diff options
author | Florian Westphal <fw@strlen.de> | 2018-06-18 09:18:28 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2018-06-27 23:44:04 +0200 |
commit | be70918eab26e0c5fe219fefab325056144976d9 (patch) | |
tree | ab256347ade0a13ccc8f91da83282436a18c8957 /iptables/xtables-compat.8 | |
parent | d49ba500efd4dc50eef10324f3c0b4f7ce5d6e3e (diff) |
xtables: rename xt-multi binaries to -nft, -legacy
This adds a clear distinction between old iptables (formerly
xtables-multi, now xtables-legacy-multi) and new iptables
(formerly xtables-compat-multi, now xtables-nft-multi).
Users will get the ip/ip6tables names via symbolic links, having
a distinct name postfix for the legacy/nft variants helps to
make a clear distinction, as iptables-nft will always use
nf_tables and iptables-legacy always uses get/setsockopt wheres
"iptables" could be symlinked to either -nft or -legacy.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'iptables/xtables-compat.8')
-rw-r--r-- | iptables/xtables-compat.8 | 177 |
1 files changed, 0 insertions, 177 deletions
diff --git a/iptables/xtables-compat.8 b/iptables/xtables-compat.8 deleted file mode 100644 index 90f887e1..00000000 --- a/iptables/xtables-compat.8 +++ /dev/null @@ -1,177 +0,0 @@ -.\" -.\" (C) Copyright 2016-2017, Arturo Borrero Gonzalez <arturo@netfilter.org> -.\" -.\" %%%LICENSE_START(GPLv2+_DOC_FULL) -.\" This is free documentation; you can redistribute it and/or -.\" modify it under the terms of the GNU General Public License as -.\" published by the Free Software Foundation; either version 2 of -.\" the License, or (at your option) any later version. -.\" -.\" The GNU General Public License's references to "object code" -.\" and "executables" are to be interpreted as the output of any -.\" document formatting or typesetting system, including -.\" intermediate and printed output. -.\" -.\" This manual is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public -.\" License along with this manual; if not, see -.\" <http://www.gnu.org/licenses/>. -.\" %%%LICENSE_END -.\" -.TH XTABLES-COMPAT 8 "Feb 25, 2017" - -.SH NAME -xtables-compat \- compat tools to migrate from iptables to nftables - -.SH DESCRIPTION -\fBxtables-compat\fP is set of tools to help the system administrator migrate the -ruleset from \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and -\fBebtables(8)\fP to \fBnftables(8)\fP. - -The \fBxtables-compat\fP set is composed of several commands: -.IP \[bu] 2 -iptables-compat -.IP \[bu] -iptables-compat-save -.IP \[bu] -iptables-compat-restore -.IP \[bu] -ip6tables-compat -.IP \[bu] -ip6tables-compat-save -.IP \[bu] -ip6tables-compat-restore -.IP \[bu] -arptables-compat -.IP \[bu] -ebtables-compat - -These tools use the libxtables framework extensions and hook to the nf_tables -kernel subsystem using the \fBnft_compat\fP module. - -.SH USAGE -The compat tools set allows you to manage the nf_tables backend using the -native syntax of \fBiptables(8)\fP, \fBip6tables(8)\fP, \fBarptables(8)\fP, and -\fBebtables(8)\fP. - -You should use the compat tools exactly the same way as you would use the -corresponding original tool. - -Adding a rule will result in that rule being added to the nf_tables kernel -subsystem instead. -Listing the ruleset will use the nf_tables backend as well. - -When these tools were designed, the main idea was to replace each legacy binary -with a symlink to the corresponding compat tool, for example: - -.nf - /sbin/iptables --> /usr/sbin/iptables-compat - /sbin/ip6tables --> /usr/sbin/ip6tables-compat - /sbin/arptables --> /usr/sbin/arptables-compat - /sbin/ebtables --> /usr/sbin/ebtables-compat -.fi - -.SH EXAMPLES -One basic example is creating the skeleton ruleset in nf_tables from the -compat tools, in a fresh machine: - -.nf - root@machine:~# iptables-compat -L - [...] - root@machine:~# ip6tables-compat -L - [...] - root@machine:~# arptables-compat -L - [...] - root@machine:~# ebtables-compat -L - [...] - root@machine:~# nft list ruleset - table ip filter { - chain INPUT { - type filter hook input priority 0; policy accept; - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - } - - chain OUTPUT { - type filter hook output priority 0; policy accept; - } - } - table ip6 filter { - chain INPUT { - type filter hook input priority 0; policy accept; - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - } - - chain OUTPUT { - type filter hook output priority 0; policy accept; - } - } - table bridge filter { - chain INPUT { - type filter hook input priority -200; policy accept; - } - - chain FORWARD { - type filter hook forward priority -200; policy accept; - } - - chain OUTPUT { - type filter hook output priority -200; policy accept; - } - } - table arp filter { - chain INPUT { - type filter hook input priority 0; policy accept; - } - - chain FORWARD { - type filter hook forward priority 0; policy accept; - } - - chain OUTPUT { - type filter hook output priority 0; policy accept; - } - } -.fi - -(please note that in fresh machines, listing the ruleset for the first time -results in all tables an chain being created). - -To migrate your complete filter ruleset, in the case of \fBiptables(8)\fP, -you would use: - -.nf - root@machine:~# iptables-save > myruleset # reads from x_tables - root@machine:~# iptables-compat-restore myruleset # writes to nf_tables -.fi - - -.SH LIMITATIONS -You should use \fBLinux kernel >= 4.2\fP. - -Some (few) extensions may be not supported (or fully-supported) for whatever -reason (for example, they were considered obsolete). - -To get up-to-date information about this, please head to -\fBhttp://wiki.nftables.org/\fP. - -.SH SEE ALSO -\fBnft(8)\fP, \fBxtables-translate(8)\fP - -.SH AUTHORS -The nftables framework is written by the Netfilter project -(https://www.netfilter.org). - -This manual page was written by Arturo Borrero Gonzalez -<arturo@debian.org> for the Debian project, but may be used by others. - -This documentation is free/libre under the terms of the GPLv2+. |