On 07/01/2019 17:16, Florian Westphal wrote:
> Older version. 1.8.2 one translates it (minus -m set part).
> But I agree, it's better to do it by hand as that gives more
> opportunities to use nft set/map infra.

I have:

# iptables-translate -V
iptables-translate v1.8.2 (nf_tables)

I also tested the kernel patch, and it looks like the vmap rules work fine now:

chain peerblock {
	ip daddr @whitelist counter packets 1 bytes 82 accept
	ip daddr @bt_webexploit counter packets 0 bytes 0 drop
	ip daddr @bt_spyware counter packets 0 bytes 0 drop
	ip daddr @bt_level1 tcp dport vmap { 80 : accept, 443 : accept } counter packets 28 bytes 1680 drop
	ip daddr @bt_level1 udp dport vmap { 80 : accept, 443 : accept } counter packets 0 bytes 0 drop
	ip daddr @bt_level1 tcp dport != { 80, 443 } counter packets 0 bytes 0 drop
	ip daddr @bt_level1 udp dport != { 80, 443 } counter packets 0 bytes 0 drop
}
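The listing in the mail above is only the chain dump: the four address sets it references are not defined there, and there is no base chain that sends traffic through it, so it cannot be loaded as-is with nft -f. The ruleset below is an added example, not part of the original mail or of the nftables project; it rebuilds the peerblock chain with the rules kept exactly as listed (counters start at zero) and adds the pieces a loadable file needs. The table name, the ip family, the output hook and the set contents (RFC 5737 documentation ranges, used as placeholders for real blocklist exports) are all assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original mail. Table name, hook and set
# contents are assumptions; replace the placeholder ranges with the real
# blocklist data before use.

flush ruleset

table ip filter {
	# Address sets referenced by the peerblock chain. 'flags interval'
	# allows CIDR blocks and ranges, which is how blocklists are usually
	# distributed; plain addresses are accepted as well.
	set whitelist {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24 }
	}
	set bt_webexploit {
		type ipv4_addr
		flags interval
		elements = { 198.51.100.0/24 }
	}
	set bt_spyware {
		type ipv4_addr
		flags interval
		elements = { 203.0.113.0/25 }
	}
	set bt_level1 {
		type ipv4_addr
		flags interval
		elements = { 203.0.113.128-203.0.113.255 }
	}

	# The chain as dumped in the mail, with fresh counters.
	chain peerblock {
		ip daddr @whitelist counter accept
		ip daddr @bt_webexploit counter drop
		ip daddr @bt_spyware counter drop
		ip daddr @bt_level1 tcp dport vmap { 80 : accept, 443 : accept } counter drop
		ip daddr @bt_level1 udp dport vmap { 80 : accept, 443 : accept } counter drop
		ip daddr @bt_level1 tcp dport != { 80, 443 } counter drop
		ip daddr @bt_level1 udp dport != { 80, 443 } counter drop
	}

	# Base chain (assumed): destination-address filtering of locally
	# generated traffic, so the output hook is used here.
	chain output {
		type filter hook output priority 0; policy accept;
		jump peerblock
	}
}
```

Load it with `nft -f peerblock.nft` and inspect the result with `nft list chain ip filter peerblock`, which prints the chain in the same form as the listing in the mail, counters included. To verify a vmap rule on a test host, send a packet to an address inside bt_level1 on port 80 and one on another port and compare the counters before and after; `nft -c -f peerblock.nft` checks the file for syntax and set/map consistency without loading it.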