Re: [ANNOUNCE] Release of iptables-1.4.3.2

On 06.04.2009 17:18, Dennis J. wrote:
> What does "deprecation of NAT filtering" entail exactly?

# /sbin/iptables -V
iptables v1.4.2
# /sbin/iptables -t nat -A OUTPUT -p tcp --dport 10000 -j DROP

The "nat" table is not intended for filtering, hence the use of DROP is
deprecated and will permanently be disabled in the next iptables
release. Please adjust your scripts.

# /sbin/iptables -L -nvx -t nat
[...]
Chain OUTPUT (policy ACCEPT 45827 packets, 3301166 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:10000
#

versus

# /sbin/iptables -V
iptables v1.4.3.1
# /sbin/iptables -t nat -A OUTPUT -p tcp --dport 10000 -j DROP
iptables v1.4.3.1:
The "nat" table is not intended for filtering, the use of DROP is
therefore inhibited.


Try `iptables -h' or 'iptables --help' for more information.
# /sbin/iptables -L -nvx -t nat
[...]
Chain OUTPUT (policy ACCEPT 5115 packets, 415189 bytes)
    pkts      bytes target     prot opt in     out     source               destination
#

Do not filter in the nat table and you will be fine.

-- 
Eray
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
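The post shows the symptom (a DROP rule silently accepted in the nat table by 1.4.2, refused by 1.4.3.1) and the fix (move filtering to the filter table). As an added example, not part of the thread, the script below audits an `iptables-save` dump for DROP/REJECT rules inside `*nat` and prints the filter-table command that installs the same match. The sample ruleset is constructed for the example; the mapping of built-in nat chains onto filter chains (PREROUTING traffic ends up in INPUT or FORWARD, POSTROUTING traffic comes from OUTPUT or FORWARD) is the author's assumption about where the equivalent filtering belongs, and goes beyond the single OUTPUT case in the post. Nothing here needs root or a running iptables; it only reads text.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an iptables-save
# dump for filtering targets in the nat table and print the filter-table
# equivalent of each offending rule.

# Constructed iptables-save output. The nat OUTPUT rule mirrors the one
# in the post; the remaining lines are made up for the example.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 10000 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 23 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j DROP
COMMIT'

# Read iptables-save text on stdin; print each "-A" rule inside the *nat
# table whose target is DROP or REJECT. DROP rules in *filter are fine
# and are not reported.
find_nat_filter_rules() {
    awk '
        /^\*/      { table = substr($0, 2); next }   # "*nat", "*filter", ...
        /^COMMIT$/ { table = ""; next }
        table == "nat" && $1 == "-A" && /-j (DROP|REJECT)( |$)/ { print }
    '
}

# Read offending nat rules on stdin; print an iptables command that installs
# the same match in the filter table. Assumed chain mapping: a packet that
# traverses nat PREROUTING is later seen by filter INPUT or FORWARD, and a
# packet in nat POSTROUTING came through filter OUTPUT or FORWARD, so one
# nat rule may become two filter rules. Rules in user-defined nat chains are
# flagged for manual review instead of being rewritten.
nat_rule_to_filter() {
    awk '
        BEGIN {
            map["PREROUTING"]  = "INPUT FORWARD"
            map["OUTPUT"]      = "OUTPUT"
            map["POSTROUTING"] = "OUTPUT FORWARD"
        }
        $1 == "-A" {
            chain = $2
            rest = ""
            for (i = 3; i <= NF; i++) rest = rest " " $i
            if (!(chain in map)) {
                print "# review manually (user-defined nat chain): " $0
                next
            }
            n = split(map[chain], chains, " ")
            for (i = 1; i <= n; i++)
                print "iptables -t filter -A " chains[i] rest
        }
    '
}

# Run the whole audit over the constructed dump. On a real host you would
# feed it `iptables-save` output instead of SAMPLE_RULES.
audit() {
    printf "%s\n" "$SAMPLE_RULES" | find_nat_filter_rules | nat_rule_to_filter
}

audit
```

Running it prints three `iptables -t filter ...` commands: one for the OUTPUT rule from the post and two (INPUT and FORWARD) for the constructed PREROUTING rule; the MASQUERADE rule is untouched because NAT targets belong in the nat table. Review the generated commands before applying them, since a nat-table rule only ever saw the first packet of a connection while a filter-table rule sees every packet.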
