| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Add definition of table and chains to the optional xtables.conf file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Should be:
% iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
instead of:
% xtables -L -n -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Reported-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@soleta.eu>
|
|
|
|
| |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
To support NAT table chain configuration appropriately. Modify example
configuration file as well.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following utilities:
* xtables
* xtables-restore
* xtables-save
* xtables-config
They all use Patrick's nf_tables infrastructure plus my compatibility
layer.
xtables, xtables-restore and xtables-save are syntax compatible with
ip[6]tables, ip[6]tables-restore and ip[6]tables-save.
Semantics aims to be similar, still the main exception is that there
is no commit operation. Thus, we incrementally add/delete rules without
entire table locking.
The following options are also not yet implemented:
-Z (this requires adding expr->ops->reset(...) so nft_counters can reset
internal state of expressions while dumping it)
-R and -E (this requires adding this feature to nf_tables)
-f (can be implemented with expressions: payload 6 (2-bytes) + bitwise a&b^!b + cmp neq 0)
-IPv6 support.
But those are a matter of time to get them done.
A new utility, xtables-config, is available to register tables and
chains. By default there is a configuration file that adds backward
compatible tables and chains under iptables/etc/xtables.conf. You have
to call this utility first to register tables and chains.
However, it would be possible to automagically register tables and
chains while using xtables and xtables-restore to get similar operation
than with iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pablo suggested to make it depend on lnf-conntrack, and get rid of
the example config file as well.
The problem is that the file must be in a fixed path,
/etc/xtables/connlabel.conf, else userspace needs to "guess-the-right-file"
when translating names to their bit values (and vice versa).
Originally "make install" did put an example file into /etc/xtables/,
but distributors complained about iptables ignoring the sysconfdir.
So rather remove the example file, the man-page explains the format,
and connlabels are inherently system-specific anyway.
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
allows to "tag" connections with up to 128 label names.
Labels are defined in /etc/xtables/connlabel.conf, example:
0 from eth0
1 via eth0
Labels can then be attached to flows, e.g.
-A PREROUTING -i eth0 -m connlabel --label "from eth0" --set
Signed-off-by: Florian Westphal <fw@strlen.de>
|