From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Wang, Lihua" <lwang2@gc.cuny.edu>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: nftable rule for VRRP traffic
Date: Wed, 28 Oct 2020 23:22:19 +0100
Message-ID: <20201028222219.GA25697@salvia>
In-Reply-To: <9e00cb7bb2e944c981e1a9a43278aa2c@wd5b.gc.cuny.edu>

Hi,

On Wed, Oct 28, 2020 at 03:34:34PM +0000, Wang, Lihua wrote:
> Dear NFTables community,
> 
> We are trying to migrate from firewalld to nftables in our planned upgrade from CentOS 7 to 8. 
> 
> We run keepalived on some of our servers and we need to migrate the firewall rule that allows vrrp in and out traffic to nftables format. I googled the topic, searched nftables documentations, and tested a number of possibilities but could not find the solution.
> 
> The firewalld rules for vrrp are:
> 
> firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
> firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
> 
> which are similar to the iptables commands:
> 
> # iptables -I INPUT -i ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
> # iptables -I OUTPUT -o ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
> 
> Could you please kindly advise what is the equivalent in nftable command or rule format?

Use iptables-translate to request a rule translation:

# iptables-translate -I INPUT -i ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
nft insert rule ip filter INPUT iifname "ens192" ip protocol vrrp ip daddr 224.0.0.0/8 counter accept
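The translation above is for the /8 variant of the iptables rule. As an added example that is not part of the thread, the same thing written as a native nft ruleset file, matching the tighter 224.0.0.18 destination that the firewalld --direct rules use. The table/chain names, the drop policy on input and the interface name "ens192" are assumptions; merge the two vrrp lines into whatever base ruleset you already have.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original thread). Assumed layout: one inet
# table named "filter" with an input and an output chain. "ens192" is the
# interface from the question; change it to match your host.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # VRRP advertisements: IP protocol 112 ("vrrp" in /etc/protocols)
        # sent to the all-VRRP-routers group 224.0.0.18. Equivalent of
        #   --in-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
        iifname "ens192" ip daddr 224.0.0.18 ip protocol vrrp counter accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Only needed if you restrict output; kept here to mirror the OUTPUT rule.
        oifname "ens192" ip daddr 224.0.0.18 ip protocol vrrp counter accept
    }
}
```

Check the file before loading it with `nft -c -f vrrp.nft` (parse only) and then `nft -f vrrp.nft`; `nft list ruleset` afterwards shows the counters, which should start incrementing on the input rule within one advertisement interval if the peer is sending. Two caveats: `ip protocol vrrp` is simply protocol 112 and says nothing about which peer sent it, so consider adding an `ip saddr` match for the peer's address; and if keepalived is configured with `unicast_peer`, the advertisements are not sent to 224.0.0.18 and the `ip daddr` match must be dropped or replaced with the unicast address.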

Thread overview: 2 messages
2020-10-28 15:34 nftable rule for VRRP traffic Wang, Lihua
2020-10-28 22:22 ` Pablo Neira Ayuso [this message]