| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
For example:
# iptables-translate -t raw -A PREROUTING -j TRACE
nft add rule ip raw PREROUTING counter nftrace set 1
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for dscp to nftables, for both ipv4 and ipv6.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m dscp --dscp 0x32 -j ACCEPT
nft add rule ip filter INPUT ip dscp 0x32 counter accept
$ sudo ip6tables-translate -t filter -A INPUT -m dscp ! --dscp 0x32 -j ACCEPT
nft add rule ip6 filter INPUT ip6 dscp != 0x32 counter accept
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for multiport to nftables, which it's supported natively.
Examples:
$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81} counter accept
$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80:88 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport 80-88 counter accept
$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport ! --dports 80:88 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport != 80-88 counter accept
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
The order of mask and id in the translated code is not apt
so fix it.
This patch follows commit 8548dd by Liping Zhang.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for Hop-By-Hop header to nftables. Hbh options are not
supported yet in nft.
$ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength 22 counter
$ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength != 22 counter
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
| |
The order of mask and mark in the output is wrong. This has been pointed
out: http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang <liping.zhang@spreadtrum.com>.
This patch fixes the same issue with connmark.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation of ipcomp to nftables.
First value of the parameter 'ipcompspi' will be translated to 'cpi'
parameter in nftables. Parameter 'compres' is not supported in nftables.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m ipcomp --ipcompspi 0x12 -j ACCEPT
nft add rule ip filter INPUT comp cpi 18 counter accept
$ sudo iptables-translate -t filter -A INPUT -m ipcomp ! --ipcompspi 0x12 -j ACCEPT
nft add rule ip filter INPUT comp cpi != 18 counter accept
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mask and mark's order is reversed, so when we specify the mask, we will
get the wrong translation result:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0x1 == 0xff counter
Apply this patch, translation will become:
# iptables-translate -A INPUT -m mark --mark 0x1/0xff
nft add rule ip filter INPUT mark and 0xff == 0x1 counter
Cc: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NETMAP .print function doesn't insert the ' ' character needed to seperate
earlier output from the target network, i.e. iptables -L prints
something like
2.2.2.5-2.2.2.103.3.3.64/28
instead of
2.2.2.5-2.2.2.10 3.3.3.64/28
Add a ' to:' prefix just like we do for S/DNAT targets.
Closes https://bugzilla.netfilter.org/show_bug.cgi?id=1070.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The default burst value is 5 in iptables limit extension while it is 0 in
nft limit expression, if the burst value is default, it will not be
displayed when we dump the rules. But when we do translation from iptables
rules to nft rules, we should keep the limit burst value unchanged, even if
it is not displayed in iptables rules.
And now, if the limit-burst value in the iptables rule is 5 or 0, they are
all translated to nft rule without burst, this is wrong:
$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
nft add rule ip filter INPUT limit rate 10/second counter
$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
nft add rule ip filter INPUT limit rate 10/second burst 0 packets counter
Apply this patch, translation will become:
$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 5
nft add rule ip filter INPUT limit rate 10/second burst 5 packets counter
$ sudo iptables-translate -A INPUT -m limit --limit 10/s --limit-burst 0
nft add rule ip filter INPUT limit rate 10/second counter
Fixes: a8dfbe3a3acb ("extensions: libxt_limit: Add translation to nft")
Cc: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Sync with latest *BSD release: https://gitweb.dragonflybsd.org/dragonfly.git/blob_plain/HEAD:/etc/pf.os
Changelog: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
Cc: Evgeniy Polyakov <johnpol@2ka.mxt.ru>
Cc: Jan Engelhardt <jengelh@medozas.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel <netfilter-devel@vger.kernel.org>
Signed-off-by: Xose Vazquez Perez <xose.vazquez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Add missing tests for NFQUEUE.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
Iptables building is broken if either libmnl or libnftnl
is not installed on the system.
Configure script actually checks if libmnl and libnftnl are installed,
but doesn't exit if they are not.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Remove the stacking of older version into the newer one by adding the
appropriate code corresponding to each version.
