using iptables matches and targets with nft

using iptables matches and targets with nft

[Stefan Berghofer]

Hi all,

recent versions of the Linux kernel and the libnftnl library define nft expression types
with the names "match" and "target". However, I could not find any reference to these
expression types in the code of the nft user space utility, but only in the code for iptables.
Is it possible to access iptables matches and targets from rules defined with nft, or is
this not intended?

Greetings,
Stefan

Re: using iptables matches and targets with nft

[Pablo Neira Ayuso]

On Thu, Dec 10, 2015 at 01:16:18PM +0100, Stefan Berghofer wrote:
> Hi all,
> 
> recent versions of the Linux kernel and the libnftnl library define nft expression types
> with the names "match" and "target". However, I could not find any reference to these
> expression types in the code of the nft user space utility, but only in the code for iptables.
> Is it possible to access iptables matches and targets from rules defined with nft, or is
> this not intended?

iptables-compat uses this, this will be included in iptables 1.6.0
(just resolved a problem with static compilation, so we can release
this asap).

There is also a patch for nft (not in master yet) that takes what was
added via iptables-compat and provides a translation to the native
extensions (Shivani is working on the translation part at this
moment).

The idea is to provide an easy way to migrate from your iptables
ruleset to nft.