[iptables PATCH] xtables-translate: Fix chain type when translating nat table

[iptables PATCH] xtables-translate: Fix chain type when translating nat table

[Phil Sutter]

This makes the type of translated chains in nat table to be of type
'nat' instead of 'filter' which is incorrect.

Verified like so:

| $ iptables-restore-translate -f /dev/stdin <<EOF
| *nat
| :POSTROUTING ACCEPT [0:0]
| [0:0] -A POSTROUTING -j MASQUERADE
| COMMIT
| EOF
| # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
| add table ip nat
| add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
| add rule ip nat POSTROUTING counter masquerade

Ditto for ip6tables-restore-translate.

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
This patch depends upon my previously submitted patch
"xtables-translate: Support setting standard chain policy".
---
 iptables/xtables-translate.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 0c706dcc2b9db..153bd6503c59b 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -352,17 +352,23 @@ static int xlate_chain_set(struct nft_handle *h, const char *table,
 			   const char *chain, const char *policy,
 			   const struct xt_counters *counters)
 {
-	printf("add chain %s %s %s ", family2str[h->family], table, chain);
+	const char *type = "filter";
+
+	if (strcmp(table, "nat") == 0)
+		type = "nat";
+
+	printf("add chain %s %s %s { type %s ",
+	       family2str[h->family], table, chain, type);
 	if (strcmp(chain, "PREROUTING") == 0)
-		printf("{ type filter hook prerouting priority 0; ");
+		printf("hook prerouting priority 0; ");
 	else if (strcmp(chain, "INPUT") == 0)
-		printf("{ type filter hook input priority 0; ");
+		printf("hook input priority 0; ");
 	else if (strcmp(chain, "FORWARD") == 0)
-		printf("{ type filter hook forward priority 0; ");
+		printf("hook forward priority 0; ");
 	else if (strcmp(chain, "OUTPUT") == 0)
-		printf("{ type filter hook output priority 0; ");
+		printf("hook output priority 0; ");
 	else if (strcmp(chain, "POSTROUTING") == 0)
-		printf("{ type filter hook postrouting priority 0; ");
+		printf("hook postrouting priority 0; ");
 
 	if (strcmp(policy, "ACCEPT") == 0)
 		printf("policy accept; ");
-- 
2.10.0

Re: [iptables PATCH] xtables-translate: Fix chain type when translating nat table

[Pablo Neira Ayuso]

On Mon, Nov 28, 2016 at 01:14:16PM +0100, Phil Sutter wrote:
> This makes the type of translated chains in nat table to be of type
> 'nat' instead of 'filter' which is incorrect.
> 
> Verified like so:
> 
> | $ iptables-restore-translate -f /dev/stdin <<EOF
> | *nat
> | :POSTROUTING ACCEPT [0:0]
> | [0:0] -A POSTROUTING -j MASQUERADE
> | COMMIT
> | EOF
> | # Translated by ./install/sbin/iptables-restore-translate v1.6.0 on Mon Nov 28 12:11:30 2016
> | add table ip nat
> | add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
> | add rule ip nat POSTROUTING counter masquerade
> 
> Ditto for ip6tables-restore-translate.

Also applied, thanks.