On 06.04.2009 17:18, Dennis J. wrote:
> What does "deprecation of NAT filtering" entail exactly?
# /sbin/iptables -V
iptables v1.4.2
# /sbin/iptables -t nat -A OUTPUT -p tcp --dport 10000 -j DROP
The "nat" table is not intended for filtering, hence the use of DROP is
deprecated and will permanently be disabled in the next iptables
release. Please adjust your scripts.
# /sbin/iptables -L -nvx -t nat
[...]
Chain OUTPUT (policy ACCEPT 45827 packets, 3301166 bytes)
pkts bytes target prot opt in out source
destination
0 0 DROP tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:10000
#
versus
# /sbin/iptables -V
iptables v1.4.3.1
# /sbin/iptables -t nat -A OUTPUT -p tcp --dport 10000 -j DROP
iptables v1.4.3.1:
The "nat" table is not intended for filtering, the use of DROP is
therefore inhibited.
Try `iptables -h' or 'iptables --help' for more information.
# /sbin/iptables -L -nvx -t nat
[...]
Chain OUTPUT (policy ACCEPT 5115 packets, 415189 bytes)
pkts bytes target prot opt in out source
destination
#
Do not filter in the nat table and you will be fine.
--
Eray
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
