Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

On Sat, Jan 20, 2018 at 10:21:44AM +0100, Pablo Neira Ayuso wrote:
> On Sat, Jan 20, 2018 at 05:11:18PM +1100, Duncan Roe wrote:
> > On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote:
> > > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote:
> > > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote:
> > > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote:
> > > > > > On Wed, Jan 17, 2018 at 07:45:54AM +1100, Duncan Roe wrote:
> > > > > > > On Tue, Jan 16, 2018 at 01:41:43PM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > On Tue, Jan 16, 2018 at 02:15:37AM +0100, Pablo Neira Ayuso wrote:
> > > > > > > > > On Mon, Jan 15, 2018 at 12:45:32PM +1100, Duncan Roe wrote:
> > > > > > > > > [...]
> > >
> > > Another alternative is:
> > >
> > > # iptables-restore-translate -f your_iptables_ruleset
> > >
> > > Hm, this is not documented in the wiki for some reason.
> >
> > Yes it is - section "Moving from iptables to nftables" under "Basic operation".
> > >
> > Although I now use nft (script attached), I just realised that since libvirt
> > sets up iptables rules, I could demo iptables-restore-translate working on them.
> >
> > > iptables-save > save.txt
> > > iptables-restore-translate -f save.txt
> > all looked good *except*
> > > # -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > Just for fun, I thought I'd see what iptables-compat did with that:
> > > iptables-compat -t mangle -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> > There was no error message and iptables-compat returned 0. But now:
> > > iptables-compat -t mangle -L
> > > ERROR: You're using nft features that cannot be mapped to iptables, please keep using nft.
> > and:
> > > nft list ruleset
> > > Segmentation fault (core dumped)
>
> This patch broke nft list ruleset:
>
> commit bce55916b51ec1a4c23322781e3b0c698ecc9561
> Author: Varsha Rao <rvarsha016@xxxxxxxxx>
> Date:   Wed Aug 16 19:48:13 2017 +0530
>
>     src: Remove xt_stmt_() functions.

I have reverted it and pushed it out.

BTW, not related to this problem, is the -j CHECKSUM --checksum-fill
something that libvirt generates, or are you using it there?

During the last Netfilter workshop, we had some discussions on
this feature, and people felt this is something actually not useful
these days, so we kept it back in nftables.

If there's a use case for this, we can of course reconsider.

Thanks!