Translation is pretty simple due to nft's 'insert rule ... index' support. Testing the translation is sadly not: index 1 vanishes (as it should), higher indexes are rejected in replay mode since no rules previously exist. Signed-off-by: Phil Sutter <phil@xxxxxx> --- extensions/libebt_ip.txlate | 2 +- iptables/xtables-translate.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/extensions/libebt_ip.txlate b/extensions/libebt_ip.txlate index 28996832225cb..44ce927614b57 100644 --- a/extensions/libebt_ip.txlate +++ b/extensions/libebt_ip.txlate @@ -4,7 +4,7 @@ nft 'add rule bridge filter FORWARD ip saddr != 192.168.0.0/24 counter accept' ebtables-translate -I FORWARD -p ip --ip-dst 10.0.0.1 nft 'insert rule bridge filter FORWARD ip daddr 10.0.0.1 counter' -ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff +ebtables-translate -I OUTPUT -p ip -o eth0 --ip-tos 0xff nft 'insert rule bridge filter OUTPUT oifname "eth0" ether type ip @nh,8,8 0xff counter' ebtables-translate -A FORWARD -p ip --ip-proto tcp --ip-dport 22 diff --git a/iptables/xtables-translate.c b/iptables/xtables-translate.c index 22b2fbc869eed..88e0a6b639494 100644 --- a/iptables/xtables-translate.c +++ b/iptables/xtables-translate.c @@ -173,6 +173,8 @@ static int nft_rule_xlate_add(struct nft_handle *h, tick, append ? "add" : "insert", family2str[h->family], p->table, p->chain); + if (!append && p->rulenum > 1) + printf("index %d ", p->rulenum); printf("%s%s\n", xt_xlate_rule_get(xl), tick); -- 2.38.0
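Review bot: dropping the `3` from `ebtables-translate -I OUTPUT 3 -p ip -o eth0 --ip-tos 0xff` in libebt_ip.txlate leaves no test that exercises the new `index` output; the expected `nft 'insert rule bridge filter OUTPUT ...'` line below it is unchanged, so this hunk only removes coverage. The commit message says replay mode rejects indexes above 1 and that index 1 vanishes, so consider at least keeping a `-I OUTPUT 1` case to pin the index-1 behaviour, and recording in the commit message why higher positions cannot be tested in the txlate suite.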
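Review bot: the new `if (!append && p->rulenum > 1) printf("index %d ", p->rulenum);` passes the ebtables/iptables rule number straight through as nft's `index` value, so the hunk should state (a comment or a line in the commit message) that both count from the same base; if nft's index is zero-based while `-I chain N` is one-based, the inserted rule lands one position off. The `> 1` check also silently drops the index for position 1, matching the "index 1 vanishes" note, which is worth a one-line comment since a plain insert goes to the top anyway. Finally, given `family2str[h->family]` in the surrounding context, this path serves the other translate front-ends too, yet the commit message and the txlate change cover only ebtables; mention that scope and ideally add an iptables-translate `-I chain N` case.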