On Tue, Jul 12, 2016 at 10:04:17PM +0200, Pablo M. Bermudo Garay wrote:
> From: Pablo Neira <pablo@xxxxxxxxxxxxx>
>
> At compilation time, you have to pass this option:
>
> # ./configure --with-xtables
>
> And libxtables needs to be installed on your system.
>
> This patch allows listing a ruleset containing xt extensions loaded
> through the iptables-compat-restore tool.
>
> Example:
>
> $ iptables-save > ruleset
>
> $ cat ruleset
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -m multiport --dports 80,81 -j REJECT
> COMMIT
>
> $ sudo iptables-compat-restore ruleset
>
> $ sudo nft list ruleset
> table ip filter {
>         chain INPUT {
>                 type filter hook input priority 0; policy accept;
>                 ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
>         }
>
>         chain FORWARD {
>                 type filter hook forward priority 0; policy drop;
>         }
>
>         chain OUTPUT {
>                 type filter hook output priority 0; policy accept;
>         }
> }
>
> A translation of the extension is shown if one is available. Otherwise,
> the match or target definition is preceded by a hash. For example, the
> classify target has no translation:
>
> $ sudo nft list chain mangle POSTROUTING
> table ip mangle {
>         chain POSTROUTING {
>                 type filter hook postrouting priority -150; policy accept;
>                 ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
>                                                                        ^^^
>         }
> }
>
> If the whole ruleset is translatable, users can (re)load it using
> "nft -f" and get native nft support for all their rules.

Applied, thanks!
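An added check, not part of this patch or the nftables project, for the last point of the quoted description: it scans `nft list ruleset` output for rules whose xt extension is printed after a hash (the `# CLASSIFY set 20:10` case) so an operator can tell whether the whole ruleset is translatable before trying `nft -f`. The sample listing is constructed from the mail's own examples, and treating a trailing `# handle N` (from `nft -a`) as nft's own annotation rather than an untranslated extension is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the two listings shown in the mail above.
SAMPLE_LISTING = """\
table ip filter {
\tchain INPUT {
\t\ttype filter hook input priority 0; policy accept;
\t\tip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject
\t}
}
table ip mangle {
\tchain POSTROUTING {
\t\ttype filter hook postrouting priority -150; policy accept;
\t\tip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10
\t}
}
"""

_TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
_CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
# Assumption: "# handle N" is nft's own rule annotation, not an xt extension.
_HANDLE_RE = re.compile(r"^#\s*handle\s+\d+$")


def untranslated_extensions(listing: str) -> List[Dict[str, str]]:
    """Return every rule whose xt match/target has no native translation.

    iptables-compat listing prints such an extension after a hash, e.g.
    '... # CLASSIFY set 20:10'.  Each hit records table, chain, the
    extension's name and the translatable part of the rule.
    """
    hits = []
    table = chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if m := _TABLE_RE.match(line):
            table, chain = f"{m.group(1)} {m.group(2)}", None
            continue
        if m := _CHAIN_RE.match(line):
            chain = m.group(1)
            continue
        if " # " not in line:
            continue
        rule, _, trailer = line.partition(" # ")
        if _HANDLE_RE.match("# " + trailer.strip()):
            continue
        hits.append({"table": table, "chain": chain,
                     "extension": trailer.split()[0], "rule": rule})
    return hits


def ruleset_is_translatable(listing: str) -> bool:
    """True when every rule can be reloaded natively with 'nft -f'."""
    return not untranslated_extensions(listing)
```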