| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example:
# iptables-translate -t mangle -A PREROUTING -m rpfilter
nft add rule ip mangle PREROUTING fib saddr . iif oif != 0 counter
# iptables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--loose
nft add rule ip mangle PREROUTING fib saddr . mark oif != 0 counter
# ip6tables-translate -t mangle -A PREROUTING -m rpfilter --validmark \
--invert
nft add rule ip6 mangle PREROUTING fib saddr . mark . iif oif 0 counter
Finally, when the "--accept-local" option is specified, we can combine
with "fib saddr type" to simulate it.
But when it is used like this: "-m rpfilter --accept-local", it means "||"
relationship, so we cannot translate it to one single nft rule,
translation is not supported yet:
# iptables-translate -t mangle -A PREROUTING -m rpfilter --accept-local
nft # -t mangle -A PREROUTING -m rpfilter --accept-local
When "--accpet-local" is combined with "--invert", it means "&&"
relationship, so translation can be:
# iptables-translate -t mangle -A PREROUTING -m rpfilter \
--accept-local --invert
nft add rule ip mangle PREROUTING fib saddr type != local fib saddr \
. iif oif 0 counter
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
