On 9 March 2016 at 08:05, FaTe <gokuvsvegita@xxxxxxxxx> wrote:
> Hello Pablo,
>
> I would require some guidance regarding the libxt_multiport translation in nft.
>
> If the translation is over the ip4 family:
> $ iptables-translate -A INPUT -p tcp -m multiport --ports 3:4 -j ACCEPT
> nft add rule ip filter INPUT ip protocol tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>                              ^^^^^^^^^^^
> this causes a problem.
> Similarly for ipv6:
> $ ip6tables-translate -A input -p tcp -m multiport --dports 1024:2048,2049:3333 -j ACCEPT
> nft add rule ip6 filter input meta l4proto tcp dport { 1024-2048,2049-3333 } counter accept
>                               ^^^^^^^^^^^^
> this is causing a problem.
>
> Both the strings "ip protocol" and "meta l4proto" are not introduced by libxt_multiport.
> And in the absence of both, the command works.
>
> For example,
> $ nft add rule ip filter INPUT tcp dport { 3-4 } tcp sport { 3-4 } counter accept
>
> $ nft add rule ip6 filter input tcp dport { 1024-2048,2049-3333 } counter accept
>
> Any comment regarding this behaviour?

They are different statements, rules should be something like:

* meta l4proto tcp tcp dport XX
* ip protocol tcp tcp dport XX

However, the two statements are redundant... the second implies the first.

--
Arturo Borrero González
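As an added example (not code from this thread, nor from iptables-translate or nftables), the following Python sketch emits the corrected shape Arturo describes, with the layer-4 protocol statement followed by a port match that names its own protocol, and includes a check that flags the dangling form quoted in the question. All function names are assumptions for illustration.

```python
import re

# Hypothetical helper (not iptables-translate's own code): build the nft port
# match for a libxt_multiport option. The match always names its protocol
# ("tcp dport ..."), which is the part missing in the translation quoted above.
def multiport_to_nft(proto: str, option: str, ports: str) -> str:
    if proto not in ("tcp", "udp", "sctp", "dccp"):
        raise ValueError(f"multiport does not support protocol {proto!r}")
    items = []
    for item in ports.split(","):
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item)  # iptables writes ranges as low:high
        if not m:
            raise ValueError(f"bad port spec {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        items.append(f"{lo}-{hi}" if hi != lo else str(lo))  # nft writes ranges as low-high
    setexpr = "{ " + ",".join(items) + " }"
    # --ports is rendered as both dport and sport, the shape the thread shows.
    directions = {"--dports": ["dport"], "--sports": ["sport"],
                  "--ports": ["dport", "sport"]}[option]
    return " ".join(f"{proto} {d} {setexpr}" for d in directions)


def translate_rule(family: str, chain: str, proto: str, option: str,
                   ports: str, target: str = "accept") -> str:
    """Emit the corrected rule: l4 protocol statement, then the port match."""
    if family == "ip":
        l4 = f"ip protocol {proto}"      # what -p tcp becomes for iptables
    elif family == "ip6":
        l4 = f"meta l4proto {proto}"     # what -p tcp becomes for ip6tables
    else:
        raise ValueError(f"unsupported family {family!r}")
    ports_expr = multiport_to_nft(proto, option, ports)
    return f"nft add rule {family} filter {chain} {l4} {ports_expr} counter {target}"


# A port match glued directly onto the protocol statement, with no protocol of
# its own, is the broken form from the question ("ip protocol tcp dport ...").
_DANGLING = re.compile(r"\b(?:ip protocol|meta l4proto) \w+ (?:dport|sport)\b")

def has_dangling_port_match(rule: str) -> bool:
    """True when a translated rule has the defect shown in the thread."""
    return _DANGLING.search(rule) is not None


if __name__ == "__main__":
    print(translate_rule("ip", "INPUT", "tcp", "--ports", "3:4"))
    print(translate_rule("ip6", "input", "tcp", "--dports", "1024:2048,2049:3333"))
```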