We have to print nft at the very beginning for each rule that rules from
the expansion, otherwise the output is not correct:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
insert rule ip filter INPUT ip saddr 98.138.253.109 counter
insert rule ip filter INPUT ip saddr 98.139.183.24 counter
After this patch:
# iptables-translate -I INPUT -s yahoo.com
nft insert rule ip filter INPUT ip saddr 206.190.36.45 counter
nft insert rule ip filter INPUT ip saddr 98.138.253.109 counter
nft insert rule ip filter INPUT ip saddr 98.139.183.24 counter
Reported-by: Alexander Alemayhu <alexander@xxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
iptables/xtables-translate.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c
index 153bd6503c59..1e35b90d77a2 100644
--- a/iptables/xtables-translate.c
+++ b/iptables/xtables-translate.c
@@ -195,6 +195,8 @@ static int xlate(struct nft_handle *h, struct nft_xt_cmd_parse *p,
}
break;
}
+ if (!cs->restore)
+ printf("nft ");
}
return ret;
--
2.1.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