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NFQUEUE had a bug with the ordering of fanout and bypass options which
was arising due to same and odd values for flags and bypass when used
together. Because of this, during bitwise ANDing of flags and
NFQ_FLAG_CPU_FANOUT, the value always evaluated to false (since
NFQ_FLAG_CPU_FANOUT=0x02) and led to skipping of fanout option
whenever it was used before bypass because then flags would be 1.
Before this patch,
$ sudo iptables -A FORWARD -j NFQUEUE -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout --queue-bypass
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp spt:http NFQUEUE balance 0:3 bypass
After this patch,
Chain FORWARD (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp spt:http NFQUEUE balance 0:3 bypass cpu-fanout
Closes bugzilla entry: http://bugzilla.netfilter.org/show_bug.cgi?id=939
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
No need to print "nft" in function do_command_xlate,
if the function is called from iptables-restore-translate command.
Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Command ./iptables-restore-translate, was printing
table name before the chain name for user added chains.
This is breaking ./nft -f command.
Before fix, output of "./iptables-restore-translate"
add chain ip OUTPUT_direct raw
After fix:
add chain ip raw OUTPUT_direct
Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
SNAT section in iptables-extensions(8) already mentions this
but the main section did not.
Reported-by: Lion Yang <lion@aosc.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The iptables command:
-m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE
should translate to:
tcp flags & fin|syn|rst|psh|ack|urg == 0x0
instead of:
tcp flags & fin|syn|rst|psh|ack|urg == none
Reported-by: Vadim A. Misbakh-Soloviov <netfilter@mva.name>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Tested-by: Vadim A. Misbakh-Soloviov <netfilter@mva.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for TEE target to nft. However, there is a
problem with the output when using ip6tables-translate. I couldn't find a fix
for that.
Examples:
$ iptables-translate -t mangle -A PREROUTING \
-j TEE --gateway 192.168.0.2 --oif eth0
nft add rule ip mangle PREROUTING counter dup to 192.168.0.2 device eth0
$ iptables-translate -t mangle -A PREROUTING \
-j TEE --gateway 192.168.0.2
nft add rule ip mangle PREROUTING counter dup to 192.168.0.2
$ ip6tables-translate -t mangle -A PREROUTING \
-j TEE --gateway ab12:00a1:1112:acba::
nft add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba::
$ ip6tables-translate -t mangle -A PREROUTING \
-j TEE --gateway ab12:00a1:1112:acba:: --oif eth0
nft add rule ip6 mangle PREROUTING counter dup to ab12:a1:1112:acba:: device eth0
Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Initialize comment buffer when allocation the xt translation structure.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the --disable-connlabel option and the appropriate functionality
associated with it.
After this patch, iptables configuration shows up as:
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support: yes
IPQ support: no
Large file support: yes
BPF utils support: no
nfsynproxy util support: no
nftables support: yes
connlabel support: yes
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
translation for iptables --flush
Examples: $ sudo
iptables-translate -F INPUT nft flush chain ip filter INPUT
$ sudo iptables-translate -F -t nat
nft flush table ip nat
Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the translation
Avoid to print the reject with value in the translation when the value
is the default.
Before this patch:
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject with icmpv6 type port-unreachable
After this patch:
$ sudo ip6tables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip6 filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the translation
Avoid to print the reject with value in the translation when the value is the default.
