This patch fixes a multiple spaces issue. The problem arises when a rule
set loaded through iptables-compat-restore is listed in nft.
Before this commit, two spaces were printed after every match
translation:

    $ sudo iptables-save
    *filter
    :INPUT ACCEPT [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80:85 -m ttl --ttl-gt 5 -j ACCEPT
    COMMIT
    $ sudo iptables-compat-restore iptables-save
    $ sudo nft list ruleset
    table ip filter {
        chain INPUT {
            type filter hook input priority 0; policy accept;
            ct state related,established  counter packets 0 bytes 0 accept
                                        ^^
            ip protocol tcp tcp dport 80-85  ip ttl gt 5  counter packets 0 bytes 0 accept
                                           ^^           ^^
        }
    }

Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Add translation of the ecn match to nftables.
Examples:
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn not-ect counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn ect1 counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn ect0 counter
# iptables-translate -A INPUT -m ecn --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn ce counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 0
nft add rule ip filter INPUT ip ecn != not-ect counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 1
nft add rule ip filter INPUT ip ecn != ect1 counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 2
nft add rule ip filter INPUT ip ecn != ect0 counter
# iptables-translate -A INPUT -m ecn ! --ecn-ip-ect 3
nft add rule ip filter INPUT ip ecn != ce counter
Signed-off-by: Roberto García <rodanber@gmail.com>
Reviewed-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Patrick submitted this patch on 9th Jun 2011; I'm recovering
and applying it to iptables.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>