author | Phil Sutter <phil@nwl.cc> | 2023-05-05 20:04:41 +0200 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2023-08-11 15:56:38 +0200 |
commit | 11c464ed015b52a28d90c63c69e10e5f7d4053d4 (patch) | |
tree | 5c2d3bd5a627720284e609dd966ff94246847ac8 /iptables/iptables-restore.8.in | |
parent | ca709b5784c982de12d6eab361cfc9c900aec4c7 (diff) |
Add --compat option to *tables-nft and *-nft-restore commands
The flag sets nft_handle::compat boolean, indicating a compatible rule
implementation is wanted. Users expecting their created rules to be
fetched from kernel by an older version of *tables-nft may use this to
avoid potential compatibility issues.
Changes since v1:
- Expect short option '-C' in {ip,ip6,eb}tables-nft-restore command line
parser
- Support -C/--compat in arptables-nft-restore, too
- Update man pages with the new flag
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/iptables-restore.8.in')
-rw-r--r-- | iptables/iptables-restore.8.in | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/iptables/iptables-restore.8.in b/iptables/iptables-restore.8.in index aa816f79..38309992 100644 --- a/iptables/iptables-restore.8.in +++ b/iptables/iptables-restore.8.in @@ -23,11 +23,11 @@ iptables-restore \(em Restore IP Tables .P ip6tables-restore \(em Restore IPv6 Tables .SH SYNOPSIS -\fBiptables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP] +\fBiptables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] [\fIfile\fP] .P -\fBip6tables\-restore\fP [\fB\-chntvV\fP] [\fB\-w\fP \fIseconds\fP] +\fBip6tables\-restore\fP [\fB\-cChntvV\fP] [\fB\-w\fP \fIseconds\fP] [\fB\-M\fP \fImodprobe\fP] [\fB\-T\fP \fIname\fP] [\fIfile\fP] .SH DESCRIPTION @@ -74,6 +74,13 @@ determine the executable's path. .TP \fB\-T\fP, \fB\-\-table\fP \fIname\fP Restore only the named table even if the input stream contains other ones. +.TP +\fB\-C\fP, \fB\-\-compat\fP +This flag is only relevant with \fBnft\fP-variants and ignored otherwise. If +set, rules will be created in a mostly compatible way, enabling older versions +of \fBiptables\-nft\fP to correctly parse the rules received from kernel. This +mode is only useful in very specific situations and will likely impact packet +filtering performance. .SH BUGS None known as of iptables-1.2.1 release .SH AUTHORS |
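Review bot: in the SYNOPSIS hunk, -C is added to the shared option cluster (`[\fB\-cChntvV\fP]`) for both iptables-restore and ip6tables-restore with no hint that it is nft-only, while the DESCRIPTION hunk says the flag is "only relevant with nft-variants and ignored otherwise". Since this page documents iptables-restore generically, please confirm that the non-nft restore command line parser really accepts and ignores -C rather than rejecting it as an unknown option; if it does not, the synopsis now advertises a flag that fails for part of its audience, and the nft restriction should be stated next to the option in the synopsis too.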
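Review bot: in the DESCRIPTION hunk, the new -C/--compat paragraph tells the administrator the mode "is only useful in very specific situations and will likely impact packet filtering performance" but never names the situation, so readers cannot tell whether they need it. Suggest folding in the reason from the commit message, e.g. "Use this if the resulting rules will later be listed or saved by an older \fBiptables\-nft\fP release that may not parse the rules this version generates", so the trade-off is clear; and "\fBnft\fP-variants" should use the escaped hyphen and the binary name the paragraph already uses, i.e. "\fBiptables\-nft\fP variants".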