MATT-NFT <matt-nft@xxxxxxxxxxxx> wrote:
>
> Many thanks for that!
> I cannot use iptables-translate command on my Debian box, can't get it
> installed,
> think this is because I'm using the backport sources.
>
> Anyhow, I'm trying to build my rules using the scripting option by loading
> nft with the -f parameter. I'd tried this:
>
> table ip nat {
>         chain prerouting {
>                 type nat hook prerouting priority 0; policy accept;
> ....

nat hooks are like iptables -t nat, they only 'see' the first packet of a connection.

table ip mangle {
        chain prerouting {
                type filter hook prerouting priority -150; policy accept;
                iifname "eth0" ip saddr 10.0.0.0/8 tcp dport 80 mark set 5 accept
        }
}
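
One way to confirm the difference on a test box, as an added example that is not part of the original message. The table name marktest, the chain names and the comments are made up here; the match is copied from the rule in the reply.

```nft
# Added example: counts the same traffic in a nat-type chain and in a
# filter-type chain so the two hook types can be compared side by side.
# Load with:   nft -f marktest.nft
# Inspect with: nft list table ip marktest
# Remove with:  nft delete table ip marktest

table ip marktest {
        chain nat_pre {
                # nat-type chain: consulted only for the packet that creates
                # the conntrack entry, like iptables -t nat
                type nat hook prerouting priority -100; policy accept;
                iifname "eth0" ip saddr 10.0.0.0/8 tcp dport 80 counter comment "nat hook"
        }

        chain mangle_pre {
                # filter-type chain at the mangle priority: consulted for
                # every packet, so a mark set here applies to the whole flow
                type filter hook prerouting priority -150; policy accept;
                iifname "eth0" ip saddr 10.0.0.0/8 tcp dport 80 counter comment "filter hook"
        }
}
```

After one HTTP connection from a 10.0.0.0/8 host, the "nat hook" counter shows a single packet while the "filter hook" counter shows every inbound packet of that connection, which is why the mark rule belongs in the filter-type chain.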