Before this patch:
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject with icmp type port-unreachable
After this patch:
$ sudo iptables-translate -A FORWARD -p TCP --dport 22 -j REJECT
nft add rule ip filter FORWARD tcp dport 22 counter reject
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for icmp to nftables. Not supported icmp codes in nftables
are: network-unreachable, host-unreachable, protocol-unreachable,
port-unreachable, fragmentation-needed, source-route-failed,
network-unknown, host-unknown, network-prohibited, host-prohibited,
TOS-network-unreachable, TOS-host-unreachable, communication-prohibited,
host-precedence-violation, precedence-cutoff, network-redirect,
host-redirect, TOS-network-redirect, TOS-host-redirect,
ttl-zero-during-transit, ttl-zero-during-reassembly, ip-header-bad and required-option-missing.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type echo-reply -j ACCEPT
nft add rule ip filter INPUT icmp type echo-reply counter accept
$ sudo iptables-translate -t filter -A INPUT -m icmp --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type destination-unreachable counter accept
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 3 -j ACCEPT
nft add rule ip filter INPUT icmp type != destination-unreachable counter accept
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the log level when default is used
Before:
$ sudo iptables-translate -I INPUT -j LOG
nft add rule filter INPUT log level warning
After:
$ sudo iptables-translate -I INPUT -j LOG
nft add rule filter INPUT counter log
Signed-off-by: Roberto García <rodanber@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Avoid to print the log level in the translation when the level is the
default value.
Example:
$ sudo iptables-translate -t filter -A INPUT -m icmp ! --icmp-type 10 -j LOG
nft add rule ip filter INPUT icmp type != router-solicitation counter log
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
|
| |
|
|
|
|
|
| |
Reported by Debian lintian tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
Reported by Debian lintian tool.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
|
| |
|
|
|
|
|
| |
The multiport match needs it, this basically leaves ->xlate() indirection
with almost the same interface as ->print().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for icmpv6 to nftables.
Not supported icmp codes in nftables are: no-route,
communication-prohibited, beyond-scope, address-unreachable,
port-unreachable, failed-policy, reject-route, ttl-zero-during-transit,
ttl-zero-during-reassembly, bad-header, unknown-header-type and
unknown-option.
Examples:
$ ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type 1 -j LOG
nft add rule ip6 filter INPUT icmpv6 type destination-unreachable counter log level warn
$ ip6tables-translate -t filter -A INPUT -m icmp6 --icmpv6-type neighbour-advertisement -j LOG
nft add rule ip6 filter INPUT icmpv6 type nd-neighbor-advert counter log level warn
$ ip6tables-translate -t filter -A INPUT -m icmp6 ! --icmpv6-type packet-too-big -j LOG
nft add rule ip6 filter INPUT icmpv6 type != packet-too-big counter log level warn
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for rt for options --rt-type, --rt-segsleft and --rt-len.
Examples:
$ sudo ip6tables-translate -A INPUT -m rt --rt-type 0 -j DROP
nft add rule ip6 filter INPUT rt type 0 counter drop
$ sudo ip6tables-translate -A INPUT -m rt ! --rt-len 22 -j DROP
nft add rule ip6 filter INPUT rt hdrlength != 22 counter drop
$ sudo ip6tables-translate -A INPUT -m rt --rt-segsleft 26 -j ACCEPT
nft add rule ip6 filter INPUT rt seg-left 26 counter accept
The xlate function returns 0 for other options.
Signed-off-by: Janani Ravichandran <janani.rvchndrn@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for dccp to nftables.
Full translation of this match awaits the support for --dccp-option.
Examples:
$ sudo iptables-translate -A INPUT -p dccp -m dccp --sport 100
nft add rule ip filter INPUT dccp sport 100 counter
$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100:200
nft add rule ip filter INPUT dccp dport 100-200 counter
$ sudo iptables-translate -A INPUT -p dccp -m dccp ! --dport 100
nft add rule ip filter INPUT dccp dport != 100 counter
$ sudo iptables-translate -A INPUT -p dccp -m dccp --dport 100 --dccp-types REQUEST,RESPONSE,DATA,ACK,DATAACK,CLOSEREQ,CLOSE,SYNC,SYNCACK
nft add rule ip filter INPUT dccp dport 100 dccp type {request, response, data, ack, dataack, closereq, close, sync, syncack} counter
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for sctp to nftables.
Full translation of this match awaits the support for --chunk-types
option.
Examples:
$ sudo iptables-translate -A INPUT -p sctp --dport 80 -j DROP
nft add rule ip filter INPUT sctp dport 80 counter drop
$ sudo iptables-translate -A INPUT -p sctp ! --sport 80:100 -j ACCEPT
nft add rule ip filter INPUT sctp sport != 80-100 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for module owner to nftables.
