author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-09-27 19:12:53 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:09 +0100 |
commit | 384958620abab397062b67fb2763e813b63f74f0 | |
tree | ec01cb88585150a37f122bfbf39ea33218bafdb6 /iptables/xtables-multi.c | |
parent | 99b85b7837707bd6c6d578c9328e1321fceb8082 | |

use nf_tables and nf_tables compatibility interface

This patch adds the following utilities:

* xtables
* xtables-restore
* xtables-save
* xtables-config

They all use Patrick's nf_tables infrastructure plus my compatibility
layer.

xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.

Semantics aim to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.

The following options are also not yet implemented:

-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)

-R and -E (this requires adding this feature to nf_tables)

-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)

-IPv6 support.

But those are a matter of time to get them done.

A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.

However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get operation similar
to that of iptables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'iptables/xtables-multi.c')
-rw-r--r-- | iptables/xtables-multi.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/iptables/xtables-multi.c b/iptables/xtables-multi.c index 8014d5fb..c1746434 100644 --- a/iptables/xtables-multi.c +++ b/iptables/xtables-multi.c @@ -13,6 +13,10 @@ #include "ip6tables-multi.h" #endif +#ifdef ENABLE_NFTABLES +#include "xtables-multi.h" +#endif + static const struct subcommand multi_subcommands[] = { #ifdef ENABLE_IPV4 {"iptables", iptables_main}, @@ -32,6 +36,12 @@ static const struct subcommand multi_subcommands[] = { {"ip6tables-restore", ip6tables_restore_main}, {"restore6", ip6tables_restore_main}, #endif +#ifdef ENABLE_NFTABLES + {"xtables", xtables_main}, + {"xtables-save", xtables_save_main}, + {"xtables-restore", xtables_restore_main}, + {"xtables-config", xtables_config_main}, +#endif {NULL}, }; |
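
Review bot: in the first hunk (@@ -13,6 +13,10 @@), the header pulled in under ENABLE_NFTABLES is "xtables-multi.h", which has the same base name as the file being patched, while the context line just above includes a per-tool header ("ip6tables-multi.h"). Please confirm this header is not already included unconditionally elsewhere in the file, and consider either a dedicated header for the four new entry points or a one-line comment saying which prototypes the guarded include provides, so the purpose of the guard is clear to the next reader.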
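
Review bot: in the second hunk (@@ -32,6 +36,12 @@), the four new multi_subcommands[] entries are guarded only by ENABLE_NFTABLES, independently of the ENABLE_IPV4 guard visible in the first hunk's context, even though the commit message says IPv6 support is not implemented yet. Please check that a build with ENABLE_NFTABLES defined and ENABLE_IPV4 undefined still compiles and links, or make the dependency explicit in the guard. Since the message also states that xtables-config has to be run first to register tables and chains, a short comment above the {"xtables-config", xtables_config_main} entry noting that ordering would help anyone who reaches this table before the commit log.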