| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
This structure is an extensible containers of parameters, so we don't
need to propagate interface updates in every extension file in case
we need to add new parameters in the future.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a multiple spaces issue. The problem arises when a rule
set loaded through iptables-compat-restore is listed in nft.
Before this commit, two spaces were printed after every match
translation:
$ sudo iptables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
COMMIT
$ sudo iptables-compat-restore iptables-save
$ sudo nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
ct state related,established counter packets 0 bytes 0 accept
^^
ip protocol tcp tcp dport 80-85 ip ttl gt 5 counter packets 0 bytes 0 accept
^^ ^^
}
}
Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add translation of the ecn match to nftables.
Examples:
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn not-ect counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn ect1 counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn ect0 counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn ce counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn != not-ect counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn != ect1 counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn != ect0 counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn != ce counter
Signed-off-by: Roberto García <rodanber@gmail.com>
Reviewed-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
Patrick submitted this patch by 9th Jun 2011, I'm recovering
and applying it to iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|