On Tue, Jul 16, 2013 at 03:38:50PM +0300, Tomasz Bursztyka wrote:
> Fixes an output bug, it was:
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> where it should be:
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination

I have just checked this. The order is fine except for the nat table;
that one has been corrected here:

http://git.netfilter.org/iptables-nftables/commit/?id=990b5aec1df02450545b57b94d3c960d9b7b1188

However, if the xtables.conf file is used, the order was reversed, so I
could reproduce exactly the same output that you posted here.

I have fixed that by fixing the semantics of nft_*_list_add in
libnftables to prepend, instead of appending. Now we have
nft_*_list_add_tail, and I have adapted iptables-nftables to use add_tail
when needed:

http://git.netfilter.org/iptables-nftables/commit/?id=5e6ed2aae9e4a8ec0a340036f485c2567635eca9

Those should be enough to resolve this issue.

Thanks for the initial patch to address this issue.