author: Pablo Neira Ayuso <> 2021-06-25 22:30:42 +0200
committer: Jozsef Kadlecsik <> 2021-06-26 23:07:35 +0200
commit: 325af556cd3a6d1636c0cd355b494c87f58397e0 (patch)
tree: 1c433f1f08d467074908e8edf132d2a940a66bef /src/ipset-translate.8
parent: ff7f000ef2dbe81444a4e204dbab9a2177c35e21 (diff)
add ipset to nftables translation infrastructure
This patch provides the ipset-translate utility which allows you to translate your existing ipset file to nftables. The ipset-translate utility is actually a symlink to ipset, which checks for 'argv[0] == ipset-translate' to exercise the translation path. You can translate your ipset file through:

    ipset-translate restore < sets.ipt

This patch reuses the existing parser and API to represent the sets and the elements. There is a new ipset_xlate_set dummy object that allows storing a created set to fetch the type without interactions with the kernel.

Signed-off-by: Pablo Neira Ayuso <>
Signed-off-by: Jozsef Kadlecsik <>
Diffstat (limited to 'src/ipset-translate.8')
1 files changed, 91 insertions, 0 deletions
diff --git a/src/ipset-translate.8 b/src/ipset-translate.8
new file mode 100644
index 0000000..bb4e737
--- /dev/null
+++ b/src/ipset-translate.8
@@ -0,0 +1,91 @@
+.\" (C) Copyright 2021, Pablo Neira Ayuso <>
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" GNU General Public License for more details.
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, see
+.\" <>.
+.TH IPSET-TRANSLATE 8 "May 31, 2021"
+ipset-translate \(em translation tool to migrate from ipset to nftables
+This tool allows system administrators to translate a given IP sets file
+to \fBnftables(8)\fP.
+The only available command is:
+.IP \[bu] 2
+ipset-translate restores < file.ipt
+The \fBipset-translate\fP tool reads an IP sets file in the syntax produced by
+\fBipset(8)\fP save. No set modifications occur, this tool is a text converter.
+Basic operation examples.
+Single command translation, assuming the original file:
+create test1 hash:ip,port family inet counters timeout 300 hashsize 1024 maxelem 65536 bucketsize 12 initval 0xb5c4be5d
+add test1,udp:20
+add test1,21
+create test2 hash:ip,port family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xb5c4be5d
+which results in the following translation:
+root@machine:~# ipset-translate restore < file.ipt
+add set inet global test1 { type ipv4_addr . inet_proto . inet_service; counter; timeout 300s; size 65536; }
+add element inet global test1 { . udp . 20 }
+add element inet global test1 { . tcp . 21 }
+add set inet global test2 { type ipv4_addr . inet_proto . inet_service; size 65536; }
+A few IP sets options may be not supported because they are not yet implemented
+in \fBnftables(8)\fP.
+Contrary to \fBnftables(8)\fP, IP sets are not attached to a specific table.
+The translation utility assumes that sets are created in a table whose name
+is \fBglobal\fP and family is \fBinet\fP. You might want to update the
+resulting translation to use a different table name and family for your sets.
+To get up-to-date information about this, please head to
+\fBnft(8)\fP, \fBipset(8)\fP
+The nftables framework has been written by the Netfilter Project
+This manual page was written by Pablo Neira Ayuso
+This documentation is free/libre under the terms of the GPLv2+.
+This tool was funded through the NGI0 PET Fund, a fund established by NLnet with
+financial support from the European Commission's Next Generation Internet
+programme, under the aegis of DG Communications Networks, Content and Technology
+under grant agreement No 825310.
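Review bot: the only documented command is misspelled in the usage line `ipset-translate restores < file.ipt`; the example invocation further down and the commit message both use `restore`, so this line should read `ipset-translate restore < file.ipt`. Two smaller documentation points in the same hunk: the warranty paragraph is missing its middle line (`but WITHOUT ANY WARRANTY; without even the implied warranty of` runs straight into `GNU General Public License for more details.`), and `may be not supported` should read `may not be supported`. It would also help administrators to state explicitly what the example already shows: `hashsize`, `bucketsize` and `initval` are dropped from the translated `add set` lines without any warning, and the output references a table `inet global` that no line of the translation creates, so the reader should be told to create that table (or rename it in the output) before loading the result.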