From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Pablo M. Bermudo Garay" <pablombg@gmail.com>
Cc: netfilter-devel@vger.kernel.org,
Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Subject: Re: [PATCH nft v5 3/3] src: add xt compat support
Date: Wed, 13 Jul 2016 11:53:27 +0200 [thread overview]
Message-ID: <20160713095327.GB14902@salvia> (raw)
In-Reply-To: <20160712200417.21890-3-pablombg@gmail.com>
On Tue, Jul 12, 2016 at 10:04:17PM +0200, Pablo M. Bermudo Garay wrote:
> From: Pablo Neira <pablo@netfilter.org>
>
> At compilation time, you have to pass this option.
>
> # ./configure --with-xtables
>
> And libxtables needs to be installed in your system.
>
> This patch allows to list a ruleset containing xt extensions loaded
> through iptables-compat-restore tool.
>
> Example:
>
> $ iptables-save > ruleset
>
> $ cat ruleset
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
> COMMIT
>
> $ sudo iptables-compat-restore ruleset
>
> $ sudo nft list rulseset
> table ip filter {
> chain INPUT {
> type filter hook input priority 0; policy accept;
> ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
> }
>
> chain FORWARD {
> type filter hook forward priority 0; policy drop;
> }
>
> chain OUTPUT {
> type filter hook output priority 0; policy accept;
> }
> }
>
> A translation of the extension is shown if this is available. In other
> case, match or target definition is preceded by a hash. For example,
> classify target has not translation:
>
> $ sudo nft list chain mangle POSTROUTING
> table ip mangle {
> chain POSTROUTING {
> type filter hook postrouting priority -150; policy accept;
> ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
> ^^^
> }
> }
>
> If the whole ruleset is translatable, the users can (re)load it using
> "nft -f" and get nft native support for all their rules.
Applied, thanks!
next prev parent reply other threads:[~2016-07-13 9:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-12 20:04 [PATCH nft v5 1/3] include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.h Pablo M. Bermudo Garay
2016-07-12 20:04 ` [PATCH nft v5 2/3] src: expose delinearize/linearize structures and stmt_error() Pablo M. Bermudo Garay
2016-07-13 9:53 ` Pablo Neira Ayuso
2016-07-12 20:04 ` [PATCH nft v5 3/3] src: add xt compat support Pablo M. Bermudo Garay
2016-07-13 9:53 ` Pablo Neira Ayuso [this message]
2016-07-13 10:03 ` Arturo Borrero Gonzalez
2016-07-13 9:52 ` [PATCH nft v5 1/3] include: cache ip_tables.h, ip6_tables.h, arp_tables.h and ebtables.h Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160713095327.GB14902@salvia \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablombg@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.