On 12 July 2019 14:06:01 CEST, Tomas Mudrunka <mudrunka@xxxxxxxxx> wrote:
>Hello,
>currently I am using the following iptables rules to prevent forwarded
>packets from being conntracked, while conntracking matching packets
>only. Can you please help me to translate it to nftables?
>
>
># Do not use conntrack for forwarded packets:
>*raw
>:PREROUTING ACCEPT [0:0]
>-A PREROUTING -m addrtype --src-type LOCAL -j ACCEPT
>-A PREROUTING -m addrtype --dst-type LOCAL -j ACCEPT
>-A PREROUTING -j CT --notrack
>COMMIT
>
>
>I've used iptables-restore-translate and it gave me the following:
>
>
># Translated by iptables-restore-translate v1.8.2 on Fri Jul 12 14:02:41 2019
>add table ip raw
>add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
>add rule ip raw PREROUTING fib saddr type local counter accept
>add rule ip raw PREROUTING fib daddr type local counter accept
># -t raw -A PREROUTING -j CT --notrack
># Completed on Fri Jul 12 14:02:41 2019
>
>Which suggests that the "-j CT --notrack" line was not translated
>correctly. What is the correct syntax for this?
>
>Thanks!

Hi,

Please try the following rule:

"add rule ip raw PREROUTING notrack"

Does that work for you?

Thanks!
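
The full ruleset from the quoted translation with the reply's `notrack` rule in place, as an added example that is not part of the original thread. The native `table { }` syntax and the comments are added here; the chain name, hook and priority are the ones from the quoted output.

```nftables
# Added example: nft -f file equivalent of the quoted *raw table.
table ip raw {
    chain PREROUTING {
        # Priority -300 runs before the conntrack hook (-200), so a
        # packet marked notrack here never gets a conntrack entry.
        type filter hook prerouting priority -300; policy accept;

        # Rule order matters: accept ends evaluation of this chain, so
        # packets with a local source or destination address skip the
        # notrack rule below and are tracked as usual.
        fib saddr type local counter accept
        fib daddr type local counter accept

        # Everything else is traffic to be forwarded: bypass conntrack.
        notrack
    }
}
```

Check the file with `nft -c -f FILE` before loading it with `nft -f FILE`. Forwarded packets then appear as `ct state untracked` in later chains, so stateful rules in the forward path will not match them as `established` or `related`.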