On Sat, Jan 07, 2017 at 10:26:46PM +0800, Liping Zhang wrote: > From: Liping Zhang <zlpnobody@xxxxxxxxx> > > For example: > # iptables-translate -t mangle -A PREROUTING -m rpfilter > nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter > > # iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark \ > --loose > nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter > > # ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark \ > --invert > nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter > > Finally, when the "--accept-local" option is specified, we can combine > with "fib saddr type" to simulate it. > > But when it is used like this: "-m rpfilter --accept-local", it means "||" > relationship, so we cannot translate it to one single nft rule, > translation is not supported yet: > # iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local > nft # -t mangle -A PREROUTING -m rpfilter --accept-local > > When "--accpet-local" is combined with "--invert", it means "&&" > relationship, so translation can be: > # iptables-translate -t mangle -A PREROUTING -m rpfilter \ > --accept-local --invert > nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \ > . iif oif 0 counter Also applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
