* nftable rule for VRRP traffic
From: Wang, Lihua @ 2020-10-28 15:34 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Dear NFTables community,
We are trying to migrate from firewalld to nftables in our planned upgrade from CentOS 7 to 8.
We run keepalived on some of our servers and we need to migrate the firewall rule that allows vrrp in and out traffic to nftables format. I googled the topic, searched nftables documentations, and tested a number of possibilities but could not find the solution.
The firewalld rules for VRRP are:
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
which are similar to these iptables commands:
# iptables -I INPUT -i ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
# iptables -I OUTPUT -o ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
Could you please kindly advise what the equivalent is in nftables command or rule format?
Thank you very much.
Regards,
Lihua Wang
Linux admin @ CUNY Graduate Center
* Re: nftable rule for VRRP traffic
From: Pablo Neira Ayuso @ 2020-10-28 22:22 UTC (permalink / raw)
To: Wang, Lihua; +Cc: netfilter@vger.kernel.org
Hi,
On Wed, Oct 28, 2020 at 03:34:34PM +0000, Wang, Lihua wrote:
> Dear NFTables community,
>
> We are trying to migrate from firewalld to nftables in our planned upgrade from CentOS 7 to 8.
>
> We run keepalived on some of our servers and we need to migrate the firewall rule that allows vrrp in and out traffic to nftables format. I googled the topic, searched nftables documentations, and tested a number of possibilities but could not find the solution.
>
> The firewalld rules for VRRP are:
>
> firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
> firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface ens192 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
>
> which are similar to these iptables commands:
>
> # iptables -I INPUT -i ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
> # iptables -I OUTPUT -o ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
>
> Could you please kindly advise what the equivalent is in nftables command or rule format?
Use iptables-translate to request a rule translation:
# iptables-translate -I INPUT -i ens192 -d 224.0.0.0/8 -p vrrp -j ACCEPT
nft insert rule ip filter INPUT iifname "ens192" ip protocol vrrp ip daddr 224.0.0.0/8 counter accept
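For readers who want the same thing in native nftables ruleset syntax rather than the one-off `nft insert rule` form produced by iptables-translate, here is an added example covering both directions. It is not from the thread or from the nftables project; it assumes the interface name ens192 and the VRRP multicast destination 224.0.0.18 from the firewalld rules quoted above, and the drop policies and the established/related and loopback rules are illustrative baseline choices, not something the thread specifies. VRRP is IP protocol 112, which nft resolves from the `vrrp` entry in /etc/protocols, so `ip protocol 112` is equivalent.

```nft
# Added example (not from the thread): native nftables ruleset for keepalived VRRP.
# Assumptions: interface ens192 and destination 224.0.0.18 as in the firewalld
# rules above; chain policies and the baseline rules are illustrative.
# Check before loading (parses and validates, installs nothing):
#   nft -c -f vrrp.nft
# Then load and inspect:
#   nft -f vrrp.nft && nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # baseline (assumption): keep existing flows and loopback working
        ct state established,related accept
        iif "lo" accept
        # VRRP advertisements from keepalived peers: IP protocol 112 ("vrrp")
        # matched only on the VRRP multicast group and the expected interface
        iifname "ens192" ip daddr 224.0.0.18 ip protocol vrrp counter accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # VRRP advertisements sent by this node
        oifname "ens192" ip daddr 224.0.0.18 ip protocol vrrp counter accept
    }
}
```

Matching on `ip daddr 224.0.0.18` rather than `224.0.0.0/8` is tighter: 224.0.0.18 is the only destination VRRP advertisements use, so the rule admits nothing else in the multicast range. `nft -f` adds to a table of that name if one already exists, so on a host where iptables-nft has created the `ip filter` table, the command form from the reply above (`nft insert rule ip filter INPUT ...`) is the one that puts the rule into the existing chain; the `counter` keyword in either form lets `nft list ruleset` show whether VRRP packets are actually hitting the rule.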