Fixes the output which was:
:OUTPUT ACCEPT [4271:670423]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [6434:597396]

Where it should be:
:INPUT ACCEPT [6434:597396]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4271:670423]

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@xxxxxxxxxxxxxxx>
---
 iptables/nft.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/iptables/nft.c b/iptables/nft.c
index 4ca1cec..2056032 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1124,8 +1124,21 @@ static void nft_chain_print_save(struct nft_chain *c, bool basechain)
 int nft_chain_save(struct nft_handle *h, struct nft_chain_list *list,
 const char *table)
 {
+ const struct builtin_table *t;
 struct nft_chain_list_iter *iter;
 struct nft_chain *c;
+ int i;
+
+ /* Let's print out builtin chains first, in right order */
+ t = nft_table_builtin_find(table);
+ if (t == NULL)
+ return 0;
+
+ for (i = 0; i < NF_IP_NUMHOOKS && t->chains[i].name != NULL; i++) {
+ c = nft_chain_list_find(list, table, t->chains[i].name);
+ if (c != NULL)
+ nft_chain_print_save(c, true);
+ }
 
 iter = nft_chain_list_iter_create(list);
 if (iter == NULL)
@@ -1135,13 +1148,15 @@ int nft_chain_save(struct nft_handle *h, struct nft_chain_list *list,
 while (c != NULL) {
 const char *chain_table =
 nft_chain_attr_get_str(c, NFT_CHAIN_ATTR_TABLE);
- bool basechain = false;
 
 if (strcmp(table, chain_table) != 0)
 goto next;
 
- basechain = nft_chain_builtin(c);
- nft_chain_print_save(c, basechain);
+ /* We already handled builtin chain */
+ if (nft_chain_builtin(c))
+ goto next;
+
+ nft_chain_print_save(c, false);
 next:
 c = nft_chain_list_iter_next(iter);
 }
--
1.8.2.1
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
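Review bot: The added `if (t == NULL) return 0;` at the top of nft_chain_save() returns before any chain is printed, so a table name that nft_table_builtin_find() does not recognise now yields no chain lines at all, whereas the previous code still walked the list for it. Because this output is a ruleset dump that is later restored, silently omitting chains is riskier than printing them unordered; consider guarding only the builtin pass with `if (t != NULL) {` and letting the iterator loop run in either case. The bound `i < NF_IP_NUMHOOKS` also presumes `t->chains` holds at least that many entries (the struct definition is not visible here), so a bound derived from the array itself would be safer. The function continues past this hunk, and any release of `list` done at its end would presumably be skipped by the early return as well.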
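Review bot: The skip `if (nft_chain_builtin(c)) goto next;` decides "builtin" by a different test than the first pass, which selects chains by name from `t->chains[]`. A chain for which nft_chain_builtin() is true but whose name is not in that array would be printed by neither loop, and a chain whose name matches while nft_chain_builtin() is false would be printed twice. nft_chain_builtin() is defined outside the hunk, so whether the two tests can disagree needs confirming. Keying the skip on the same name lookup, or at least replacing the comment with `/* builtin chains were printed by name above; nft_chain_builtin() must agree with t->chains[] */`, would make the invariant explicit for a dump that is meant to be restored.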