diff options
| author | Liping Zhang <zlpnobody@gmail.com> | 2017-01-07 22:26:46 +0800 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2017-01-16 14:13:58 +0100 |
| commit | 1123e6a069123756c6c73d5557d06bc5fc31497e (patch) | |
| tree | 90af06cfb67d784bed27f194606d04767b9b08d0 /iptables/ip6tables-save.c | |
| parent | aa98227ce600cf52dbcf41e26002db1f5395a871 (diff) | |
extensions: libxt_rpfilter: add translation to nft
For example:
# iptables-translate -t mangle -A PREROUTING -m rpfilter
nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter
# iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--loose
nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter
# ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--invert
nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter
Finally, when the "--accept-local" option is specified, we can combine
with "fib saddr type" to simulate it.
But when it is used like this: "-m rpfilter --accept-local", it means "||"
relationship, so we cannot translate it to one single nft rule,
translation is not supported yet:
# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local
When "--accpet-local" is combined with "--invert", it means "&&"
relationship, so translation can be:
# iptables-translate -t mangle -A PREROUTING -m rpfilter \
--accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
. iif oif 0 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables/ip6tables-save.c')
0 files changed, 0 insertions, 0 deletions