On Wed, Jul 08, 2020 at 12:16:18PM +0200, Reindl Harald wrote:
>
>
> On 08.07.20 at 09:51, Trent W. Buck wrote:
> > Reindl Harald <h.reindl@xxxxxxxxxxxxx> writes:
> >
> >> On 03.07.20 at 09:04, G.W. Haywood wrote:
> >>> On Fri, 3 Jul 2020, Timo Sigurdsson wrote:
> >>>
> >>>> ... I use ipsets for blacklisting.
> >>>> I fetch blacklists from various sources
> >>>> ... This approach has worked for me for quite some time.
> >>>> ... some of my blacklists may contain the same addresses or ranges,
> >>>> I use ipsets' -exist switch when loading
> >>>> ... I don't think that the use case is that extraordinary ...
> >>>
> >>> +6
> >>>
> >>> FWIW I'll be following this thread very closely.
> >>
> >> it turned out at least with recent kernel and recent userland
> >> "iptables-nft" can fully replace "iptables" and continue to use "ipset"
> >> unchanged
> >
> > I tested this and you're right - it is working. This surprised me!
> >
> > I saw these "commented out" rules in iptables-translate, where
> > I (wrongly) assumed that meant the rule was completely inactive.
>
> "iptables-translate" comments out much more than just ipset related
> stuff, in my case xt_recent and connlimit rules are also just comments

If you could post what kind of rule examples are commented out, it would
help us keep this on the radar.

It is not too hard to add new translations, there is a _xlate() function
under iptables/extensions/libxt_*.c that provides the translation. The
important thing is to validate that the translation is semantically
equivalent, or if not possible, provide a close translation.

Thanks.
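As an added example (not part of the thread and not code from the iptables project), the following script audits an iptables-save dump before a migration to iptables-nft or nft: it extracts every `-m`/`--match` extension from each rule and flags the rules whose matches the thread reports as coming out of iptables-translate only as comments (set, recent, connlimit). The match list and the sample ruleset are constructed for the example; replace them with what your own iptables-translate run reports and your own dump. The point is to get an inventory of the rules that still need a hand-written, semantically equivalent translation, rather than discovering them one comment at a time.

```python
"""Pre-migration audit of an iptables-save dump (added example)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Match extensions the thread reports as emitted by iptables-translate only
# as comments. This is an assumption taken from the discussion; adjust it
# to whatever your own iptables-translate output shows.
UNTRANSLATED_MATCHES = {"set", "recent", "connlimit"}

# Constructed sample in iptables-save format.
SAMPLE_RULESET = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m set --match-set blacklist src -m comment --comment "drop listed" -j DROP
-A INPUT -p tcp --dport 22 -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
-A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 50 -j REJECT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""


@dataclass
class RuleReport:
    table: str
    rule: str
    matches: list[str] = field(default_factory=list)

    @property
    def needs_manual_translation(self) -> bool:
        return any(m in UNTRANSLATED_MATCHES for m in self.matches)


def match_extensions(rule: str) -> list[str]:
    """Return every extension named by '-m NAME' or '--match NAME' in a rule."""
    tokens = shlex.split(rule)  # shlex keeps quoted --comment values intact
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ("-m", "--match")]


def audit_ruleset(text: str) -> list[RuleReport]:
    """Parse an iptables-save dump and report the match extensions per rule."""
    reports: list[RuleReport] = []
    table = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. *filter
            table = line[1:]
            continue
        if line.startswith(":") or line == "COMMIT":  # chain policy / end of table
            continue
        reports.append(RuleReport(table, line, match_extensions(line)))
    return reports


def untranslated_rules(text: str) -> list[RuleReport]:
    """Rules that iptables-translate would leave as comments, per the thread."""
    return [r for r in audit_ruleset(text) if r.needs_manual_translation]


def summary(text: str) -> str:
    """Human-readable listing: flagged rules first, with the offending matches."""
    lines = []
    for r in untranslated_rules(text):
        lines.append(f"[{r.table}] {r.rule}")
        lines.append(f"    needs manual translation: {', '.join(r.matches)}")
    return "\n".join(lines) if lines else "no rules need manual translation"


if __name__ == "__main__":
    print(summary(SAMPLE_RULESET))
```

Feed it a real dump with `audit_ruleset(open("rules.v4").read())`; a rule appears in `untranslated_rules` as soon as any one of its matches is in `UNTRANSLATED_MATCHES`, so a rule combining `-m set` with a translatable `-m comment` is still flagged, which is the behaviour you want when deciding what has to be rewritten and re-verified by hand.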