summaryrefslogtreecommitdiffstats
path: root/include/xt.h
Commit message (Collapse)AuthorAgeFilesLines
* Revert ("src: Remove xt_stmt_() functions").Pablo Neira Ayuso2018-01-201-0/+7
| | | | | | | | | Revert commit bce55916b51ec1a4c23322781e3b0c698ecc9561, we need this code in place to properly make translation when iptables-compat loads rules. Reported-by: Duncan Roe <duncan_roe@optusnet.com.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: Remove xt_stmt_() functions.Varsha Rao2017-08-171-7/+0
| | | | | | | | | Remove functions xt_stmt_alloc(), xt_stmt_release(), xt_stmt_xlate(), xt_stmt_print(), xt_stmt_destroy() as they are not used. Similarly, remove structure xt_stmt_ops. Signed-off-by: Varsha Rao <rvarsha016@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add xt compat supportPablo Neira Ayuso2016-07-131-0/+39
At compilation time, you have to pass this option. # ./configure --with-xtables And libxtables needs to be installed in your system. This patch allows to list a ruleset containing xt extensions loaded through iptables-compat-restore tool. Example: $ iptables-save > ruleset $ cat ruleset *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p tcp -m multiport --dports 80,81 -j REJECT COMMIT $ sudo iptables-compat-restore ruleset $ sudo nft list rulseset table ip filter { chain INPUT { type filter hook input priority 0; policy accept; ip protocol tcp tcp dport { 80,81} counter packets 0 bytes 0 reject } chain FORWARD { type filter hook forward priority 0; policy drop; } chain OUTPUT { type filter hook output priority 0; policy accept; } } A translation of the extension is shown if this is available. In other case, match or target definition is preceded by a hash. For example, classify target has not translation: $ sudo nft list chain mangle POSTROUTING table ip mangle { chain POSTROUTING { type filter hook postrouting priority -150; policy accept; ip protocol tcp tcp dport 80 counter packets 0 bytes 0 # CLASSIFY set 20:10 ^^^ } } If the whole ruleset is translatable, the users can (re)load it using "nft -f" and get nft native support for all their rules. This patch is joint work by the authors listed below. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
generated by cgit v1.2.3 (git 2.25.0) at 2024-11-16 17:04:52 +0000