diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-03 01:58:43 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-06-07 21:35:27 +0200 |
| commit | c8145139cb230ff22837795c97f2e264c574c64c (patch) | |
| tree | af4a98ee8f9ea7ad3702c572751af920ba515c04 /extensions/libxt_conntrack.txlate | |
| parent | 1c934617f661dc0bc471c0f0b4ace254c55182df (diff) | |
extensions: libxt_conntrack: simplify translation using negation
Available since nftables 0.9.9. For example:
# iptables-translate -I INPUT -m state ! --state NEW,INVALID
nft insert rule ip filter INPUT ct state ! invalid,new counter
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libxt_conntrack.txlate')
| -rw-r--r-- | extensions/libxt_conntrack.txlate | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/extensions/libxt_conntrack.txlate b/extensions/libxt_conntrack.txlate index 8cc7c504..45fba984 100644 --- a/extensions/libxt_conntrack.txlate +++ b/extensions/libxt_conntrack.txlate @@ -2,10 +2,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCE nft add rule ip filter INPUT ct state new,related counter accept ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED -j ACCEPT -nft add rule ip6 filter INPUT ct state & (new|related) == 0 counter accept +nft add rule ip6 filter INPUT ct state ! new,related counter accept ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW -j ACCEPT -nft add rule ip6 filter INPUT ct state & new == 0 counter accept +nft add rule ip6 filter INPUT ct state ! new counter accept iptables-translate -t filter -A INPUT -m conntrack --ctproto UDP -j ACCEPT nft add rule ip filter INPUT ct original protocol 17 counter accept @@ -35,10 +35,10 @@ iptables-translate -t filter -A INPUT -m conntrack --ctstatus EXPECTED -j ACCEPT nft add rule ip filter INPUT ct status expected counter accept iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED -j ACCEPT -nft add rule ip filter INPUT ct status & confirmed == 0 counter accept +nft add rule ip filter INPUT ct status ! confirmed counter accept iptables-translate -t filter -A INPUT -m conntrack ! --ctstatus CONFIRMED,ASSURED -j ACCEPT -nft add rule ip filter INPUT ct status & (assured|confirmed) == 0 counter accept +nft add rule ip filter INPUT ct status ! assured,confirmed counter accept iptables-translate -t filter -A INPUT -m conntrack --ctstatus CONFIRMED,ASSURED -j ACCEPT nft add rule ip filter INPUT ct status assured,confirmed counter accept |