Many thanks for that!
I cannot use the iptables-translate command on my Debian box; I can't get it
installed. I think this is because I'm using the backport sources.
Anyhow, I'm trying to build my rules using the scripting option by
loading nft with the -f parameter. I tried this:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        ....
        ip mangle ip addr 10.0.x.y tcp dport 80 counter meta mark set 5
        counter;
    }
}
But that gives me an error:
Error: syntax error, unexpected string
ip mangle ip addr 10.0.x.y tcp dport 80 counter meta mark set 5
^^^^^^
Any idea how to address this?
# nft -v
nftables v0.8.3 (Joe Btfsplk)
Many thanks
Matt
On 2018-05-17 21:14, Florian Westphal wrote:
MATT-NFT <matt-nft@xxxxxxxxxxxx> wrote:
I'm reading all of the nft wiki, but it's still not clear to me how to
configure the nft mangle options.
With iptables I'm successful using these ip commands:
# ip rule add fwmark 5 table 50
# ip route add default via 10.0.x.y table 50
And then create the iptables mangle rule:
# iptables -A PREROUTING -t mangle -i ethX -s 192.168.x.y -p TCP --dport 80 -j MARK --set-mark 5
How would I do this with nft?
You can use iptables-translate:
# iptables-translate -A PREROUTING -t mangle -i ethX -s 192.168.0.1 -p TCP --dport 80 -j MARK --set-mark 5
nft add rule ip mangle PREROUTING iifname "ethX" ip saddr 192.168.0.1 tcp dport 80 counter meta mark set 5
You can adapt that to your needs, e.g. adjust saddr, change iifname,
omit 'counter', etc.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
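Putting the thread together, as an added example that is not code from either poster: a POSIX shell script that writes the MARK rule from the translated command in the form nft expects inside a chain block of an -f file, checks it before loading, and adds the fwmark policy route. The interface, addresses, port, mark, table and gateway are placeholders standing in for the x.y values in the thread, and the nft -c check assumes a build that supports that option.

```shell
#!/bin/sh
# Added example, not code from either poster: generate the nft -f ruleset
# for the MARK rule in the thread and the ip commands that use the mark.
# Interface, addresses, port, mark, table and gateway are placeholders.

# Print the ruleset on stdout. Inside a file loaded with "nft -f" the rule
# sits in its chain block, so it carries no "ip mangle PREROUTING" prefix;
# that prefix belongs only to the one-liner "nft add rule ..." form.
build_mark_ruleset() {
    iface=$1 src=$2 dport=$3 mark=$4
    cat <<EOF
table ip mangle {
    chain prerouting {
        # filter type: every packet is seen. A nat-type chain only sees
        # the first packet of a connection, so marking there is a mistake.
        # Numeric priority -150 is the mangle slot on nft 0.8.x, which
        # predates the named priorities of newer releases.
        type filter hook prerouting priority -150; policy accept;
        iifname "$iface" ip saddr $src tcp dport $dport counter meta mark set $mark
    }
}
EOF
}

# Write the ruleset, syntax-check it, load it, then add the fwmark policy
# route (same ip commands as in the thread). Needs root and nft/ip.
install_mark_routing() {
    iface=$1 src=$2 dport=$3 mark=$4 table=$5 gw=$6
    file=${TMPDIR:-/tmp}/mark-routing.nft
    build_mark_ruleset "$iface" "$src" "$dport" "$mark" > "$file"
    # -c parses and validates without touching the live ruleset, so a
    # "syntax error, unexpected string" surfaces before anything changes.
    nft -c -f "$file" || return 1
    nft -f "$file" || return 1
    ip rule add fwmark "$mark" table "$table" || return 1
    ip route add default via "$gw" table "$table"
}

# Stand-alone run: show the generated ruleset (no root needed).
build_mark_ruleset ethX 192.168.0.1 80 5
```

Run install_mark_routing as root with your own values, e.g. `install_mark_routing ethX 192.168.0.1 80 5 50 10.0.0.1`, to load the ruleset and add the route in one step.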