3 files changed, 34 insertions, 25 deletions
diff --git a/etc/xtables.conf b/etc/xtables.conf
index 00b5df4f..6d26ffe4 100644
--- a/etc/xtables.conf
+++ b/etc/xtables.conf
@@ -1,24 +1,31 @@
-table raw prio -300 {
-	chain PREROUTING hook NF_INET_PRE_ROUTING
-	chain OUTPUT hook NF_INET_LOCAL_OUT
+table raw {
+	chain PREROUTING hook NF_INET_PRE_ROUTING prio -300
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio -300
 }
 
-table mangle prio -150 {
-	chain PREROUTING hook NF_INET_PRE_ROUTING
-	chain INPUT hook NF_INET_LOCAL_IN
-	chain FORWARD hook NF_INET_FORWARD
-	chain OUTPUT hook NF_INET_LOCAL_OUT
-	chain POSTROUTING hook NF_INET_POST_ROUTING
+table mangle {
+	chain PREROUTING hook NF_INET_PRE_ROUTING prio -150
+	chain INPUT hook NF_INET_LOCAL_IN prio -150
+	chain FORWARD hook NF_INET_FORWARD prio -150
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio -150
+	chain POSTROUTING hook NF_INET_POST_ROUTING prio -150
 }
 
-table filter prio 0 {
-	chain INPUT hook NF_INET_LOCAL_IN
-	chain FORWARD hook NF_INET_FORWARD
-	chain OUTPUT hook NF_INET_LOCAL_OUT
+table filter {
+	chain INPUT hook NF_INET_LOCAL_IN prio 0
+	chain FORWARD hook NF_INET_FORWARD prio 0
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio 0
 }
 
-table security prio 150 {
-	chain INPUT hook NF_INET_LOCAL_IN
-	chain FORWARD hook NF_INET_FORWARD
-	chain OUTPUT hook NF_INET_LOCAL_OUT
+table nat {
+	chain PREROUTING hook NF_INET_PRE_ROUTING prio -100
+	chain POSTROUTING hook NF_INET_POST_ROUTING prio 100
+	chain INPUT hook NF_INET_LOCAL_IN prio -100
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio 100
+}
+
+table security {
+	chain INPUT hook NF_INET_LOCAL_IN prio 150
+	chain FORWARD hook NF_INET_FORWARD prio 150
+	chain OUTPUT hook NF_INET_LOCAL_OUT prio 150
 }
diff --git a/iptables/xtables-config-parser.y b/iptables/xtables-config-parser.y
index fe5bcbf1..ad5d624b 100644
--- a/iptables/xtables-config-parser.y
+++ b/iptables/xtables-config-parser.y
@@ -105,12 +105,10 @@ lines		: line
 line		: table
 		;
 
-table		: T_TABLE T_STRING T_PRIO T_INTEGER '{' chains '}'
+table		: T_TABLE T_STRING '{' chains '}'
 		{
 			/* added in reverse order to pop it in order */
-			void *data = stack_push(T_PRIO, sizeof(int32_t));
-			stack_put_i32(data, $4);
-			data = stack_push(T_TABLE, strlen($2));
+			void *data = stack_push(T_TABLE, strlen($2));
 			stack_put_str(data, $2);
 		}
 		;
@@ -119,10 +117,12 @@ chains		: chain
 		| chains chain
 		;
 
-chain		: T_CHAIN T_STRING T_HOOK T_STRING
+chain		: T_CHAIN T_STRING T_HOOK T_STRING T_PRIO T_INTEGER
 		{
 			/* added in reverse order to pop it in order */
-			void *data = stack_push(T_HOOK, strlen($4));
+			void *data = stack_push(T_PRIO, sizeof(int32_t));
+			stack_put_i32(data, $6);
+			data = stack_push(T_HOOK, strlen($4));
 			stack_put_str(data, $4);
 			data = stack_push(T_CHAIN, strlen($2));
 			stack_put_str(data, $2);
@@ -194,13 +194,13 @@ int xtables_config_parse(char *filename, struct nft_table_list *table_list,
 			}
 			nft_chain_attr_set(chain, NFT_CHAIN_ATTR_TABLE,
 				(char *)nft_table_attr_get(table, NFT_TABLE_ATTR_NAME));
+			nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio);
 			nft_chain_attr_set(chain, NFT_CHAIN_ATTR_NAME, e->data);
 			nft_chain_list_add(chain, chain_list);
 			break;
 		case T_HOOK:
 			nft_chain_attr_set_u32(chain, NFT_CHAIN_ATTR_HOOKNUM,
 						hooknametonum(e->data));
-			nft_chain_attr_set_s32(chain, NFT_CHAIN_ATTR_PRIO, prio);
 			break;
 		default:
 			printf("unknown token type %d\n", e->token);
diff --git a/iptables/xtables-config.c b/iptables/xtables-config.c
index 16918bf6..fce03a19 100644
--- a/iptables/xtables-config.c
+++ b/iptables/xtables-config.c
@@ -39,7 +39,9 @@ int xtables_config_main(int argc, char *argv[])
 	struct nft_table *table;
 	struct nft_chain *chain;
 	const char *filename = NULL;
-	struct nft_handle h;
+	struct nft_handle h = {
+		.family = AF_INET,
+	};
 
 	if (argc > 2) {
 		fprintf(stderr, "Usage: %s [<config_file>]\n", argv[0]);