From: Florian Westphal <fw@strlen.de>
To: "Serguei Bezverkhi (sbezverk)" <sbezverk@cisco.com>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: nft equivalent of iptables command
Date: Thu, 22 Aug 2019 16:16:45 +0200
Message-ID: <20190822141645.GH20113@breakpoint.cc>
In-Reply-To: <69AAC254-AF78-4918-82B5-14B3EDB10EDB@cisco.com>

Serguei Bezverkhi (sbezverk) <sbezverk@cisco.com> wrote:
> Hello,
>
> I am trying to find an equivalent nft command for the following iptables command. Specifically "physdev" and "addrtype", I could not find so far, some help would be very appreciated.
> -m physdev ! --physdev-is-in

This has no equivalent. The rule above matches when 'call-iptables' sysctl
is enabled and the packet did not enter via a bridge interface.
So, it's only false when it did enter via a bridge interface.

In case the sysctl is off, the rule always matches and can be omitted.

nftables currently assumes that call-iptables is off, and that
bridges have their own filter rules in the netdev and/or
bridge families.

inet/ip/ip6 are assumed to only see packets that are routed by the ip
stack.

> -m addrtype ! --src-type LOCAL

fib saddr type != local
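
The decision described in the reply above, as an added example that is not part of the original message: a shell check of whether the physdev match can be dropped when porting the rule, followed by the nft expression given for the addrtype match. Assumptions: the 'call-iptables' sysctl is read from /proc/sys/net/bridge/bridge-nf-call-iptables, a missing file (br_netfilter not loaded) is treated as "off", and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumed location of the 'call-iptables' sysctl; the file exists only
# while the br_netfilter module is loaded.
SYSCTL_FILE=/proc/sys/net/bridge/bridge-nf-call-iptables

# physdev_port_status [FILE]  (hypothetical helper)
# Prints:
#   omit        - sysctl off or absent: "! --physdev-is-in" always matches
#                 and can be left out of the nft rule
#   unsupported - sysctl on: the match is meaningful and has no nft equivalent
physdev_port_status() {
    f=${1:-$SYSCTL_FILE}
    if [ ! -r "$f" ]; then
        # Assumption: no sysctl file means bridged packets never reach
        # the ip hooks, which is the same situation as the sysctl being off.
        echo omit
        return 0
    fi
    v=$(cat "$f")
    case "$v" in
        0) echo omit ;;
        1) echo unsupported ;;
        *) echo unknown; return 1 ;;
    esac
}

# translate_rule [FILE]  (hypothetical helper)
# Emits the nft expression replacing
#   -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL
# or fails when the physdev match cannot safely be dropped.
translate_rule() {
    status=$(physdev_port_status "${1:-}") || return 1
    if [ "$status" = omit ]; then
        echo 'fib saddr type != local'
    else
        echo "bridge-nf-call-iptables=1: physdev match cannot be ported" >&2
        return 2
    fi
}
```

Calling `translate_rule` with no argument on the host being migrated reads the live sysctl; a non-zero exit means the rule set needs bridge or netdev family rules rather than a direct translation.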