On Sat, Dec 19, 2015 at 11:41 PM, Shivani Bhardwaj <shivanib134@xxxxxxxxx> wrote:
> On Sat, Dec 19, 2015 at 11:17 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> On Sat, Dec 19, 2015 at 07:56:56PM +0530, Shivani Bhardwaj wrote:
>>> On Sat, Dec 19, 2015 at 3:10 AM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>>> > But, anyway, after applying your patch I can see:
>>> >
>>> > # iptables-translate -I INPUT -m mark --mark 10
>>> > nft insert rule ip filter INPUT ct mark & xa counter
>>> >
>>> > So this kind of works already.
>>> >
>>>
>>> Hi,
>>>
>>> I just tried adding this rule to nft. It does not work. It only works
>>> for integer values of mark. nft shows a syntax error for the ampersand and
>>> hex values.
>>>
>>> Isn't there something wrong? Please let me know.
>>
>> The line above should be:
>>
>> nft insert rule ip filter INPUT ct mark & 0xa counter
>>
>

The ampersand again causes a syntax error. However, it works fine as below:

nft insert rule ip filter INPUT ct mark 0xa counter

Please tell me if this is wrong.

> One more question. Why ct mark when we have no conntrack information
> in this module? Shouldn't ct mark be a complete module of conntrack?
>
>> You have to add a simple table and chain configuration to test it:
>>
>> nft add table filter
>> nft add chain filter INPUT { type filter hook input priority 0\; }
>>
>> The two lines above create a filter table, then add an INPUT chain
>> to that table.
>>
>> The correct translation for:
>>
>> iptables-translate -I INPUT -m mark --mark 10
>>
>> is:
>>
>> nft insert rule ip filter INPUT ct mark 0xa counter
>>
>> Then for:
>>
>> iptables-translate -I INPUT -m mark --mark 10/10
>>
>> it is:
>>
>> nft insert rule ip filter INPUT ct mark and 0xa == 0xa counter
>>
>> You have to take the time to find the right translation too and make
>> sure they work.
>>
>> Thanks.
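The translation rule Pablo spells out above (plain value gives `mark 0xa`, value/mask gives `mark and 0xmask == 0xvalue`, decimal input rendered as hex) written out as a small Python translator, together with the kernel-side match semantics of `xt_mark` ((skb->mark & mask) == value), so the reader can see why `--mark 10` and `--mark 10/10` are different rules. This is an added example, not code from this thread or from the iptables or nftables projects. The function names, the `key` parameter and the `counter` suffix are this example's own choices. Note on `key`: `-m mark` tests the packet mark (skb->mark), whose nftables equivalent is `meta mark`; `ct mark` is the conntrack mark that `-m connmark` tests, which is the point of the "why ct mark" question above. The example therefore defaults to `meta mark` and takes `key="ct mark"` to reproduce the thread's lines verbatim. Rejecting a value that has bits outside its mask (a rule that could never match) is also this example's choice, not iptables behaviour.

```python
# Added example (not iptables/nftables code): translate
# "-m mark [!] --mark value[/mask]" into the nft match form used in the
# thread, and evaluate the match the way xt_mark does.

FULL_MASK = 0xFFFFFFFF  # skb->mark is a 32-bit field


def _parse_num(tok: str) -> int:
    """Accept decimal or 0x-prefixed hex, as iptables does for --mark."""
    tok = tok.strip()
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def parse_mark_spec(spec: str) -> tuple:
    """Parse 'value[/mask]' into (value, mask); the mask defaults to all ones."""
    value_s, _, mask_s = spec.partition("/")
    value = _parse_num(value_s)
    mask = _parse_num(mask_s) if mask_s else FULL_MASK
    if not (0 <= value <= FULL_MASK and 0 <= mask <= FULL_MASK):
        raise ValueError("mark value and mask must fit in 32 bits")
    if value & ~mask & FULL_MASK:
        # (mark & mask) can never equal a value with bits outside the mask;
        # rejecting it here is this example's choice.
        raise ValueError("mark value has bits outside the mask; rule can never match")
    return value, mask


def translate_mark_match(spec: str, invert: bool = False, key: str = "meta mark") -> str:
    """Emit the nft match expression for '-m mark [!] --mark spec'.

    A full (or omitted) mask gives "<key> 0xa"; a partial mask gives the
    "<key> and 0xa == 0xa" form the thread arrives at.  key is "meta mark"
    (packet mark, what xt_mark tests); pass "ct mark" for the thread's text.
    """
    value, mask = parse_mark_spec(spec)
    if mask == FULL_MASK:
        return f"{key} {'!= ' if invert else ''}0x{value:x}"
    op = "!=" if invert else "=="
    return f"{key} and 0x{mask:x} {op} 0x{value:x}"


def translate_rule(chain: str, spec: str, invert: bool = False,
                   family: str = "ip", table: str = "filter",
                   key: str = "meta mark") -> str:
    """Full 'nft insert rule ...' line in the shape iptables-translate prints."""
    match = translate_mark_match(spec, invert, key)
    return f"nft insert rule {family} {table} {chain} {match} counter"


def mark_matches(packet_mark: int, spec: str, invert: bool = False) -> bool:
    """xt_mark semantics: ((skb->mark & mask) == value) XOR invert."""
    value, mask = parse_mark_spec(spec)
    return ((packet_mark & mask) == value) != invert


if __name__ == "__main__":
    # Reproduce the two translations from the thread, then show they differ:
    for spec in ("10", "10/10"):
        print(translate_rule("INPUT", spec, key="ct mark"))
    # packet mark 0x1a has bits 0xa set plus 0x10: matches 10/10 but not 10
    for pm in (0xa, 0x1a, 0x8):
        print(f"mark 0x{pm:x}: --mark 10 -> {mark_matches(pm, '10')}, "
              f"--mark 10/10 -> {mark_matches(pm, '10/10')}")
```

The mask form matters in practice: a mark space shared between several tools (e.g. a routing mark in the high bits and a policy mark in the low bits) can only be matched safely with `value/mask`, and an exact `--mark 10` will silently stop matching as soon as any other bit is set on the packet.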