Full translation of this match awaits the support for --socket-exists
option.
Examples:
$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid 0 counter accept
$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner 0-10 -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skgid 0-10 counter accept
$ sudo iptables-translate -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner shivani -j ACCEPT
nft add rule ip nat OUTPUT tcp dport 80 skuid != 1000 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for mobility header to nftables.
Examples:
$ sudo ip6tables-translate -A INPUT -p mh --mh-type 1 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1 counter accept
$ sudo ip6tables-translate -A INPUT -p mh --mh-type 1:3 -j ACCEPT
nft add rule ip6 filter INPUT meta l4proto mobility-header mh type 1-3 counter accept
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
| |
Use meta l4proto in place of nexthdr for ipv6 protocols as it is not
necessary that all protocols be next header.
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for masquerade to nftables.
Examples:
$ sudo ip6tables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip6 nat POSTROUTING counter masquerade
$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10
$ sudo ip6tables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random
nft add rule ip6 nat POSTROUTING ip6 nexthdr tcp counter masquerade to :10-20 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for masquerade to nftables.
Examples:
$ sudo iptables-translate -t nat -A POSTROUTING -j MASQUERADE
nft add rule ip nat POSTROUTING counter masquerade
$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10
$ sudo iptables-translate -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 10-20 --random
nft add rule ip nat POSTROUTING ip protocol tcp counter masquerade to :10-20 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
any error
Output of command "./iptables-translate junk" is Bad argument
`junk' Try `iptables-translate -h' or 'iptables-translate --help' for more
information. nft
Output of command "./iptables-translate -B" is
iptables-translate v1.6.0: unknown option "-B"
Try `iptables-translate -h' or 'iptables-translate --help' for more
information.
nft
nft should have not been printed in both the cases. Moving the printf
call after the do_parse function call
Signed-off-by: Guruswamy Basavaiah <guru2018@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
| |
Add missing constants for libxt_TCPOPTSTRIP.c, in case they are not defined.
(Original patch from VoidLinux)
Signed-off-by: Loganaden Velvindron <logan@hackers.mu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for match comment to nftables.
This patch also adds the relevant infrastructure for carrying out
the translation.
Example:
$ sudo iptables-translate -A INPUT -s 192.168.0.0 -m comment --comment "A privatized IP block"
nft add rule ip filter INPUT ip saddr 192.168.0.0 counter comment \"A privatized IP block\"
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for NF queue to nftables.
Examples:
$ sudo iptables-translate -t nat -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 30
nft add rule ip nat PREROUTING tcp dport 80 counter queue num 30
$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-num 0 --queue-bypass -p TCP --sport 80
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0 bypass
$ sudo iptables-translate -A FORWARD -j NFQUEUE --queue-bypass -p TCP --sport 80 --queue-balance 0:3 --queue-cpu-fanout
nft add rule ip filter FORWARD tcp sport 80 counter queue num 0-3 bypass,fanout
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Replace the flags with the correct ipv6 flags.
Details:
Ana found out the bug and submitted the patch, Shivani applied it
on the latest tree and compile tested it.
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
This new function allows us to add comments to the nft rule. This
can be used to provide a translation for the comment match.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
| |
Use a more generic name for this object to prepare the introduction of
other translation specific fields.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
| |
Release data area that is allocated by xt_buf_alloc().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for REDIRECT target to nftables.
Examples:
$ sudo ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to 8080
$ sudo ip6tables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
nft add rule ip6 nat prerouting tcp dport 80 counter redirect to 8080 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation for target REDIRECT to nftables.
Examples:
$ sudo iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080
nft add rule ip nat prerouting tcp dport 80 counter redirect to 8080
$ sudo iptables-translate -t nat -A prerouting -p tcp --dport 80 -j REDIRECT --to-ports 8080 --random
nft add rule ip nat prerouting tcp dport 80 counter redirect to 8080 random
Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
