648,7 @@
 
 		if (target->save != NULL)
 			target->save(fw, target->t);
-	} else if (strlen(jumpto) > 0)
-		printf("-%c %s", flags & IPT_F_GOTO ? 'g' : 'j', jumpto);
-
-	printf("\n");
+	}
 }
 
 void print_matches_and_target(struct iptables_command_state *cs,
diff --git a/iptables/nft.c b/iptables/nft.c
index 515d124..a45d599 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -864,7 +864,7 @@
 }
 
 int add_action(struct nft_rule *r, struct iptables_command_state *cs,
-	      int ip_flags)
+	       bool goto_set)
 {
        int ret = 0;
 
@@ -881,7 +881,7 @@
 		       ret = add_target(r, cs->target->t);
        } else if (strlen(cs->jumpto) > 0) {
 	       /* Not standard, then it's a go / jump to chain */
-	       if (ip_flags & IPT_F_GOTO)
+	       if (goto_set)
 		       ret = add_jumpto(r, cs->jumpto, NFT_GOTO);
 	       else
 		       ret = add_jumpto(r, cs->jumpto, NFT_JUMP);
diff --git a/iptables/nft.h b/iptables/nft.h
index 8670f34..9248876 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -107,7 +107,7 @@
 int add_match(struct nft_rule *r, struct xt_entry_match *m);
 int add_target(struct nft_rule *r, struct xt_entry_target *t);
 int add_jumpto(struct nft_rule *r, const char *name, int verdict);
-int add_action(struct nft_rule *r, struct iptables_command_state *cs, int ip_flags);
+int add_action(struct nft_rule *r, struct iptables_command_state *cs, bool goto_set);
 
 enum nft_rule_print {
 	NFT_RULE_APPEND,